Packet dropped with message 'proxy decrypt failure' in session detail


38107
Created On 09/26/18 13:49 PM - Last Modified 09/28/20 23:02 PM


Symptom


When SSL decryption is turned on and a particular website is accessed, packets are dropped with the message 'proxy decrypt failure' in the session detail. This article explains one probable cause of the drop and how to fix it.

Packets are dropped for a particular website. Running 'show session all filter source <src-ip>' and then 'show session <id>' for the affected session shows that the packet is discarded, with the tracker stage firewall reported as 'proxy decrypt failure', as below:

[Screenshot: session detail showing the session discarded with tracker stage firewall 'proxy decrypt failure']

Running global counters shows an 'unsupported SSL protocol' message:

[Screenshot: global counters showing the 'unsupported SSL protocol' counter incrementing]

If the web server and the client can only negotiate a cipher suite that the firewall does not support, the connection is dropped because the firewall cannot decrypt it.



Resolution


Workaround
  • Create a no-decrypt rule for that destination
     (or)
  • Choose a cipher suite that is supported on the firewall
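Before choosing between the two workarounds it helps to know which protocol version and cipher suite the web server actually negotiates, so the result can be compared against the firewall's supported list. The following POSIX shell script is an added example and is not part of this article or of any Palo Alto Networks tooling: it parses the SSL-Session block of `openssl s_client` output, optionally runs that check live against a host, and classifies the negotiated suite against a placeholder list. The list in SUPPORTED_CIPHERS is a constructed placeholder, not the firewall's real supported set; fill it in from the vendor's supported cipher-suite document. The sample `openssl s_client` output embedded below is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the article): report the TLS version and cipher
# suite a web server negotiates and compare it with a supported-suite list.

# Parse "openssl s_client" output on stdin; print "<protocol> <cipher>" from
# the "Protocol  :" and "Cipher    :" lines of the SSL-Session block.
parse_negotiated() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END { if (proto != "" && cipher != "") print proto, cipher }
    '
}

# Live check: negotiated_for <host> [port]. Uses SNI so the server presents
# the right certificate; the TLS handshake itself is what we want to see.
negotiated_for() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | parse_negotiated
}

# PLACEHOLDER list (constructed for this example): replace with the suites
# from the firewall's supported SSL/TLS version and cipher-suite document.
SUPPORTED_CIPHERS="ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256"

# classify "<protocol> <cipher>": prints "decryptable" if the cipher is in
# SUPPORTED_CIPHERS, otherwise "unsupported" (a no-decrypt rule or a server
# cipher change is then needed). Always exits 0 so callers can test the text.
classify() {
    cipher=${1#* }
    for s in $SUPPORTED_CIPHERS; do
        if [ "$s" = "$cipher" ]; then
            echo "decryptable"
            return 0
        fi
    done
    echo "unsupported"
    return 0
}

# Constructed sample of openssl s_client output used for an offline run.
SAMPLE='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
---'

if [ "$#" -ge 1 ]; then
    # Usage: sh check_cipher.sh <host> [port]  (live check against a server)
    result=$(negotiated_for "$1" "$2")
    echo "negotiated: $result"
    echo "verdict:    $(classify "$result")"
else
    result=$(printf '%s\n' "$SAMPLE" | parse_negotiated)
    echo "sample negotiated: $result"
    echo "sample verdict:    $(classify "$result")"
fi
```

Run it with a host name to query a server directly, or with no arguments to see the constructed sample parsed. A verdict of "unsupported" for the destination that is being dropped points to the first workaround (a no-decrypt rule for that destination); if the server can be reconfigured, the second workaround (a supported cipher suite) restores decryption.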


Additional Information


To learn more about supported cipher suites, see Palo Alto Networks Supported SSL/TLS Version and Cipher Suites for Web UI



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqqCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail