Palo Alto Networks Knowledgebase: Packet dropped with message 'proxy decrypt failure' in session detail

Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Resolution


Issue

When SSL decryption is enabled and a client tries to access a particular website, packets are dropped with the message 'proxy decrypt failure' in the session detail. This article explains one probable cause and how to fix it.


Packets are dropped for a particular website. Running 'show session all filter source <src-ip>' and then 'show session <id>' for the matching session shows that the packet is discarded, with the tracker stage firewall reported as 'proxy decrypt failure', as below:

[Screenshot: session_deny.JPG]


Checking the global counters shows an 'unsupported SSL protocol' message:

[Screenshot: Counter_deny logs.JPG]


If the web server and client can only negotiate a cipher suite that the firewall does not support, the session is dropped because the firewall cannot decrypt it.

Refer to the PAN-OS documentation for the list of supported cipher suites.


Workaround

  • Create a no-decrypt rule for that destination, or
  • Choose a cipher suite that is supported on the firewall.
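
To get from the session detail described above to the no-decrypt workaround, here is an added example (not from the KB article and not Palo Alto Networks code) that parses 'show session <id>' output and lists the destinations discarded with 'proxy decrypt failure'. The sample CLI output and its field layout are constructed to resemble PAN-OS output and are an assumption.

```python
# Added example, not from the Palo Alto Networks KB article: pick out sessions that
# PAN-OS discarded with 'proxy decrypt failure' from 'show session <id>' output and
# list the destinations to cover with a no-decrypt rule (or a supported cipher).
import re

# Constructed sample resembling two 'show session <id>' outputs; the field layout
# is an assumption, not text copied from the article.
SAMPLE = """\
Session         12345
                dst:         203.0.113.10
                sport:       51234           dport:      443
                state:       DISCARD         type:       FLOW
        tracker stage firewall : proxy decrypt failure
Session         12346
                dst:         198.51.100.7
                sport:       51240           dport:      443
                state:       ACTIVE          type:       FLOW
        tracker stage firewall : N/A
"""

FIELDS = {  # field name -> regex applied to every line of one session block
    "dst": r"dst:\s+(\S+)",
    "dport": r"dport:\s+(\d+)",
    "state": r"state:\s+(\S+)",
    "tracker": r"tracker stage firewall\s*:\s*(.+?)\s*$",
}

def parse_sessions(text):
    """Split CLI output into one dict per 'Session <id>' block."""
    sessions = []
    for line in text.splitlines():
        head = re.match(r"Session\s+(\d+)", line)
        if head:
            sessions.append({"id": int(head.group(1))})
        elif sessions:  # ignore anything printed before the first session header
            for name, pattern in FIELDS.items():
                m = re.search(pattern, line)
                if m:
                    sessions[-1][name] = m.group(1)
    return sessions

def decrypt_failures(sessions):
    """Deduplicated, sorted (dst, dport) pairs discarded by the decryption proxy."""
    hits = {(s["dst"], int(s["dport"])) for s in sessions
            if s.get("tracker") == "proxy decrypt failure"}
    return sorted(hits)

if __name__ == "__main__":
    for dst, port in decrypt_failures(parse_sessions(SAMPLE)):
        print(f"{dst}:{port} -> add no-decrypt rule or use a supported cipher suite")
```

Feed it the real CLI output captured from the firewall instead of SAMPLE; only sessions whose tracker stage firewall reads 'proxy decrypt failure' are reported.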


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqqCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail