Palo Alto Networks Knowledgebase: Packet dropped with message 'proxy decrypt failure' in session detail
Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
GlobalProtect cloud service
When SSL decryption is turned on, packets to a particular website can be dropped with the message 'proxy decrypt failure' in the session detail. This article explains one of the probable causes and how to fix it.
Packets are dropped for a particular website. The output of 'show session all filter source <src-ip>' and the associated 'show session <id>' shows that the packet is discarded, with the tracker stage firewall reported as 'proxy decrypt failure', as below:
Running global counters shows an 'unsupported SSL protocol' message:
If the webserver and client can only negotiate a cipher suite that is unsupported, the connection will be dropped because it cannot be decrypted.
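One way to test for this cause from a host that reaches the website directly, as an added example that is not part of the original article: it offers the server one cipher suite at a time and reports which ones it accepts. The `PROXY_SUITES` list and all function names are assumptions made for the example; fill the list from the decryption cipher support documented for your firewall release.

```python
import socket
import ssl
import sys

# Assumption: placeholder list. Replace it with the suites (OpenSSL names)
# documented as supported for decryption on your firewall release.
PROXY_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"]


def handshake_with(host, cipher, port=443, timeout=5.0):
    """Offer only `cipher`; return (protocol, cipher) on success, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Capability probe, not a trust decision: certificate checks are skipped
    # so that a bad certificate is not mistaken for a cipher mismatch.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # set_ciphers() only governs TLS 1.2 and older, so cap the version there.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, ConnectionResetError):
        # Handshake refused (or suite unknown to the local OpenSSL build).
        # DNS failures and timeouts propagate: they are not a cipher verdict.
        return None


def common_suites(host, candidates=PROXY_SUITES, probe=handshake_with):
    """Map each candidate suite the server accepts to the negotiated protocol."""
    accepted = {}
    for cipher in candidates:
        result = probe(host, cipher)
        if result is not None:
            accepted[result[1]] = result[0]
    return accepted


def diagnose(host, candidates=PROXY_SUITES, probe=handshake_with):
    """One-line verdict: can a proxy limited to `candidates` reach `host`?"""
    accepted = common_suites(host, candidates, probe)
    if not accepted:
        return f"{host}: no common suite, a decrypting proxy cannot negotiate"
    pairs = ", ".join(f"{c} ({v})" for c, v in sorted(accepted.items()))
    return f"{host}: common suites: {pairs}"


if __name__ == "__main__" and len(sys.argv) > 1:
    print(diagnose(sys.argv[1]))
```

Run it with the site's hostname as the only argument, from a path that bypasses decryption, so the result reflects the server rather than the firewall.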