Packet dropped with message 'proxy decrypt failure' in session detail
43551
Created On 09/26/18 13:49 PM - Last Modified 08/16/24 09:22 AM
Symptom
With SSL decryption enabled, attempts to reach a particular website fail: packets are dropped with the message 'proxy decrypt failure' in the session detail. This article explains one probable cause and how to fix it.
Packets are dropped only for that website. Running 'show session all filter source <src-ip>' and then 'show session id <id>' for the affected session shows the packet discarded, with the tracker stage firewall reason given as 'proxy decrypt failure', as below:
The global counters show an 'unsupported SSL protocol' message:
If the web server and client can only negotiate a cipher suite that the firewall does not support, the firewall cannot decrypt the session and drops the connection.
Environment
- Any Firewall
Resolution
Workaround
- Create a no-decrypt rule for that destination
- (or) Choose a cipher suite that is supported on the firewall
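To reproduce the condition behind the drop before changing policy, it helps to check what the web server will actually negotiate when it is offered only the suites the decryption proxy can use. The script below is an added example and is not Palo Alto Networks code or output; PROXY_OFFERED is a constructed placeholder list, and the function and host names are the author's assumptions. The classify() helper mirrors the decision described above (no shared suite means the session cannot be decrypted, so a no-decrypt rule or a server-side cipher change is needed), and probe_with_suites() performs a live TLS 1.2 handshake that offers only those suites, returning None in exactly the situation that produces 'proxy decrypt failure'.

```python
import socket
import ssl

# Constructed placeholder: the suites the decryption proxy is assumed to offer.
# Substitute the suites listed in the vendor compatibility matrix for your
# PAN-OS version; these names are OpenSSL cipher names.
PROXY_OFFERED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
]


def shared_suites(server_accepts, proxy_offers):
    """Suites both sides can use, in the proxy's preference order."""
    accepted = set(server_accepts)
    return [s for s in proxy_offers if s in accepted]


def classify(server_accepts, proxy_offers):
    """Mirror the firewall's decision: the session is decryptable only if at
    least one suite the proxy offers is acceptable to the server."""
    shared = shared_suites(server_accepts, proxy_offers)
    if shared:
        return {"decryptable": True, "suite": shared[0]}
    return {
        "decryptable": False,
        "suite": None,
        "action": "add a no-decrypt rule for this destination, or enable a "
                  "proxy-supported suite on the server",
    }


def probe_with_suites(host, port, suites, timeout=5.0):
    """Live check (hypothetical helper): handshake with the server while
    offering only `suites`. Pinned to TLS 1.2 because OpenSSL's cipher string
    does not restrict TLS 1.3 suites. Returns the negotiated suite name, or
    None when the server rejects every offered suite (handshake failure /
    no shared cipher), which is the condition behind the drop."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only cipher negotiation is under test
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(suites))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    import sys
    # Usage: python check_suites.py <hostname>   (hostname is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    negotiated = probe_with_suites(target, 443, PROXY_OFFERED)
    if negotiated is None:
        print(target, "rejects every offered suite: expect 'proxy decrypt failure'")
    else:
        print(target, "negotiated", negotiated, "- decryptable")
```

The offline helpers take the list of suites the server accepts (for example, from a scan you already have) and tell you whether any overlap exists; the live probe confirms the same thing against the real server without involving the firewall, so the result can be compared with the session detail and global counters before a no-decrypt rule is added.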
Additional Information
To learn more about supported cipher suites, see the Palo Alto Networks Compatibility Matrix.