Cannot get SSL decrypt to work on Azure with AZ App Gateway

Created On 06/05/19 21:55 PM - Last Modified 09/09/20 03:15 AM


Symptom


  • When SSL decryption is configured, the websites fail to load and the browser displays the following message:
    This page can't be displayed
    Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://<url name> again.
    If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
  • When conducting packet captures, the following is seen:
    • The Client Hello offers the cipher suite ECDHE_RSA_WITH_AES_256_GCM_SHA384, which is supported and valid for both forward-proxy and inbound inspection.
    • When the handshake reaches the Server Hello, the firewall does not see enough data and the key exchange fails because of the unsupported curve, logging "unsupported curve_name 29" and "parse_server_key_exchange_msg(ecdhe) failed".
  • When taking Global Counters the following is seen:
    proxy_process 1 0 info proxy pktproc Number of flows go through proxy
    proxy_client_hello_failed 1 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
    proxy_reverse_unsupported_protocol 1 0 warn proxy pktproc The number of sessions failed for reverse proxy because of ssl protocol
    proxy_decrypt_unsupport_param_overall 1 0 info proxy pktproc Overall number of decrypted packet unsupport param failure
    proxy_decrypt_error_overall 1 0 info proxy pktproc Overall number of decrypt error(not including cert validation and unsupport param)
    proxy_sessions 1 0 info proxy pktproc Current number of proxy sessions
    proxy_sessions_inbound 1 0 info proxy pktproc Current number of SSL-Inbound decrypted sessions (minus DHE/ECDHE)
    ssl_client_sess_ticket 1 0 info ssl pktproc Number of ssl session with client sess ticket ext
    ssl_extended_master_secret 1 0 info ssl pktproc Number of ssl session created using extended master extension
  • When investigating the session details:
    test@AZEUS2SVOPFW01.IEDGE> show session id 122012
    .....
    tracker stage firewall : proxy decrypt failure
    end-reason : decrypt-error


Environment


  • Microsoft Azure Application Gateway
  • PAN-OS 8.1 and above.


Cause


Palo Alto Networks firewalls support only the NIST-approved elliptic curves listed below for SSL decryption:
  • P-192 (secp192r1)
  • P-224 (secp224r1)
  • P-256 (secp256r1)
  • P-384 (secp384r1)
  • P-521 (secp521r1)
Refer: PAN-OS 8.1 Decryption Cipher Suites
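As an added example (not from the KB article or from Palo Alto Networks), the Python parser below decodes the named curve id from a TLS 1.2 ECDHE ServerKeyExchange message, the value the firewall reports as "curve_name 29", and checks it against the curves listed above; the curve ids are from the IANA TLS Supported Groups registry and the sample messages are constructed inline.

```python
# Added example: decode the named curve in a TLS 1.2 ECDHE ServerKeyExchange
# and check it against the curves the article lists as decryptable.
import struct

# IANA TLS "Supported Groups" ids for the curves in question.
NAMED_CURVES = {
    19: "secp192r1", 21: "secp224r1", 23: "secp256r1",
    24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448",
}
# NIST curves the article lists as supported for SSL decryption.
PANOS_DECRYPT_CURVES = {19, 21, 23, 24, 25}

def parse_server_key_exchange(msg: bytes) -> dict:
    """Parse a ServerKeyExchange (handshake type 12) carrying ECDHE params.
    Returns the curve id, its name, the ECPoint length and whether the
    firewall can decrypt a session negotiated on that curve."""
    if len(msg) < 4 or msg[0] != 0x0C:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    curve_type = body[0]
    if curve_type != 3:  # 3 = named_curve; explicit curves not handled here
        raise ValueError(f"unsupported ECCurveType {curve_type}")
    curve_id = struct.unpack("!H", body[1:3])[0]
    point_len = body[3]
    point = body[4:4 + point_len]
    if len(point) != point_len:
        raise ValueError("truncated ECPoint")
    return {
        "curve_id": curve_id,
        "curve_name": NAMED_CURVES.get(curve_id, "unknown"),
        "point_len": point_len,
        "decryptable": curve_id in PANOS_DECRYPT_CURVES,
    }

def build_ske(curve_id: int, point: bytes) -> bytes:
    """Constructed helper (hypothetical): build a minimal ServerKeyExchange
    with an empty signature block so the parser can be exercised offline."""
    body = bytes([3]) + struct.pack("!H", curve_id) + bytes([len(point)]) + point
    body += bytes([4, 1]) + struct.pack("!H", 0)  # sha256/rsa, zero-length sig
    return bytes([0x0C]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    # Constructed samples: x25519 (curve 29, as in the symptom) and secp256r1.
    for cid, pt in ((29, bytes(32)), (23, b"\x04" + bytes(64))):
        print(parse_server_key_exchange(build_ske(cid, pt)))
```

Run over a ServerKeyExchange extracted from the packet capture, a result of `"decryptable": False` explains the "proxy decrypt failure" seen in the session details.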

 


Resolution


  • This is not a Palo Alto Networks issue; the firewall is working as designed, within its documented limits.
  • Disable x25519, and any other named curve outside the supported list, on your server so that sessions negotiate a supported curve and decryption succeeds.
  • If x25519 is required, contact your SE to raise a feature request.

How to disable curve25519 / x25519 key exchange on Windows Server 2016
 


Additional Information



How To Check Global Counters For A Specific Source And Destination IP Address
How To View Active Session Information Using The CLI.


 

