SSH sessions failing with the "decrypt-error" in the traffic logs

Created On 04/29/22 03:21 AM - Last Modified 06/04/24 21:38 PM


Symptom


SSH sessions that are subject to SSH decryption fail, and the traffic logs (show log traffic) show the session end reason "decrypt-error".

 


Environment




Cause


Decrypted SSH sessions start failing through the firewall because the dataplane pool that holds SSH proxy state is exhausted.
  • Check the SSH-related dataplane pools to see whether either of them is exhausted. The fraction shown is available/total, so a small first number means the pool is nearly full.
> debug dataplane pool statistics | match SSH
[13] SSH Handshake State ( 6512): 511/512 0x80000003da682400
[14] SSH State (3200): 2/4096 0x80000003da9b0d00    >>>> 2/4096 = available/total: only 2 SSH State entries are free
  • If the SSH State pool is exhausted, check how many SSH sessions are currently being decrypted through the firewall.
> show session all filter application ssh count yes
Number of sessions that match filter: 4186
  • The maximum number of decrypted SSH sessions is platform dependent. The limit for the firewall in use can be read with the following command. In this example the session count (4186) already exceeds the limit (4096), so new SSH sessions cannot obtain proxy state and fail with decrypt-error.
> show system state filter cfg.general.max-ssh-proxy-session
cfg.general.max-ssh-proxy-session: 4096    >>>> value depends on the platform


 


Resolution


  1. Identify the source that is consuming the SSH decrypt session capacity. List the SSH sessions and look for the source address that accounts for the bulk of them.
> show session all filter application ssh
  2. Configure a decryption policy rule with action no-decrypt that matches the SSH traffic from that source, so those sessions no longer consume SSH proxy state.
  3. Commit the changes.
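The checks above (pool utilization, session count against the platform limit, and finding the dominant source) can be scripted over saved CLI output. The following Python script is an added example, not part of this article or of PAN-OS; the embedded command outputs are constructed samples whose column layout approximates what the firewall prints, and the 90% utilization threshold, function names and sample addresses are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample of "debug dataplane pool statistics | match SSH"
POOL_STATS = """\
[13] SSH Handshake State ( 6512): 511/512 0x80000003da682400
[14] SSH State (3200): 2/4096 0x80000003da9b0d00
"""

# Constructed sample of "show system state filter cfg.general.max-ssh-proxy-session"
MAX_SSH_PROXY = "cfg.general.max-ssh-proxy-session: 4096"

# Constructed sample of "show session all filter application ssh".
# Each session spans two lines: the first carries Src[Sport]/Zone/Proto,
# the second (starting with the vsys name) carries Dst[Dport]/Zone.
SESSIONS = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
40011        ssh            ACTIVE  FLOW  NS   10.1.20.15[50122]/trust/6  (203.0.113.7[50122])
vsys1                                          192.0.2.10[22]/untrust  (192.0.2.10[22])
40012        ssh            ACTIVE  FLOW  NS   10.1.20.15[50123]/trust/6  (203.0.113.7[50123])
vsys1                                          192.0.2.11[22]/untrust  (192.0.2.11[22])
40013        ssh            ACTIVE  FLOW  NS   10.1.20.15[50124]/trust/6  (203.0.113.7[50124])
vsys1                                          192.0.2.12[22]/untrust  (192.0.2.12[22])
40014        ssh            ACTIVE  FLOW  NS   10.1.30.8[41000]/trust/6  (203.0.113.7[41000])
vsys1                                          192.0.2.10[22]/untrust  (192.0.2.10[22])
"""

# "[14] SSH State (3200): 2/4096 0x..."  ->  name, available, total
POOL_RE = re.compile(
    r"^\[\d+\]\s+(?P<name>.+?)\s*\(\s*\d+\):\s*(?P<free>\d+)/(?P<total>\d+)", re.M
)
# First line of each session: numeric ID, application, then Src[Sport]/...
SESSION_RE = re.compile(
    r"^\d+\s+(?P<app>\S+)\s+.*?\s(?P<src>\d{1,3}(?:\.\d{1,3}){3})\[\d+\]/", re.M
)


def parse_pools(text):
    """Map pool name -> (available, total) from the pool statistics output."""
    return {m["name"]: (int(m["free"]), int(m["total"])) for m in POOL_RE.finditer(text)}


def pool_utilization(pools, name):
    """Fraction of the named pool that is in use (the CLI shows available/total)."""
    free, total = pools[name]
    return (total - free) / total


def parse_max_ssh_proxy(text):
    """Extract the platform limit from the show system state output."""
    m = re.search(r"cfg\.general\.max-ssh-proxy-session:\s*(\d+)", text)
    if m is None:
        raise ValueError("max-ssh-proxy-session not found in output")
    return int(m.group(1))


def sessions_by_source(text, app="ssh"):
    """Count sessions of the given application per source address."""
    counts = Counter()
    for m in SESSION_RE.finditer(text):
        if m["app"] == app:
            counts[m["src"]] += 1
    return counts


def top_sources(text, n=5):
    """Sources with the most SSH sessions, highest first."""
    return sessions_by_source(text).most_common(n)


def assess(pool_text, max_text, session_text, threshold=0.90):
    """Combine the three checks into one verdict (threshold is an assumed value)."""
    pools = parse_pools(pool_text)
    free, total = pools["SSH State"]
    return {
        "ssh_state_free": free,
        "ssh_state_total": total,
        "platform_max": parse_max_ssh_proxy(max_text),
        "ssh_sessions": sum(sessions_by_source(session_text).values()),
        "exhausted": pool_utilization(pools, "SSH State") >= threshold,
        "top_sources": top_sources(session_text),
    }


if __name__ == "__main__":
    result = assess(POOL_STATS, MAX_SSH_PROXY, SESSIONS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed input the SSH State pool is 4094/4096 in use, so the verdict is "exhausted", and 10.1.20.15 is reported as the source holding most of the SSH sessions; that is the address to match in the no-decrypt rule. In practice the session listing on a busy firewall is long, so save each command's output to a file and feed it to the parsing functions rather than pasting it inline.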

