Traffic log shows Session End Reason = 'decrypt-unsupport-param' after updating a browser (Microsoft Edge or Google Chrome) to version 124 and higher
Created On 05/02/24 00:24 AM - Last Modified 01/03/25 15:24 PM
Symptom
The traffic log shows Session End Reason = 'decrypt-unsupport-param' after a browser (Microsoft Edge or Google Chrome) is updated to version 124 and higher.
Environment
- Prisma Access
- Traffic log
- Decryption
- NGFW (PAN-OS)
Cause
Segmented Client Hello packets that are received out of order are dropped without ever reaching the proxy.
Resolution
Disable "TLS 1.3 hybridized Kyber support" in the browser by selecting the "Disable" option from the drop-down for that flag.
- Open a browser tab.
- For Microsoft Edge, copy and paste the following into the tab:
edge://flags/#enable-tls13-kyber
- For Google Chrome, copy and paste the following into the tab:
chrome://flags/#enable-tls13-kyber
Note: The issue has been fixed in newer releases. If the issue persists, open a support case and request the release containing the PAN-253546 fix for Prisma Access.
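The hybrid Kyber key share is what makes the Client Hello large enough to be split across TCP segments, which is the condition described under Cause. The following added example (not from the original article or from Palo Alto Networks) parses the key_share extension of a captured Client Hello record and checks whether its declared size fits in one segment. The group ID 0x6399 with a 1216-byte share for X25519Kyber768Draft00, the 1460-byte MSS, and the zero-filled sample Client Hello are assumptions constructed for illustration.

```python
import struct

KEY_SHARE = 0x0033                          # key_share extension type (RFC 8446)
X25519, X25519_KYBER768 = 0x001D, 0x6399    # 0x6399 = X25519Kyber768Draft00 (assumed group)

def sample_client_hello(shares, other_ext_bytes=500):
    """Constructed ClientHello; keys and the stand-in for other extensions are zero filler."""
    ks = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares)
    ext = struct.pack("!HH", 0x0015, other_ext_bytes) + bytes(other_ext_bytes)
    ext += struct.pack("!HHH", KEY_SHARE, len(ks) + 2, len(ks)) + ks
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!HH", 2, 0x1301)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def key_shares(record):
    """Return [(group, key_length)] from the key_share extension of a ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    try:
        pos = 5 + 4 + 2 + 32                                  # headers, version, random
        pos += 1 + record[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                                # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == KEY_SHARE:
                shares, p = [], pos + 2                       # skip client_shares length
                while p + 4 <= pos + elen:
                    group, klen = struct.unpack_from("!HH", record, p)
                    shares.append((group, klen))
                    p += 4 + klen
                return shares
            pos += elen
    except (IndexError, struct.error):
        raise ValueError("ClientHello truncated: only part of the record was captured")
    return []

def spans_segments(record, mss=1460):       # assumption: 1500-byte MTU, no TCP options
    """True if the record (5-byte header + declared length) cannot fit in one TCP segment."""
    return 5 + struct.unpack_from("!H", record, 3)[0] > mss

if __name__ == "__main__":
    for shares in ([(X25519_KYBER768, 1216), (X25519, 32)], [(X25519, 32)]):
        hello = sample_client_hello(shares)
        print(len(hello), key_shares(hello), spans_segments(hello))
```

`spans_segments` reads only the record header, so it still works when a capture holds just the first segment; `key_shares` raises `ValueError` in that case because the rest of the record is missing.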
Additional Information
This issue was announced in the following incident report:
Recommendations for Addressing Site Access Challenges with Decryption on Google Chrome Browser 124 and Higher