Traffic log shows Session End Reason = 'decrypt-unsupport-param' after updating a browser (Microsoft Edge or Google Chrome) to 124 and Higher

Traffic log shows Session End Reason = 'decrypt-unsupport-param' after updating a browser (Microsoft Edge or Google Chrome) to 124 and Higher

13203
Created On 05/02/24 00:24 AM - Last Modified 07/16/24 04:21 AM


Symptom


Traffic log shows Session End Reason = 'decrypt-unsupport-param' after updating a browser(Microsoft Edge or Google Chrome) to 124 and Higher.

Environment


  • Prisma Access
  • Traffic log
  • Decryption

Cause


Segmented client hello packets received out of order the is dropped without even going to proxy.

Resolution


Disable "TLS 1.3 hybridized Kyber support" in the browser.
  1. Open the browser tab.
  2. Copy paste the following for Microsoft Edge.
edge://flags/#enable-tls13-kyber
  1. For Google Chrome copy/paste the following in the tab.
chrome://flags/#enable-tls13-kyber
​​​​
Note: The issue has been fixed in the newer releases. If the issue persists, please request for PAN-253546 fix release in Prisma access with a support case.

Additional Information


This issue was announced by the following incident report.
Recommendations for Addressing Site Access Challenges with Decryption on Google Chrome Browser 124 and Higher
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OiLCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language