Why traffic is being dropped as "Client and Decryption profile mismatched"


Created On 10/09/20 23:27 PM - Last Modified 12/29/23 16:10 PM


Question


Traffic is dropped with the error "Client and Decryption profile mismatched". What does this error mean, and how can I fix it?

Environment


All PAN-OS 

Answer


Answer: The usual cause of "Client and Decryption profile mismatched" is a TLS version mismatch: the client and the Decryption profile do not share a supported protocol version (the cipher suite offered by the client cannot be negotiated under the profile). You can filter for these logs with the query error containing 'Client and decrypt profile mismatch' in Monitor -> Logs -> Decryption. The logs look like the following:

Client and Decryption profile mismatched, 
supported client version bitmask is 0x08 and supported decryption profile bit mask is 0x70

This error is raised when the TLS versions the client offers do not overlap with the versions the Decryption profile permits. The two hexadecimal bitmasks identify exactly which versions the client supports and which versions the Decryption profile supports.

Identify the value of each bitmask:

  • Log in to the CLI and look up each bitmask value with debug dataplane show ssl-decrypt bitmask-version:

admin@PA> debug dataplane show ssl-decrypt bitmask-version 0x70
TLSv1.1
TLSv1.2
TLSv1.3

admin@PA.VM> debug dataplane show ssl-decrypt bitmask-version 0x08
TLSv1.0

admin@PA.VM> debug dataplane show ssl-decrypt bitmask-version 0x10
TLSv1.1

In the example log above, the client supports only TLSv1.0 (0x08) while the Decryption profile allows TLSv1.1 through TLSv1.3 (0x70), so the two have no version in common and the session is dropped.
Question: How can we fix it?
Answer: Once you have identified the mismatch, the preferred fix is to update the client so that it supports a TLS version that the Decryption profile allows and that is considered secure. If the client cannot be updated, edit the Decryption profile instead. Keep in mind that lowering the profile's minimum version (for example, to allow TLSv1.0) weakens protection for every session that profile covers, so scope such a profile as narrowly as possible.
More information can be found at https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/troubleshoot-unsupported-cipher-suites.html
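The following script is an added example (not Palo Alto Networks code) that decodes the two bitmasks from a "Client and Decryption profile mismatched" log line and reports whether the client and the profile share any TLS version. The bit values for TLSv1.0 and TLSv1.1 come from the CLI output above; TLSv1.2 = 0x20 and TLSv1.3 = 0x40 are inferred from 0x70 expanding to TLSv1.1/1.2/1.3 and are an assumption, not something the article documents.

```python
import re

# Bit values: 0x08 -> TLSv1.0 and 0x10 -> TLSv1.1 are shown by the CLI in this
# article. Since 0x70 = 0x10 | 0x20 | 0x40 expands to TLSv1.1/1.2/1.3, 0x20 is
# assumed to be TLSv1.2 and 0x40 TLSv1.3 (inference, not documented here).
TLS_VERSION_BITS = {
    0x08: "TLSv1.0",
    0x10: "TLSv1.1",
    0x20: "TLSv1.2",
    0x40: "TLSv1.3",
}

LOG_PATTERN = re.compile(
    r"supported client version bitmask is (0x[0-9a-fA-F]+)"
    r" and supported decryption profile bit mask is (0x[0-9a-fA-F]+)"
)


def decode_bitmask(mask: int) -> list:
    """Return the TLS versions encoded in a bitmask, lowest version first."""
    return [name for bit, name in sorted(TLS_VERSION_BITS.items()) if mask & bit]


def diagnose(log_line: str) -> dict:
    """Parse one decryption log line and report the client/profile overlap."""
    m = LOG_PATTERN.search(log_line)
    if not m:
        raise ValueError("not a 'Client and Decryption profile mismatched' log line")
    client_mask, profile_mask = int(m.group(1), 16), int(m.group(2), 16)
    common = decode_bitmask(client_mask & profile_mask)
    return {
        "client": decode_bitmask(client_mask),
        "profile": decode_bitmask(profile_mask),
        "common": common,
        "mismatch": not common,
    }


# Constructed sample input: the log line quoted in this article.
SAMPLE_LOG = (
    "Client and Decryption profile mismatched, "
    "supported client version bitmask is 0x08 and supported decryption profile bit mask is 0x70"
)

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"client offers {result['client']}, profile allows {result['profile']}")
    if result["mismatch"]:
        print("no common TLS version: update the client or adjust the Decryption profile")
```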

