SSH attempt fails with session end reason "decrypt-error" when decryption is in use

Created On 05/06/24 22:30 PM - Last Modified 01/10/25 22:27 PM


Symptom


  • Decryption policy is enabled for SSH.
  • The SSH attempt fails with session end reason "decrypt-error".
  • The SSH session works without decryption in place.
  • Packet captures show the Multi Precision Integer Length in the Diffie-Hellman group exchange message, as below.
Key Exchange (method:diffie-hellman-group-exchange-sha256)
    Message Code: Diffie-Hellman Group Exchange Group (31)
    Multi Precision Integer Length: 1025  <<======
  • Flow basic and proxy basic logs report the following errors.

pan_ssh_dh_deep_copy_and_free() failed -60
pan_ssh_kexgex_client() failed with -60
pan_ssh_process_key_exchange() failed with -44



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • SSH decryption enabled


Cause


The SSH server is sending a multi-precision integer larger than 512 bytes in the Diffie-Hellman group exchange.

Resolution


Reduce the multi-precision integer sent by the SSH server to 512 bytes.
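As an added example (not from this article or from Palo Alto Networks), the following Python script parses the Diffie-Hellman Group Exchange Group (31) message seen in the capture, reports the multi-precision integer length the same way the capture does, and flags a modulus longer than the 512 bytes named in the Cause. The message payload and the modulus it carries are constructed placeholders; the 512-byte threshold is taken from this article.

```python
import struct

# SSH message number for KEX_DH_GEX_GROUP (RFC 4419), the message in the capture
SSH_MSG_KEX_DH_GEX_GROUP = 31
# Largest multi-precision integer the article says the firewall accepts, in bytes
MAX_MPINT_BYTES = 512


def read_mpint(buf: bytes, offset: int):
    """Parse one SSH mpint (RFC 4251 s.5): uint32 length, then big-endian
    two's-complement bytes. Returns (value, encoded_length, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated mpint length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated mpint body")
    return int.from_bytes(buf[start:end], "big", signed=True), length, end


def parse_kex_dh_gex_group(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEX_DH_GEX_GROUP payload (byte 31, mpint p, mpint g)
    and flag a modulus whose encoded length exceeds the firewall limit."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a KEX_DH_GEX_GROUP message")
    p, p_len, off = read_mpint(payload, 1)
    g, _, _ = read_mpint(payload, off)
    return {"p_bits": p.bit_length(), "p_mpint_len": p_len, "g": g,
            "exceeds_firewall_limit": p_len > MAX_MPINT_BYTES}


def encode_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint. A leading 0x00 byte is
    added when the top bit is set, which is why an 8192-bit modulus encodes
    as 1025 bytes (the length highlighted in the article's capture)."""
    if value == 0:
        return struct.pack(">I", 0)
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def build_sample_group_message(p_bits: int) -> bytes:
    """Constructed test input: a KEX_DH_GEX_GROUP payload whose p has the given
    bit length. p is a placeholder with top and bottom bits set, NOT a real
    safe prime; only its encoded length matters for this check."""
    p = (1 << (p_bits - 1)) | 1
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(2)


if __name__ == "__main__":
    for bits in (2048, 4096, 8192):
        print(bits, parse_kex_dh_gex_group(build_sample_group_message(bits)))
```

Note that a 4096-bit modulus with its top bit set encodes as 513 bytes under these rules and is therefore flagged here; the article does not say whether the firewall's 512-byte limit counts that leading zero byte.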


