SSL Inbound decryption causing packet drops and resource depletion
10717
Created On 01/24/25 15:52 PM - Last Modified 07/03/25 14:27 PM
Symptom
- Intermittent SSL decryption failures.
- Error messages similar to the following are seen in the decryption logs (Monitor > Logs > Decryption):
- SSL handshake failure: 'Certificate unknown'.
- err-connection-reset.
- Site has no certificate.
- The traffic logs (Monitor > Logs > Traffic) may show the following session end reason:
- resource-unavailable (packets are also dropped with this session end reason).
Environment
- Palo Alto Networks Firewalls.
- PAN-OS versions below 10.2.14, 11.1.8 and 11.2.5.
- SSL Decryption
Cause
- This issue arises due to the hybridized Kyber support for TLS 1.3 on modern browsers.
- The problem occurs when the SSL client hello packet becomes too large and is fragmented.
- Clients send a large Client Hello together with TLS early data, and the early data arrives in a completely separate packet from the last part of the Client Hello.
- SSL decryption fails with fragmented client hello packets.
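The following added illustration (not PAN-OS code, and not from the vendor) shows in Python why a hybrid Kyber Client Hello no longer fits in one TCP segment and what an accumulating proxy must do before it can classify the session: it builds a constructed ClientHello with a classic X25519 key share and one with an X25519Kyber768 share, reassembles the TLS record across TCP segment payloads, and reads the key_share sizes back out. The group code points (0x001D, 0x6399), the 1216-byte hybrid share size and the 1460-byte segment size used below are assumptions drawn from the TLS registry, the hybrid draft and a typical Ethernet MSS, not from this article; the padding extension stands in for the other extensions a real browser hello carries.

```python
import struct

EXT_KEY_SHARE = 0x0033
X25519 = 0x001D          # classic ECDHE group (assumed code point)
X25519KYBER768 = 0x6399  # hybrid X25519+Kyber768 code point browsers used (assumed)

def build_client_hello(shares, padding=0):
    """Constructed minimal TLS 1.3 ClientHello carrying the given key shares."""
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    exts = struct.pack("!HHH", EXT_KEY_SHARE, len(ks) + 2, len(ks)) + ks
    if padding:  # RFC 7685 padding stands in for SNI/ALPN/etc. of a real hello
        exts += struct.pack("!HH", 0x0015, padding) + b"\x00" * padding
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # legacy_version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def accumulate_client_hello(segments):
    """Reassemble one TLS handshake record from TCP payloads: (record, segments_used) or (None, n)."""
    buf = b""
    for i, seg in enumerate(segments, 1):
        buf += seg
        if len(buf) >= 5:
            rec_len = struct.unpack("!H", buf[3:5])[0]
            if len(buf) >= 5 + rec_len:   # whole ClientHello is now in hand
                return buf[:5 + rec_len], i
    return None, len(segments)            # still waiting on more segments

def key_share_sizes(record):
    """Walk a ClientHello's extensions; return {group: key_exchange_length}."""
    body = record[5:]
    pos = 4 + 2 + 32                                      # hs header, version, random
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, shares = pos + 2, {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == EXT_KEY_SHARE:
            p = pos + 2                                   # skip client_shares length
            while p < pos + elen:
                group, klen = struct.unpack("!HH", body[p:p + 4])
                shares[group] = klen
                p += 4 + klen
        pos += elen
    return shares
```

With 400 bytes of padding the classic hello is 498 bytes and arrives in one segment, while the hybrid hello is 1718 bytes and only completes after the second segment, which is the case the accumulation proxy exists to handle.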
Resolution
- The issue is addressed under PAN-270549 and is resolved in PAN-OS 10.2.14, 11.1.8, 11.2.5 and higher versions.
- Upgrading to the fixed versions will resolve the issue.
TEMPORARY fix
- Disable the accumulation proxy using "debug dataplane set ssl-decrypt accumulate-client-hello disable yes".
- To check whether the setting is in effect, run "show system state | match accumulate"; it returns a "True" value.
- The accumulation proxy can be re-enabled by using the command "debug dataplane set ssl-decrypt accumulate-client-hello disable no".
- The "show system state | match accumulate" command will now return no output.
Warning:
- The temporary fix must be used with caution and only for confirming the issue.
- This temporary fix may cause sessions to match the wrong decryption policy or decryption to fail due to not accumulating and organizing the large Client Hellos.
- This command should be used for testing purposes only, and an upgrade to a stable version should be sought.
CLI output when the accumulation proxy is disabled and then re-enabled:
> debug dataplane set ssl-decrypt accumulate-client-hello disable yes
> show system state | match accumulate
cfg.ssl-decrypt.accumulate-client-hello.disable: True
> debug dataplane set ssl-decrypt accumulate-client-hello disable no
> show system state | match accumulate
Additional Information
- The accumulation proxy is enabled on PAN-OS versions after 10.2.8-h10.
- The user's connection is not decrypted as configured because of TLS 1.3 Kyber support in the browser.