TLS connections may fail to establish in asymmetric routing environments

Created On 02/14/25 07:15 AM - Last Modified 10/30/25 06:12 AM


Symptom


  • Packet forwarding in an asymmetric routing environment.
  • Because of the asymmetric routing, the firewall only receives packets in the client-to-server (c2s) direction.
  • The Client Hello from the client arrives in multiple packets.
  • The client is unable to establish an SSL/TLS session.
  • The firewall does not see the server-to-client (s2c) packets of the TLS handshake.
  • This only affects SSL sessions.


Environment


  • Palo Alto Firewalls.
  • PAN-OS versions with the PAN-247099 fix, which are 11.2.2, 11.1.5, 11.0.7, 10.2.11, or later.
  • SSL Decryption.
  • Asymmetric Routing.


Cause


  • PAN-247099 is addressed in the releases listed above.
  • With this fix, the accumulation proxy is enabled by default.
  • Once the accumulation proxy is engaged on a session, it is not disengaged until the firewall receives the Server Hello.
  • Due to asymmetric routing, the firewall may never receive the Server Hello.
  • While the Server Hello has not been received, the firewall does not pass the client's ACK packets until the accumulation proxy is disengaged.
  • This happens whenever a decryption rule is configured on the firewall, even if the affected session is not itself decrypted.


Resolution


  1. The complete fix will be available in the following versions under PAN-279500:
    11.2.7, 11.1.11, 11.1.10-h1, 11.1.6-h14, 10.2.17
  2. A temporary workaround is to disable the accumulation proxy on the firewall:
    > debug dataplane set ssl-decrypt accumulate-client-hello disable yes
  3. Another workaround is to disable PQC in the client browser. Because this must be done in every browser, it may not scale.
    • Chrome: chrome://flags/#enable-tls13-kyber
    • Edge: edge://flags/#enable-tls13-kyber
    • TLS 1.3 hybridized Kyber support (TLS 1.3 post-quantum key agreement) > Select "Disabled" > Relaunch
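To confirm the first symptom (a Client Hello split across several packets) from a capture of the c2s direction, and to see why the PQC workaround matters, here is an added Python example that is not part of the original article: it constructs a minimal Client Hello with and without a hybrid Kyber key share, reads the TLS record header from the first client-to-server segment to count the TCP segments the hello needs, and lists the key_share groups of a reassembled hello. The 1460-byte MSS, the 500-byte padding stand-in for the other browser extensions, and the dummy key bytes are assumptions.

```python
import struct

MSS = 1460                     # assumed TCP MSS on a 1500-byte MTU path
X25519 = 0x001D                # IANA named group
X25519_KYBER768_DRAFT00 = 0x6399  # hybrid group enabled by the Chrome/Edge "TLS 1.3 hybridized Kyber" flag

def build_client_hello(key_shares, filler=0):
    """Constructed minimal TLS 1.3 Client Hello record (not a captured browser hello).
    filler: size of a padding extension (RFC 7685) standing in for SNI/ALPN/sigalgs bulk."""
    entries = b"".join(struct.pack("!HH", g, len(pk)) + pk for g, pk in key_shares)
    ks_ext = struct.pack("!HHH", 0x0033, len(entries) + 2, len(entries)) + entries
    groups = b"".join(struct.pack("!H", g) for g, _ in key_shares)
    sg_ext = struct.pack("!HHH", 0x000A, len(groups) + 2, len(groups)) + groups
    pad_ext = struct.pack("!HH", 0x0015, filler) + b"\x00" * filler
    exts = sg_ext + ks_ext + pad_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # TLS_AES_128_GCM_SHA256, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_first_segment(segment, mss=MSS):
    """Read the TLS record header from the first c2s TCP payload: does the hello span segments?"""
    if len(segment) < 9 or segment[0] != 0x16 or segment[5] != 0x01:
        return None                                     # not a TLS handshake record carrying a Client Hello
    total = 5 + struct.unpack("!H", segment[3:5])[0]    # record header + record body
    segments = -(-total // mss)                         # ceiling division
    return {"total_bytes": total, "segments": segments, "multi_packet": segments > 1}

def key_share_groups(hello):
    """List the key_share groups in a reassembled Client Hello, to spot the hybrid PQC share."""
    p = 9 + 2 + 32                                      # record + handshake headers, version, random
    p += 1 + hello[p]                                   # legacy_session_id
    p += 2 + struct.unpack("!H", hello[p:p + 2])[0]     # cipher_suites
    p += 1 + hello[p]                                   # compression_methods
    ext_end = p + 2 + struct.unpack("!H", hello[p:p + 2])[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack("!HH", hello[p:p + 4])
        if etype == 0x0033:                             # key_share: skip ext hdr (4) + list length (2)
            q, end, groups = p + 6, p + 4 + elen, []
            while q < end:
                g, klen = struct.unpack("!HH", hello[q:q + 4])
                groups.append(g)
                q += 4 + klen
            return groups
        p += 4 + elen
    return []
```

With a 1216-byte hybrid share (a 1184-byte Kyber768 key plus a 32-byte X25519 key) the constructed hello no longer fits in one 1460-byte segment, which is exactly the case the accumulation proxy has to buffer.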


Additional Information


The following command needs to be executed after upgrading to a version with the fix for PAN-279500.

debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes
  • This change persists across reboots.
  • This change is not synced between HA devices, so you must execute the command on both HA peers.
  • There is no impact to existing traffic.

