Unable to access Clientless VPN application with session end reason as "policy-deny"

Created On 10/06/23 16:34 PM - Last Modified 07/12/24 21:01 PM


Symptom


  • An application configured under Clientless VPN fails to launch.
  • Session information displays the end reason as "policy-deny".
  • The tracker stage "firewall" displays "proxy decrypt failure":
c2s flow:
source: X.X.X.X [vpn-remote-access]
dst: X.X.X.X
proto: 6
sport: 23227 dport: 443
state: DISCARD type: FLOW
src user: test1
dst user: 
offload: Yes

s2c flow:
source: X.X.X.X [inside]
dst: X.X.X.X
proto: 6
sport: 443 dport: 23227
state: DISCARD type: FLOW 
src user:
....(OUTPUT OMITTED)
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
Proxy Info:
Proxy Flow
Index: 4652712, Type: revert, Tag: 104905, Dir: stc
Stopped
  • When dataplane logs are enabled with debug, "unexpected message" and "handshake failed" messages are seen in pan_packet_diag.log (less dpx-log pan_packet_diag.log).

0700 debug: pan_ssl3_decode_record(pan_ssl3.c:980): after decode 12
0700 debug: pan_ssl_proxy_parse_record(pan_ssl_proxy.c:378): decoded record length 4
0700 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1151): unexpected message client hs_type 0 
-0700 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:233): pan_ssl3_process_handshake_msg() failed -1
-0700 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:621): pan_ssl_parse_record() failed
X.X.X.X[23227]-->X.X.X.X[443]
-0700 pan_proxy_handle_error(pan_proxy.c:2448): handle error -1
2023-09-29 11:09:23.242 -0700 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:2431): In session(104905), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip
-0700 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1396): pan_ssl_proxy_parse_data() failed -1, not block


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Clientless VPN Portal


Cause


  • The application server triggers an SSL renegotiation.
  • This causes the Firewall to terminate the session, because SSL renegotiation is not supported by the Firewall.
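A small triage helper, added here as an example and not part of the article or of PAN-OS, that correlates the two artifacts above: it reads the fields a session dump exposes (end-reason, tracker stage, proxy Tag) and the pan_packet_diag.log lines, and reports whether a session carries this article's fingerprint. Handshake type 0 in "unexpected message client hs_type 0" is hello_request, the TLS message a server sends to request renegotiation, which ties the symptom to the cause; the sample excerpts are constructed from the article's output, and attributing the hs_type line to the next "In session(N)" line is an assumption.

```python
import re
from typing import Dict, List, Optional

# TLS HandshakeType values (RFC 5246 section 7.4); 0 is hello_request, the
# message a server sends mid-session to ask the client to renegotiate.
HS_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello"}

# Constructed excerpts modelled on the article's session dump and debug log.
SESSION_SAMPLE = """\
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
Index: 4652712, Type: revert, Tag: 104905, Dir: stc
"""
DIAG_SAMPLE = """\
0700 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1151): unexpected message client hs_type 0
2023-09-29 11:09:23.242 -0700 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:2431): In session(104905), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip
"""

def parse_session(text: str) -> Dict[str, Optional[str]]:
    """Fields the article keys on, taken from 'show session id' output."""
    def field(label: str) -> Optional[str]:
        m = re.search(rf"^{label}\s*:\s*(.+?)\s*$", text, re.M | re.I)
        return m.group(1) if m else None
    tag = re.search(r"\bTag:\s*(\d+)", text)
    return {"end_reason": field("end-reason"), "proxy_tag": tag.group(1) if tag else None,
            "tracker_stage": field("tracker stage firewall")}

def parse_packet_diag(text: str) -> Dict[str, List[str]]:
    """Session id -> handshake messages the SSL proxy rejected. The hs_type line
    has no session id, so (assumption) it is attributed to the next 'In session(N)'."""
    out: Dict[str, List[str]] = {}
    pending: List[str] = []
    for line in text.splitlines():
        m = re.search(r"unexpected message \w+ hs_type (\d+)", line)
        if m:
            pending.append(HS_TYPES.get(int(m.group(1)), f"type_{m.group(1)}"))
            continue
        m = re.search(r"In session\((\d+)\).*error_id\(", line)
        if m and pending:
            out.setdefault(m.group(1), []).extend(pending)
            pending = []
    return out

def matches_article(session_text: str, diag_text: str) -> bool:
    """Article fingerprint: policy-deny + proxy decrypt failure + rejected hello_request."""
    s = parse_session(session_text)
    rejected = parse_packet_diag(diag_text).get(s["proxy_tag"] or "", [])
    return (s["end_reason"] == "policy-deny" and s["tracker_stage"] == "proxy decrypt failure"
            and "hello_request" in rejected)
```

A session that is denied for another reason, or whose proxy rejected a different handshake message, does not match, which keeps the check from flagging unrelated policy-deny sessions.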


Resolution


  1. The issue is tracked under PAN-229069 and is fixed in PAN-OS 10.2.8, 11.0.4 and 11.1.3.
  2. Upgrading to one of the above versions or later resolves the issue.
  3. As a workaround, disable SSL renegotiation on the application server (if possible).


Additional Information


12 July 24 (Vijay) - Article reviewed with Prathyusha and published external.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g2LxCAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail