Accessing certain https websites fail due to missing server hello.

• Palo Alto Firewalls
• Supported PAN-OS
• Client behind firewall accessing https websites

• The PC does not receive the server hello during TLS negotiation.
• Possible MTU issue.

1. Apply a filter with source and destination to capture traffic and see the counters.
2. Run the "show counter global filter packet-filter yes delta yes" command twice. This will clear old counter values.
3. Try connecting to the website with issues using the "https://<url>".
4. Rerun the "show counter global filter packet-filter yes delta yes" command  and check for counters for MTU listed below.

:flow_fwd_mtu_exceeded   7   0 info      flow   forward   Packets lengths exceeded MTU
:flow_fwd_ip_df          5   0 drop      flow   forward   Packets dropped: exceeded MTU but DF bit present

5. Check the pcap captured to see the packet at "drop" stage, This will display the dropped packets. The server hello in drop stage will confirm packet drop due to MTU issue.
6. If the firewall has the counters mentioned above and the server hello is at "drop" stage: ​​​​​

• Review the firewall interfaces where the traffic is passing and confirm that MTU configured there is the same that MSS negotiated during TCP handshake.

7. if  the counters do not show any MTU issue and the pcap at any stage does not show the server hello:

• The issue is not in the firewall.
• Review the other devices in the patch to confirm if the drop is occuring in other devices in the path.
• One possibility is that a tunnel after the firewall (IPSEC or GRE) or any other device where the MTU is less than the MSS negotiated during TCP handshake.

8. If the issue points to firewall and assistance is required for troubleshooting, open a Support case with the above details.

• How to verify MTU exceeded
• TCP MSS adjustment for IPSEC traffic 
• Getting started: Packet capture