TLS HTTP/2 web pages are not loading after upgrading PAN-OS to 9.1.14
Created On 06/12/22 22:22 PM - Last Modified 04/24/24 18:36 PM
Symptom
- Firewall upgraded to PAN-OS 9.1.14
- TLS web pages fail to load for HTTP/2 traffic when that traffic is decrypted
- TLS traffic using HTTP/1.1 is not affected
Environment
- All platforms including VM firewalls
- PAN-OS 9.1.14
- HTTP/2 traffic
- SSL decryption enabled
Cause
If you enable a packet capture filter on the IP address of the server in question and then check the global counters, you can confirm whether the traffic is HTTP/2.
You should also see the warning counter "Number of unsupported ssl ext in server hello", as shown below:
> show counter global filter packet-filter yes delta yes
ssl_unsupported_server_extension 2 0 warn ssl pktproc Number of unsupported ssl ext in server hello
http2_process 1 0 info http2 pktproc Number of http2 connection process
http2_stream_session_alloc 1 0 info http2 pktproc Number of http2 stream sessions allocated
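To check saved "show counter global" output for this signature without reading it by hand, the following script (an added example, not part of the Palo Alto Networks article) flags output in which the ssl_unsupported_server_extension counter and at least one http2_* counter both increment. The sample lines are the counters quoted above plus a constructed set without HTTP/2 activity; the column layout assumed is name, value, rate, severity, category, aspect, description.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article): look for the counter
# signature described in the Cause section in captured
# "show counter global filter packet-filter yes delta yes" output.
# Exit status 0 = signature present, 1 = absent.
# Usage: has_http2_ssl_ext_signature < counters.txt

has_http2_ssl_ext_signature() {
    awk '
        # Assumed column layout: name value rate severity category aspect description
        $1 == "ssl_unsupported_server_extension" && $2 > 0 { ssl_ext = 1 }
        $1 ~ /^http2_/ && $2 > 0                          { http2 = 1 }
        END { exit (ssl_ext && http2) ? 0 : 1 }
    '
}

# Constructed sample: the counter lines quoted in the article.
SAMPLE_HIT='ssl_unsupported_server_extension 2 0 warn ssl pktproc Number of unsupported ssl ext in server hello
http2_process 1 0 info http2 pktproc Number of http2 connection process
http2_stream_session_alloc 1 0 info http2 pktproc Number of http2 stream sessions allocated'

# Constructed sample: same SSL warning counter but no http2_* activity,
# i.e. the server hello extension alone does not indicate this issue.
SAMPLE_MISS='ssl_unsupported_server_extension 2 0 warn ssl pktproc Number of unsupported ssl ext in server hello
session_allocated 5 0 info session resource Sessions allocated'

if printf '%s\n' "$SAMPLE_HIT" | has_http2_ssl_ext_signature; then
    echo "signature present: http2 counters plus unsupported server hello extension"
else
    echo "signature absent"
fi
```

Run it against the real CLI output of several firewalls to see which ones show the combination; a non-zero ssl_unsupported_server_extension count on its own is not conclusive, which is why the check also requires an http2_* counter.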
If your firewall shows the same symptoms, you are likely hitting PAN-194395.
Resolution
Workaround
- Select the decryption profile attached to the decryption policy in the GUI: Objects > Decryption > Decryption Profile > (select the profile in use)
- On the SSL Forward Proxy tab, select Strip ALPN. With this setting the firewall strips ALPN from the decrypted sessions, so HTTP/1.1 is negotiated instead of HTTP/2. Note that this applies to every session decrypted by a policy that uses this profile, not only to the affected server.
- If the above workaround is not suitable, downgrade to a PAN-OS release earlier than 9.1.14.
A PAN-OS release that resolves this issue is still pending.
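To confirm that the Strip ALPN workaround is in effect, the negotiated protocol can be checked from a client whose traffic is decrypted by the firewall. The following script is an added example, not part of the Palo Alto Networks article: it offers h2 and http/1.1 via ALPN with the openssl CLI and reduces the s_client output to the negotiated protocol. The hostname passed to probe_alpn is a placeholder (an assumption); the embedded s_client excerpts are constructed to show what the parser sees before and after the workaround.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article). Requires the openssl CLI.
# Before the workaround a decrypted HTTP/2 site negotiates "h2"; after
# Strip ALPN the expected result is "http/1.1" or "none".

# Reduce openssl s_client output to the negotiated ALPN protocol:
# "h2", "http/1.1", "none" (server negotiated no ALPN) or "unknown".
alpn_from_s_client_output() {
    awk '
        /^ALPN protocol:/     { sub(/^ALPN protocol: */, ""); print; found = 1; exit }
        /^No ALPN negotiated/ { print "none"; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Connect through the firewall and classify the result.
# Exit status: 0 = h2 no longer negotiated, 1 = h2 still negotiated,
# 2 = result could not be determined (handshake failed or output not recognised).
# Usage: probe_alpn <affected-server-hostname> [port]   (hostname is a placeholder)
probe_alpn() {
    host=$1
    port=${2:-443}
    result=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -alpn h2,http/1.1 </dev/null 2>/dev/null | alpn_from_s_client_output)
    echo "$host:$port negotiated ALPN: $result"
    case $result in
        h2)      return 1 ;;
        unknown) return 2 ;;
        *)       return 0 ;;
    esac
}

# Constructed s_client excerpts (labelled): before and after Strip ALPN.
SAMPLE_BEFORE='---
ALPN protocol: h2
---'
SAMPLE_AFTER='---
No ALPN negotiated
---'

printf 'before workaround: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | alpn_from_s_client_output)"
printf 'after workaround:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | alpn_from_s_client_output)"
```

Run probe_alpn from a client whose sessions match the decryption policy; a result of "h2" after the profile change means the session is not being decrypted by that policy (or the change was not committed), so check the decryption policy match before assuming the workaround failed.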
Additional Information
PAN-189468 is listed under the PAN-OS 9.1.14 Known Issues in the following release note:
PAN-OS 9.1.14 Known Issues