The firewall intermittently drops IPv6 traffic after the upgrade

Created On 06/11/25 10:00 AM - Last Modified 10/24/25 22:36 PM


Symptom


  • Intermittent and potentially rare connection failures when accessing services over IPv6.
  • The connection failures are browser-dependent. For example, the issue is observed in Google Chrome, but connections work correctly in Mozilla Firefox.
  • A packet capture will show the server terminating the connection with a TCP Reset (RST) immediately after the client sends its "Client Hello" packet.


Environment


  • PAN-OS above PAN-247099
  • PAN-OS that includes a fix for PAN-282236
  • Any firewall with IPv6 traffic passing through.
  • Accumulation proxy is enabled.
  • Decryption is enabled for related or unrelated traffic.


Cause


During the SSL/TLS handshake, the firewall is unintentionally removing the IPv6 flow label from large "Client Hello" packets. This causes the destination server to view the handshake attempt as invalid and terminate the connection with a TCP Reset (RST).
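
One way to check a capture for the behaviour described above, as an added example that is not part of the original article: it parses raw IPv6/TCP packets and flags flows whose Client Hello carries flow label 0 after earlier packets in the same direction carried a non-zero label. It assumes the capture is taken on the server side of the firewall and that packets have no IPv6 extension headers; the function names and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_ipv6_tcp(pkt):
    """Return (flow_key, flow_label, tcp_payload) for a raw IPv6/TCP packet, else None."""
    # Version must be 6 and Next Header must be TCP (extension headers are not handled).
    if len(pkt) < 60 or pkt[0] >> 4 != 6 or pkt[6] != 6:
        return None
    flow_label = struct.unpack("!I", pkt[:4])[0] & 0xFFFFF   # low 20 bits of first word
    sport, dport = struct.unpack("!HH", pkt[40:44])
    tcp_hdr_len = (pkt[52] >> 4) * 4
    key = (pkt[8:24], sport, pkt[24:40], dport)              # one direction of one flow
    return key, flow_label, pkt[40 + tcp_hdr_len:]

def is_client_hello(payload):
    # TLS record type 0x16 (handshake), major version 0x03, handshake type 0x01.
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01

def find_stripped_flow_labels(packets):
    """Flag flows whose Client Hello has label 0 after a non-zero label was seen earlier."""
    seen, hits = defaultdict(set), []
    for pkt in packets:
        parsed = parse_ipv6_tcp(pkt)
        if parsed is None:
            continue
        key, label, payload = parsed
        earlier = sorted(l for l in seen[key] if l != 0)
        if is_client_hello(payload) and label == 0 and earlier:
            hits.append((key[1], key[3], earlier))           # (sport, dport, earlier labels)
        seen[key].add(label)
    return hits

def build(label, sport, payload=b""):
    """Construct a sample IPv6/TCP packet (documentation addresses, not real traffic)."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    ip6 = struct.pack("!IHBB", (6 << 28) | label, 20 + len(payload), 6, 64) + src + dst
    tcp = struct.pack("!HHIIBBHHH", sport, 443, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip6 + tcp + payload

HELLO = b"\x16\x03\x01\x04\xb0\x01" + bytes(1200)   # constructed start of a large Client Hello
SAMPLE = [                                          # constructed packets, in capture order
    build(0xABCDE, 50000), build(0x00000, 50000, HELLO),   # label stripped on the hello
    build(0x12345, 50001), build(0x12345, 50001, HELLO),   # label preserved
    build(0x00000, 50002), build(0x00000, 50002, HELLO),   # label 0 from the start
]
```

Only the first sample flow is reported; a flow that starts with flow label 0, as in workaround 3, is not flagged.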

 




Resolution


The issue occurs rarely; however, there are a few workarounds. Any one of them should work:

  1. Disable the accumulation proxy. (Bear in mind that the impact of disabling it is more harmful than the IPv6 failures.)
    1. debug dataplane set ssl-decrypt accumulate-client-hello disable yes
  2. Disable PQC ciphers in the Chrome browser.
    1. Chrome: chrome://flags/#enable-tls13-kyber
      Edge: edge://flags/#enable-tls13-kyber

      TLS 1.3 hybridized Kyber support (TLS 1.3 post-quantum key agreement) > Select "Disabled" > Relaunch
  3. Initiate the traffic by setting the flow label to 0. 

Long Term Solution: 

  • Upgrade to a version where PAN-287423 is fixed. The ETA is 11.2.8 and 11.1.11.


Additional Information


Firefox falls back to normal ciphers if PQC does not succeed, which is why you won't notice the issue in Firefox.


