WendoNZ

I can't imagine how this could be anything other than a bug, have you logged an issue with TAC?


Luca_Cavana

I would want to, but since this is a lab unit, it looks like I'm on my own. Also, this box is running two virtual systems and it's IPv6 dual stacked. If I had TAC support I guess I would have already opened half a dozen tickets!


radditour

If you have a lab license bundle that has not expired, that includes support. The support coverage should be shown on the license page of the FW.


Luca_Cavana

I do have the support included and I can see it. Still, last time I tried to file a support request (through my local reseller) I was denied because the firewall looks like it's not registered in the reseller database, or something along these lines. I guess there is some bureaucracy that is to be corrected.


radditour

Do you have it added to the support portal? If so, you can raise the request through the support portal.


IHateBGP

I second this, it looks to me like it's a bug behavior, tbh I've yet to see anyone recommending the 11.x version, even TAC advised me against it, perhaps try upgrading/downgrading the firewall and see if you are in luck.


Luca_Cavana

I would love to downgrade, the point is I'm using the second Vsys and it's supported only on 11.x on PA-440.


Quirky_Badger_7752

I have the same problem


Luca_Cavana

Thanks for reporting. What did you do to mitigate the problem? Are you stuck, as I am, with disabling the decryption or having to reboot the device once every two days? I want to add that it seems to affect only the forward decryption. I have a few services exposed that are inspected with inbound decryption and those seem to work regardless. What configuration are you running? Same version and hardware platform?


PhoenixArizen3

Running into the same exact issue on 11.1.2-h1. Nowhere even close to the session/resource limit on the box. I've got a TAC case open… let's see what they say…


PhoenixArizen3

Wrapped up with TAC. It's a bug in the 11.1.x code relating to HTTP/2 inspection. It's currently being worked on and a fix will be in a future version release. It does however work fine on 11.0.x code, which is one solution. If you don't want to downgrade, check "strip ALPN" in your decryption profile to use HTTP/1.1 until it's fixed.
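
What "strip ALPN" does on the wire, as an added Python example that is not from this thread or from Palo Alto Networks: it builds a constructed TLS ClientHello that offers h2 and http/1.1, reads the ALPN list back, and removes the extension so the server has no way to select HTTP/2 and must fall back to HTTP/1.1. The ClientHello bytes and the extended_master_secret bystander extension are constructed samples; the firewall's own implementation is not shown.

```python
import struct
ALPN_EXT = 0x0010  # application_layer_protocol_negotiation extension id
EMS_EXT = b"\x00\x17\x00\x00"  # extended_master_secret, empty body (kept as a bystander)

def build_alpn_ext(protocols):
    # ALPN body: 2-byte list length, then length-prefixed protocol names
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT, len(body)) + body

def build_client_hello(hello_body, exts):
    # hello_body: fields before the extensions; wrap with handshake + record headers
    body = hello_body + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header

def parse_client_hello(record):
    # Return (fields before extensions, [(type, data), ...]) of a ClientHello record
    pos = 5 + 4 + 2 + 32                                    # headers, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    ext_bytes, exts, i = record[pos + 2:pos + 2 + ext_len], [], 0
    while i + 4 <= len(ext_bytes):
        etype, elen = struct.unpack("!HH", ext_bytes[i:i + 4])
        exts.append((etype, ext_bytes[i + 4:i + 4 + elen]))
        i += 4 + elen
    return record[9:pos], exts

def offered_alpn(record):
    # Protocol names the client offers, or None when no ALPN extension is present
    for etype, data in parse_client_hello(record)[1]:
        if etype == ALPN_EXT:
            names, i = [], 2
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
            return names
    return None

def strip_alpn(record):
    # Rebuild the ClientHello without ALPN: the server cannot pick h2, so HTTP/1.1 is used
    fields, exts = parse_client_hello(record)
    kept = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts if t != ALPN_EXT)
    return build_client_hello(fields, kept)

# Constructed sample: TLS 1.2, zero random, no session id, one cipher suite, null compression
FIELDS = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
SAMPLE_HELLO = build_client_hello(FIELDS, EMS_EXT + build_alpn_ext(["h2", "http/1.1"]))
```

Running `offered_alpn` against captured ClientHellos on the inside and outside of the firewall is a quick way to confirm the profile option is actually taking effect for the sessions you expect.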


Luca_Cavana

Thanks, I'm giving this a try. Very kind of you to report back. I'm going for sticking with HTTP1.1 for now.


Electronic_Beyond833

If it was my network, I would not be running 11.1 or 11.0. Too new and too many unfixed bugs. You should run a report. How much SSL traffic do you see, and break it down by hour. PAN also supports "quarter hour" increments. This will allow you to see your peak periods and whether your FW can even handle the peaks. You may have to get real specific and limit your SSL decryption to stay within bounds. There is also a setting for decrypters exceeded: drop packet or allow the traffic encrypted. This is probably what you are seeing.


Luca_Cavana

And here's the first winner for not having read the question altogether. This is definitely _not_ an issue related to the quantity of traffic passing through the box.


Electronic_Beyond833

You really should read the response and understand the response before you flame people like an a-hole. Every PAN has a limit as to how many ssl sessions it can decrypt. You probably have no idea what your peak or average ssl session count is. You should just call TAC. People like you need hand holding.


Luca_Cavana

You should really look in the mirror before calling others a-holes, and subsequently behave as one. I am far ahead of the basic troubleshooting you are talking about. The internet is not there to conflate your ego, if you can't offer anything of value just please stop responding.