This article addresses a problem where an administrator has set up SSL decryption on an SRX device but cannot get sessions to decrypt.
After configuring SSL decryption, sessions fail to decrypt. The output of "show security idp counters ssl-inspection" shows the failures accumulating under "Sessions Not Decrypted - No Key", as in the following example:
IDP counter type                                          Value
Packets Decrypted                                             0
Sessions Decrypted                                            0
Sessions Not Decrypted                                       50
Sessions Not Decrypted - Configuration                        0
Sessions Not Decrypted - No Key                              50
Sessions Not Decrypted - Unsupported Ciphers                  0
Sessions Not Decrypted - Unsupported Compression              0
Sessions Not Decrypted - Unsupported Key Exchange             0
Sessions Not Decrypted - Bulk Decryption Failure              0
Sessions Not Decrypted - Key Generation Failure               0
Sessions Not Decrypted - Temporary Certificate                0
Sessions Not Decrypted - Handshake Verification Failure       0
Sessions Not Decrypted - ID Cache Miss                        0
Sessions Not Decrypted - Session Limit                        0
Sessions Not Decrypted - Message Size                         0
Sessions Not Decrypted - No Memory                            0
Sessions New Key                                             50
Sessions Used Key                                             0
Session ID Cache Hits                                         0
Session ID Cache Misses                                       0
Sessions Used XLR RSA SAE for Key Decryption                  0
Sessions - Error when XLR RSA SAE used                        0
In the case of destination NAT, the cause is the ordering of services in the SRX flow: IDP is performed before destination NAT. The SSL inspection key lookup therefore uses the destination address as it appears in the client's packet, that is, the pre-NAT address. If the server key in the SRX SSL key store is bound to the post-destination-NAT (internal server) address, the lookup never matches, and every session is counted under "Sessions Not Decrypted - No Key".
The server key must be bound to the pre-destination-NAT address, the address the clients actually connect to. Because of the processing order, a key bound to any other address will never match the destination IP address seen by IDP. Use the following commands to delete the key bound to the wrong address and add it again bound to the correct one:
request security idp ssl-inspection key add
request security idp ssl-inspection key delete
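The following worked example is added here and is not part of the original article. The names, addresses and key file path are assumed: a public address 203.0.113.10 is destination-NATed to an internal HTTPS server at 10.1.1.10, the server key was first bound to the internal address (reproducing the "No Key" symptom), and the fix rebinds it to the public address. IDP and SSL inspection are assumed to be otherwise enabled and applied to the traffic already; confirm the exact operational-command syntax against the documentation for the Junos release in use.

```junos
# Destination NAT: clients connect to 203.0.113.10, the SRX rewrites it to 10.1.1.10
user@srx# set security nat destination pool web-dnat-pool address 10.1.1.10/32
user@srx# set security nat destination rule-set from-untrust from zone untrust
user@srx# set security nat destination rule-set from-untrust rule web match destination-address 203.0.113.10/32
user@srx# set security nat destination rule-set from-untrust rule web then destination-nat pool web-dnat-pool
user@srx# commit

# Wrong: the key is bound to the post-NAT address, which the IDP key lookup never sees
user@srx> request security idp ssl-inspection key add web-key file /var/tmp/web.key password "changeme" server 10.1.1.10

# Symptom (illustrative output): every SSL session is counted under "No Key"
user@srx> show security idp counters ssl-inspection | match "No Key"
Sessions Not Decrypted - No Key                              50

# Fix: remove the key and add it again bound to the pre-NAT (public) address
user@srx> request security idp ssl-inspection key delete web-key
user@srx> request security idp ssl-inspection key add web-key file /var/tmp/web.key password "changeme" server 203.0.113.10

# Verify the key-to-server binding, then generate new sessions and confirm
# that "Sessions Decrypted" increments instead of "No Key"
user@srx> show security idp ssl-inspection key
user@srx> show security idp counters ssl-inspection | match "Decrypted"
```

The check that matters is the server address shown by "show security idp ssl-inspection key": it must equal the destination address in the client's packets (the NAT rule's match address), not the pool address the rule translates to. Only new SSL sessions established after the key is rebound will be decrypted; sessions already counted under "No Key" are not retried.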