
[SRX-IDP] SSL sessions not being decrypted with destination NAT configured

Article ID: KB27296 | Last Updated: 04 Mar 2017 | Version: 2.0
Summary:
This article describes a problem where an administrator has set up SSL decryption on an SRX IDP and cannot get sessions to decrypt.
Symptoms:
An administrator may encounter a problem where, after configuring SSL decryption, sessions fail to decrypt. In the output of "show security idp counters ssl-inspection", the "Sessions Not Decrypted - No Key" counter increments, as in the following output:

IDP counter type Value
Packets Decrypted 0
Sessions Decrypted 0
Sessoins Not Decrypted 50
Sessions Not Decrypted - Configuration 0
Sessions Not Decrypted - No Key 50
Sessions Not Decrypted - Unsupported Ciphers 0
Sessions Not Decrypted - Unsupported Compression 0
Sessions Not Decrypted - Unsupported Key Exchange 0
Sessions Not Decrypted - Bulk Decryption Failure 0
Sessions Not Decrypted - Key Generation Failure 0
Sessions Not Decrypted - Temporary Certificate 0
Sessions Not Decrypted - Handshake Verification Failure 0
Sessions Not Decrypted - ID Cache Miss 0
Sessions Not Decrypted - Session Limit 0
Sessions Not Decrypted - Message Size 0
Sessions Not Decrypted - No Memory 0
Sessions New Key 50
Sessions Used Key 0
Session ID Cache Hits 0
Session ID Cache Misses 0
Sessions Used XLR RSA SAE for Key Decryption 0
Sessions - Error when XLR RSA SAE used 0


Cause:

With destination NAT, the cause is the ordering of services on the SRX: IDP processing runs before destination NAT is applied. If the post-destination-NAT (translated) server address is configured in the SRX's SSL key store, the key's IP address will not match the destination address that IDP sees, so no key is found and the session is not decrypted.

Solution:
The server key's IP address needs to be changed to the pre-destination-NAT address (the address clients connect to). Because of the processing order of services, the destination IP address that IDP sees will otherwise not match the IP address bound to the server key. Use the following commands to add or delete key-to-server bindings to fix this:

request security idp ssl-inspection key add
request security idp ssl-inspection key delete
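A worked example, added here and not part of the original article: a destination NAT rule translates the public address 203.0.113.10 to the real web server 10.1.1.10. Because IDP sees the packet before NAT, the SSL key must be bound to 203.0.113.10, not 10.1.1.10. All addresses, zone names and the key name are constructed placeholders, and the key-name/server argument order follows the SRX CLI syntax of that era.

```junos
# Destination NAT in effect (constructed example): clients connect to
# 203.0.113.10:443 and the SRX rewrites the destination to 10.1.1.10.
user@srx> show configuration security nat destination
pool web-server-pool {
    address 10.1.1.10/32 port 443;
}
rule-set untrust-to-web {
    from zone untrust;
    rule https-to-web {
        match {
            destination-address 203.0.113.10/32;
            destination-port 443;
        }
        then {
            destination-nat pool web-server-pool;
        }
    }
}

# Wrong binding: the key "web-key" (already installed from its PEM file with
# "request security idp ssl-inspection key add web-key file /var/tmp/web.key")
# is bound to the post-NAT address. IDP runs before destination NAT, so it
# looks up 203.0.113.10, finds no key, and "Sessions Not Decrypted - No Key"
# increments for every new TLS session.
user@srx> show security idp ssl-inspection key

# Fix: drop the post-NAT binding and bind the key to the pre-NAT address.
user@srx> request security idp ssl-inspection key delete web-key server 10.1.1.10
user@srx> request security idp ssl-inspection key add web-key server 203.0.113.10

# Verify the binding now shows 203.0.113.10, reset the counters, generate a
# few HTTPS sessions through the NAT rule, and confirm "Sessions Decrypted"
# rises while "Sessions Not Decrypted - No Key" stays at 0.
user@srx> show security idp ssl-inspection key
user@srx> clear security idp counters ssl-inspection
user@srx> show security idp counters ssl-inspection | match "Decrypted"
```

If the server is also reachable without NAT (for example from an internal zone), bind the same key to both the pre-NAT and the real address so both paths decrypt.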
