Handling Undecryptable Traffic
There are several characteristics that make a connection undecryptable. If a connection has any of the following characteristics, the default action is applied to the connection regardless of any rule the connection would otherwise match. If you select Block as your default action (rather than Do Not Decrypt), you might run into issues, including excessive drops of legitimate traffic.
-
Compressed session—Data compression was applied to the connection.
-
SSLv2 session—The minimum supported SSL version is SSLv3.
-
Unknown cipher suite—The system does not recognize the cipher suite for the connection.
-
Unsupported cipher suite—The system does not support decryption based on the detected cipher suite.
-
Session not cached—The SSL session has session reuse enabled, the client and server reestablished the session with the session identifier, and the system did not cache that session identifier.
-
Handshake errors—An error occurred during the SSL handshake negotiation.
-
Decryption errors—An error occurred during the decryption operation.
-
Passive interface traffic—All traffic on passive interfaces (passive security zones) is undecryptable.