The Session End Reason column in Traffic logs now includes additional end reasons pertaining to terminated SSL/SSH sessions. You can use this information to troubleshoot access issues for internal users requesting external services or for external users requesting internal services. If a session ends for multiple reasons, the field displays only the highest priority reason based on the following list, where the first reason in the list is the highest priority (the decrypt- prefix indicates an SSL/SSH session end reason): threat, policy-deny, decrypt-cert-validation, decrypt-unsupport-param, decrypt-error, tcp-rst-from-client, tcp-rst-from-server, resources-unavailable, tcp-fin, tcp-reuse, decoder, aged-out, and unknown.
Diagnose SSL/SSH Session Terminations
The SSL/SSH session end reasons indicate that a session ended because you configured a firewall decryption rule with a Decryption Profile that blocks SSL forward proxy decryption or SSL inbound inspection when one (or more) of the following conditions occurs:
SSL/SSH session end reasons and the conditions that produce them:

decrypt-cert-validation: The session used client authentication or used a server certificate with one or more of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason is also displayed when the server certificate produced a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).

decrypt-unsupport-param: The session used an unsupported protocol version, cipher, or SSH algorithm. This session end reason is also displayed when the session produced a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.

decrypt-error: Firewall resources or the hardware security module (HSM) were unavailable for the session. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
Monitor SSL/SSH Session Termination Events
To see session end reasons, select Monitor > Logs > Traffic and check the Session End Reason column.
To configure a custom report that lists SSL/SSH session termination events, perform the following steps.
1. Configure the report parameters.
   - Select Monitor > Manage Custom Reports and Add a new report.
   - Enter a Name for the report.
   - In the Database drop-down, under Detailed Logs, select Traffic Log.
   - Select Scheduled to automatically run the report each night.
   - In the Available Columns list, double-click Session_end_reason and any other columns you want the report to include.

2. Configure queries if you want to filter the report. This example shows how to configure the report to display only SSL/SSH session termination events, as shown in the following screen capture. Perform the following steps for each SSL/SSH session end reason:
   - Set the Connector to or.
   - Set the Attribute to Session End Reason.
   - Set the Operator to equal.
   - Set the Value to an SSL/SSH session end reason.
   - Add the query to the Query Builder field.

3. Test and save the report.
   - Click Run Now to test the report settings; a new tab within the dialog displays the report.
   - Modify the settings as needed, then click OK and Commit.
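The same filtering can be done offline against an exported traffic log. The following added example (not part of the PAN-OS documentation) applies the end-reason priority list from the introduction, tallies the decrypt-* reasons from a constructed, simplified CSV export, and builds the equivalent of the Query Builder filter; the CSV layout and the textual filter syntax are assumptions, not the product's documented formats.

```python
"""Tally SSL/SSH decrypt-* session end reasons from an exported traffic log.

Added example, not part of the PAN-OS documentation. The CSV layout below is
a constructed, simplified stand-in for a traffic log export; real exports carry
many more columns, so the session_end_reason column is looked up by name.
"""
import csv
import io
from collections import Counter

# Priority order from the documentation: the first matching entry is the one
# reason the firewall writes to the log when a session ends for several.
END_REASON_PRIORITY = [
    "threat", "policy-deny", "decrypt-cert-validation", "decrypt-unsupport-param",
    "decrypt-error", "tcp-rst-from-client", "tcp-rst-from-server",
    "resources-unavailable", "tcp-fin", "tcp-reuse", "decoder", "aged-out", "unknown",
]
DECRYPT_REASONS = [r for r in END_REASON_PRIORITY if r.startswith("decrypt-")]

# Constructed sample rows, not real log data.
SAMPLE_CSV = """receive_time,src,dst,app,session_end_reason
2024/01/01 10:00:01,10.0.0.5,203.0.113.10,ssl,decrypt-cert-validation
2024/01/01 10:00:02,10.0.0.6,203.0.113.11,ssl,tcp-fin
2024/01/01 10:00:03,10.0.0.7,203.0.113.12,ssh,decrypt-unsupport-param
2024/01/01 10:00:04,10.0.0.5,203.0.113.10,ssl,decrypt-cert-validation
2024/01/01 10:00:05,10.0.0.8,203.0.113.13,ssl,decrypt-error
"""

def highest_priority_reason(reasons):
    """Return the single reason the firewall would log for a set of reasons.
    An empty set falls through to 'unknown', the lowest-priority value."""
    ranked = [r for r in END_REASON_PRIORITY if r in reasons]
    return ranked[0] if ranked else "unknown"

def decrypt_termination_counts(csv_text):
    """Count rows whose session_end_reason is one of the decrypt-* values."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = row["session_end_reason"].strip()
        if reason in DECRYPT_REASONS:
            counts[reason] += 1
    return dict(counts)

def build_report_query(reasons=DECRYPT_REASONS):
    """Text equivalent of the Query Builder steps: (attribute eq value) terms
    joined with 'or'. The exact filter syntax is an assumption."""
    return " or ".join(f"(session_end_reason eq {r})" for r in reasons)
```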