Cut-through rules configured in SSL Visibility 4.x that use the unsupported-sites list or custom Domain Name Lists may not match. The traffic is then decrypted, which results in an error message in the SSL Session Log.
SSL Visibility 4.x does not match cut-through rules if the X.509 certificate is invalid. In some cases the sites in the unsupported-sites list are not configured to send the full certificate chain, causing the certificate to be considered invalid due to an Incomplete Chain. This results in a mismatch on the unsupported-sites entry. One such site that Symantec is aware of is courier.push.apple.com.
To successfully cut through traffic to courier.push.apple.com, do one of the following, in order of preference:
1. Add the Server Certificate to the Trusted Certificate List
2. Create a new External Certificate Authorities list with the intermediate and root CAs
3. Starting in 126.96.36.199, a new option to "Ignore Certificate Status" was introduced. This allows the SSLV to cut through a flow even if the certificate status is not valid. See ArticleID: 176095 for more details.
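
The incomplete-chain condition and the first two remedies above can be reproduced offline with the `openssl` command-line tool. This is an added example, not Symantec's code: OpenSSL's verifier stands in for the appliance's certificate check, and the three-certificate PKI, file names and helper functions are all constructed for illustration.

```shell
# Added example: constructed PKI (root -> intermediate -> leaf); every name is made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal config so the run does not depend on a system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF

# mkreq NAME SUBJECT: create NAME.key and NAME.csr.
mkreq() {
  openssl req -config "$WORK/pki.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
# sign NAME ISSUER [x509 options]: issue NAME.pem with ISSUER's key.
sign() {
  name=$1; issuer=$2; shift 2
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
    -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 \
    -out "$WORK/$name.pem" "$@" 2>/dev/null
}
build_pki() {
  mkreq root "/CN=Constructed Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/pki.cnf" -extensions ca -out "$WORK/root.pem" 2>/dev/null
  mkreq int "/CN=Constructed Intermediate CA"
  sign int root -extfile "$WORK/pki.cnf" -extensions ca
  mkreq leaf "/CN=leaf.example.test"
  sign leaf int
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root_and_int.pem"
}
# chain_status [verify options]: validate leaf.pem and print the resulting status.
chain_status() {
  out=$(openssl verify "$@" "$WORK/leaf.pem" 2>&1) || true
  case "$out" in
    *": OK"*) echo valid ;;
    *"unable to get local issuer certificate"*) echo incomplete-chain ;;
    *) echo invalid ;;
  esac
}

build_pki
echo "leaf only, root trusted:        $(chain_status -CAfile "$WORK/root.pem")"
echo "server also sends intermediate: $(chain_status -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem")"
echo "root + intermediate in CA list: $(chain_status -CAfile "$WORK/root_and_int.pem")"
echo "leaf itself trusted:            $(chain_status -partial_chain -CAfile "$WORK/leaf.pem")"
```

The first case is the failure described above: the leaf is sound, but the verifier cannot reach a trusted root because the server did not supply the intermediate. The last two cases correspond to remedies 2 and 1 respectively.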