Users are not able to connect to common Web Applications such as Google, OWA, Teams, Outlook via WSS
Traffic is going through Palo Alto IPSEC firewall into WSS using Trans-Proxy access method
Reports show that most requests from affected users carry a 'connect_method_denied' verdict
Problem only started last day or so
Palo Alto firewall dropping responses from WSS
Palo Alto firewall running version 8.1.12
IPSEC tunnel into WSS
PAC file pushed down to user to point to trans-proxy endpoint (126.96.36.199:80)
Upgrade to latest version of Palo Alto Firewall OS (this problem was caused by a bug in version 8.1.12).
The problem can be worked around on older Palo Alto code bases by applying the following firewall command, which disables the option that triggered the issue:
set system setting ctd nonblocking-pattern-match disable
HTTP logs from WSS showed the 'connect_method_denied' verdict for all user requests, with a time taken of 30 seconds. This 30 second timeout is triggered when the client fails to complete the SSL handshake within that timeframe.
PCAPs from the user showed that each HTTP CONNECT request failed to receive a 200 'Connection established' response from WSS; this triggered resets, and the host never saw the expected 200 status.
PCAPs from the firewall showed that it did receive the 200 status response from WSS, but never received the expected TLS client_hello message that normally follows connection establishment.
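A small triage script for the log signature described above (denied CONNECTs with a time taken of about 30 seconds, per client), added here as an example and not part of the original article; the access-log field layout and the sample lines are constructed assumptions, so the regex must be adapted to the real WSS export format.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed, simplified access-log layout:
# <client_ip> <method> <host:port> <status> <verdict> <time_taken_ms>
# (the real WSS schema has more fields; the parser keys on these six only)
SAMPLE_LOG = """\
10.1.2.3 CONNECT outlook.office365.com:443 0 connect_method_denied 30002
10.1.2.3 CONNECT teams.microsoft.com:443 0 connect_method_denied 30011
10.1.2.3 CONNECT www.google.com:443 0 connect_method_denied 29998
10.1.2.4 CONNECT mail.example.com:443 200 allowed 87
10.1.2.4 CONNECT outlook.office365.com:443 0 connect_method_denied 30005
10.1.2.5 GET http://www.example.com/ 200 allowed 12
"""
LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+"
                     r"(?P<status>\d+)\s+(?P<verdict>\S+)\s+(?P<ms>\d+)$")
# The article ties the denied verdict to a ~30 s time taken: the proxy sent
# its 200 but timed out waiting for the TLS client_hello that never arrived.
HANDSHAKE_TIMEOUT_MS = 30000

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["ms"] = int(rec["status"]), int(rec["ms"])
    return rec

def is_handshake_timeout(rec, slack_ms=500):
    """CONNECT denied with time taken within slack of 30 s: the article's pattern."""
    return (rec["method"] == "CONNECT"
            and rec["verdict"] == "connect_method_denied"
            and abs(rec["ms"] - HANDSHAKE_TIMEOUT_MS) <= slack_ms)

def triage(log_text):
    """Per client IP: (total CONNECTs, CONNECTs matching the 30 s denied pattern)."""
    per_client = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue  # skip malformed lines and non-CONNECT traffic
        per_client[rec["client"]][0] += 1
        per_client[rec["client"]][1] += int(is_handshake_timeout(rec))
    return {c: tuple(v) for c, v in per_client.items()}

def affected_clients(log_text, min_ratio=0.5):
    """Clients whose CONNECTs mostly fail this way: check their path through the firewall."""
    return sorted(c for c, (total, bad) in triage(log_text).items()
                  if bad / total >= min_ratio)
```

Clients returned by affected_clients are the ones whose PCAPs are worth comparing against the firewall-side capture, since a 200 seen at the firewall but not at the host points at the firewall path rather than at WSS.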