You want to know why do you see in SSLV Session Logs "TLS_CLIENT:Unexpected extension" and rule decrypt is failing
If you look what extensions Client Hello is sending
Server Hello is sending extra extension that Client Hello didn't send it. In that case Client will send alert TLS_CLIENT:Unexpected extension
According to RFC
In the TLS 1.2 RFC Section 7.4.1.4 [rfc-editor.org] it says the following:
An extension type MUST NOT appear in the ServerHello unless the same extension type appeared in the corresponding ClientHello. If a client receives an extension type in ServerHello that it did not request in the associated ClientHello, it MUST abort the handshake with an unsupported_extension fatal alert.
For TLSv1 and TLSv1.1 look to RFC 3546 which applies to both versions.
Note that for all extension types (including those defined in future), the extension type MUST NOT appear in the extended server hello unless the same extension type appeared in the corresponding client hello. Thus clients MUST abort the handshake if they receive an extension type in the extended server hello that they did not request in the associated (extended) client hello.
Section 4: Error Alerts [rfc-editor.org]
"unsupported_extension" - this alert is sent by clients that receive an extended server hello containing an extension that they did not put in the corresponding client hello (see Section 2.3). This message is always fatal.