Symptom
Some decryption policy and access control policy rules (for example, URL or Application rules) need the server certificate to be present in the cache for accurate rule evaluation. When the server certificate is not yet cached, SSL traffic (for example, TLS 1.3 or TLS 1.2 connections) is not decrypted until the server certificate has been cached.
Conditions
FTDv/FMCv with Geneve tunnel interface in AWS GWLB configuration
For example, Access Control or Decryption Policies that contain URL or Application rules, with TLS Server Identity Discovery enabled, where the server certificate is not in the cache.
TLS 1.3 decryption is not enabled by default in versions prior to 7.3 (for example, 7.2.4). The TLS probe will still time out when a probe is needed and the TLS Server Identity Discovery feature is enabled.
Workaround
Policies > Access Control > Advanced Settings > TLS Server Identity Discovery: set to Disable
Further Problem Description
If the TLS Server Identity Discovery feature is enabled, the TLS probe will time out and the PROBE_FLOW_DROP_BYPASS_PROXY counter will increment in the output of show counters.
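To confirm the symptom on a running device, compare two snapshots of show counters and check whether PROBE_FLOW_DROP_BYPASS_PROXY is climbing. The script below is an added example, not part of this bug record or of the product; the column layout, the "SSL" protocol column and the sample values are constructed assumptions, so adjust the regex to the actual output.

```python
import re
from typing import Dict, Tuple

# Assumed row layout: "Protocol  Counter  Value  Context" (constructed, not
# verified against the platform). The header row fails the \d+ match and is skipped.
COUNTER_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
PROBE_COUNTER = "PROBE_FLOW_DROP_BYPASS_PROXY"

Key = Tuple[str, str, str]  # (protocol, counter, context)


def parse_counters(text: str) -> Dict[Key, int]:
    """Map (protocol, counter, context) -> value for every counter row in a snapshot."""
    counters: Dict[Key, int] = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            proto, name, value, ctx = m.groups()
            counters[(proto, name, ctx)] = int(value)
    return counters


def counter_deltas(before: str, after: str, name: str = PROBE_COUNTER) -> Dict[Key, int]:
    """Return only the positive increases of counters called `name` between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a if k[1] == name and a[k] - b.get(k, 0) > 0}


def probe_timeouts_detected(before: str, after: str) -> bool:
    """True when the probe-drop counter incremented, i.e. TLS probes are timing out."""
    return bool(counter_deltas(before, after))


# Constructed sample snapshots (not real device output). IN_PKTS also grows,
# which shows that unrelated counters are filtered out of the result.
SNAPSHOT_BEFORE = """Protocol      Counter                        Value   Context
IP            IN_PKTS                        104233  Summary
SSL           PROBE_FLOW_DROP_BYPASS_PROXY   12      Summary
"""
SNAPSHOT_AFTER = """Protocol      Counter                        Value   Context
IP            IN_PKTS                        109877  Summary
SSL           PROBE_FLOW_DROP_BYPASS_PROXY   29      Summary
"""

if __name__ == "__main__":
    for key, delta in counter_deltas(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{key[1]} ({key[0]}, {key[2]}) increased by {delta}: TLS probes are timing out")
```

Run it against the before/after outputs collected a minute or so apart; a non-empty result matches the failure described above, and the counter should stop increasing once TLS Server Identity Discovery is disabled.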