Issues connecting to *.sophosupd.com "Server did not respond to client hello"

Our Intercept X clients sometimes cannot connect to the Sophos servers at sophosupd.com. The XG Firewall shows that the server is not responding: "Server did not respond to client hello".

Servers:
d1.sophosupd.com
d2.sophosupd.com
dci.sophosupd.com

This only happens where the Sophos server is using TLS 1.3; when the servers use TLS 1.2, it works.

Any hot tip on this?

Where it works: TLS1.2

SSL/TLS inspection
2021-07-03 09:23:39
messageid="19004" log_type="SSL" log_component="SSL" log_subtype="Do not decrypt" severity="Information" user="" src_ip="xxxxxxx00" dst_ip="184.30.25.172" user_group="" src_country="R1" dst_country="DEU" src_port="49955" dst_port="443" app_name="" app_id="0" category="Software Updates" category_id="68" con_id="1409813312" rule_id="0" profile_id="1" rule_name="System exclusions" profile_name="Maximum compatibility" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="57:53:a4:dd:20:2f:fc:86:55:b9:20:37:45:39:d3:83:41:5f:a0:58" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" sni="d1.sophosupd.com" tls_version="TLS1.2" reason="" exception="" message=""
SSL/TLS inspection
2021-07-03 09:22:45
messageid="19004" log_type="SSL" log_component="SSL" log_subtype="Do not decrypt" severity="Information" user="" src_ip="xxxxxx28" dst_ip="184.30.25.172" user_group="" src_country="R1" dst_country="DEU" src_port="50277" dst_port="443" app_name="" app_id="0" category="Software Updates" category_id="68" con_id="1399071040" rule_id="0" profile_id="1" rule_name="System exclusions" profile_name="Maximum compatibility" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="57:53:a4:dd:20:2f:fc:86:55:b9:20:37:45:39:d3:83:41:5f:a0:58" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sni="d1.sophosupd.com" tls_version="TLS1.2" reason="" exception="" message=""

Where it does not work: TLS1.3

SSL/TLS inspection
2021-07-03 09:26:00
messageid="19017" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="" src_ip="xxxxxx23" dst_ip="184.30.25.172" user_group="" src_country="R1" dst_country="DEU" src_port="51224" dst_port="443" app_name="" app_id="0" category="Software Updates" category_id="68" con_id="1400079296" rule_id="0" profile_id="1" rule_name="System exclusions" profile_name="Maximum compatibility" bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_AES_256_GCM_SHA384" sni="d1.sophosupd.com" tls_version="TLS1.3" reason="Server did not respond to client hello" exception="" message=""
SSL/TLS inspection
2021-07-03 09:24:56
messageid="19017" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="" src_ip="xxxxx23" dst_ip="184.30.25.172" user_group="" src_country="R1" dst_country="DEU" src_port="51216" dst_port="443" app_name="" app_id="0" category="Software Updates" category_id="68" con_id="2623893888" rule_id="0" profile_id="1" rule_name="System exclusions" profile_name="Maximum compatibility" bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_AES_256_GCM_SHA384" sni="d1.sophosupd.com" tls_version="TLS1.3" reason="Server did not respond to client hello" exception="" message=""

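The TLS 1.2 versus TLS 1.3 pattern described in this thread can be checked over a log export with a short script. This is an added example, not part of any post: the sample lines are constructed and abbreviated in the key="value" layout of the quoted log lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (abbreviated) in the key="value" layout of the
# firewall log lines quoted in the post; addresses are documentation ranges.
SAMPLE_LOG = """\
messageid="19004" log_type="SSL" log_subtype="Do not decrypt" src_ip="192.0.2.10" dst_ip="203.0.113.5" rule_name="System exclusions" sni="d1.sophosupd.com" tls_version="TLS1.2" reason=""
messageid="19004" log_type="SSL" log_subtype="Do not decrypt" src_ip="192.0.2.11" dst_ip="203.0.113.5" rule_name="System exclusions" sni="d1.sophosupd.com" tls_version="TLS1.2" reason=""
messageid="19017" log_type="SSL" log_subtype="Error" src_ip="192.0.2.23" dst_ip="203.0.113.5" rule_name="System exclusions" sni="d1.sophosupd.com" tls_version="TLS1.3" reason="Server did not respond to client hello"
messageid="19017" log_type="SSL" log_subtype="Error" src_ip="192.0.2.23" dst_ip="203.0.113.5" rule_name="System exclusions" sni="d2.sophosupd.com" tls_version="TLS1.3" reason="Server did not respond to client hello"
2021-07-03 09:26:00
"""


def parse_line(line):
    """Return the key="value" fields of one log line, or None if it is not an SSL record."""
    fields = dict(FIELD_RE.findall(line))
    return fields if fields.get("log_type") == "SSL" else None


def tally(log_text):
    """Count ok/error records and collect client IPs per (sni, tls_version)."""
    stats = defaultdict(lambda: {"ok": 0, "error": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # timestamps, viewer headings, blank lines
        entry = stats[(rec.get("sni", ""), rec.get("tls_version", ""))]
        entry["error" if rec.get("log_subtype") == "Error" else "ok"] += 1
        entry["clients"].add(rec.get("src_ip", ""))
    return dict(stats)


def version_dependent_failures(stats):
    """SNIs where one TLS version only ever fails while another version succeeds."""
    by_sni = defaultdict(dict)
    for (sni, version), entry in stats.items():
        by_sni[sni][version] = entry
    flagged = {}
    for sni, versions in by_sni.items():
        works = sorted(v for v, e in versions.items() if e["ok"] and not e["error"])
        fails = sorted(v for v, e in versions.items() if e["error"] and not e["ok"])
        if works and fails:
            clients = sorted(set().union(*(versions[v]["clients"] for v in fails)))
            flagged[sni] = {"works": works, "fails": fails, "failing_clients": clients}
    return flagged


if __name__ == "__main__":
    for sni, info in version_dependent_failures(tally(SAMPLE_LOG)).items():
        print(sni, info)
```

A server name that only ever fails, such as d2 in the constructed sample, is not flagged because the data contains no working TLS version to compare against. The failing client list shows which endpoints to compare with those that connect successfully.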

  • I also see this. I have only two endpoints at this point and both of them get this error while connecting to one of the *.sophosupd.com servers. If I go to the machines and open Sophos Endpoint, it reports that it is up to date and shows regular update/status messages that all look good.

    So I assume it's a transient error that sometimes occurs, but I was just about to post something about this myself. It's a little disturbing when an endpoint is apparently trying to update and can't. (Though, again, the endpoint itself doesn't report any issues and appears up to date, so...)

  • I want to push this once more.

    On our XG Firewall 18.0 MR5, in the SSL DPI logs, I can still see these TLS 1.3 issues.

    But only from our Ubuntu Servers with Intercept-X installed and connecting only to those Sophos Update servers:

    d1.sophosupd.com
    d2.sophosupd.com

    Found this for the following OS:

    Ubuntu 18.04.5 LTS
    Ubuntu 20.04.3 LTS
    Installed Versions:
    Sophos Linux AntiVirus 1.0.3.13
    Sophos Linux Base Component 1.1.7.7
    Sophos Linux Live Response 1.2.2.12
    Sophos Live Discover Plugin 1.1.2.20

    Any suggestion how to fix it?

    Why are the Linux clients acting differently, using TLS 1.3 and failing, while Windows servers and clients use 1.2 and don't fail? It looks like the server is actually serving on TLS 1.3.

    The Domain is in the Sophos-managed Exclusion list:
