
Firefox (especially Gmail) cannot complete some requests: no responses are returned (zero bytes), assume that because of Endpoint Agent

It is almost impossible to use Gmail (mail.google.com) in Firefox. There are no problems in Chrome on the same machine.

In the browser developer console / Network tab I see that some requests are without responses (zero-byte responses). Some fail with SSL_ERROR_BAD_MAC_ALERT.

The Gmail app constantly shows a yellow warning: "Ups... the system encountered a problem. Retrying in ...". The "Retry now" link doesn't help.

Similar errors discussed recently: https://community.sophos.com/sophos-central/f/discussions/133650/ssl_error_bad_mac_alert-pr_end_of_file_error



This thread was automatically locked due to age.
  • Restarting the browser helps. But the problem could re-appear in just 5 minutes!

  • Is this Windows?

    I assume this behaviour has to be related to web protection and control, is that the case? 

    If it's Windows, do you have a process called SophosNetFilter.exe?  If so, you are using "modern web" and the new endpoint architecture which is capable of HTTP decryption.

    The question then is, do you have HTTP decryption enabled?  At the client you can check in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection

    https_decrypt_enabled = 1 or 0

    To rule out Web Protection and Control, you can disable web protection and control by disabling in the Threat Protection policy:

    and if you have Web Control enabled in the Web Control policy you can disable that. Once the policy arrives at the client, the SophosNetFilter.exe process will terminate.

  • I see process SophosNetFilter.exe.

    In c:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log I see lots of HTTPS URLs. This means Sophos decrypts secure connections from the browser...

    https_decrypt_enabled is 1.

    I see 2 other options that might correspond to the mentioned UI elements: web_filtering_enabled & web_scanning_enabled

    I'm not sure if my admin will be happy with disabling: from the documentation it is about restricting access to Leisure/Social sites.

    Neither I nor the admin can confirm that Sophos is the culprit of the broken Gmail: we cannot find traces showing that it is exactly Sophos that blocks access to some of Google's URLs...

    Google Translate is in the list of forbidden sites, so probably there are some policies that affect some of Google's offerings. The documentation refers to so-called "web site categories" - some category could damage the corporate Gmail offering.

    If Chrome works fine, that means the Sophos agent trusts that browser and doesn't interfere with its operation... It is a pity that only Firefox suffers...

  • As a test, I would ask the Sophos admin to create a new Threat Protection policy and link it to either your computer or user.  In that policy disable decryption:

    https_decrypt_enabled will get set to 0.  Do you see the same issue?  At least you'll know this feature is of interest.

    It is worth mentioning that in the global settings, the default is:

    I.e. Web-based email category websites aren't decrypted by default but it could be a resource from a domain that isn't classified as such?

    In any case, ruling decryption in/out as the issue is probably the first test.

  • Thx! We will try it in the meantime.

    Just now I found a Sophos certificate in the Firefox developer console / Network tab. It is on some failed requests but not all: the majority of requests have Google's certificates. So Sophos intercepts only part of the requests. That could explain why the problem is volatile, not permanent.

  • If you do find that disabling decryption helps, you could always try re-enabling it then add the domains you see in the network view with issues to the exemptions from decryption in the global settings to see if that helps.
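
A way to collect the candidate domains for that exemption test, as an added example that is not part of the original thread: it reads a HAR file exported from the browser's Network tab and lists the HTTPS hosts whose requests got no response. The sample data is constructed, and treating status 0 as "no response" is an assumption about how the browser writes the export.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed HAR 1.2 sample (not taken from the thread). Assumption: the
# browser records a request that got no HTTP response with status 0.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://mail.google.com/mail/u/0/"},
     "response": {"status": 200, "bodySize": 51234}},
    {"request": {"url": "https://mail.google.com/sync/u/0/i/s"},
     "response": {"status": 0, "bodySize": 0}},
    {"request": {"url": "https://mail.google.com/sync/u/0/i/bv"},
     "response": {"status": 0, "bodySize": 0}},
    {"request": {"url": "https://static.example.com/app.js"},
     "response": {"status": 200, "bodySize": 9000}},
    {"request": {"url": "https://api.example.com/log"},
     "response": {"status": 204, "bodySize": 0}},   # empty but valid
    {"request": {"url": "https://api.example.com/poll"},
     "response": {"status": 0, "bodySize": -1}},
    {"request": {"url": "http://plain.example.com/"},
     "response": {"status": 0, "bodySize": 0}},     # not HTTPS, skipped
]}})


def failed_https_hosts(har_text):
    """Return [(host, failed, total)] for HTTPS hosts with at least one
    request that got no response, most failures first."""
    stats = defaultdict(lambda: [0, 0])  # host -> [failed, total]
    for entry in json.loads(har_text)["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if url.scheme != "https" or not url.hostname:
            continue  # decryption only concerns HTTPS traffic
        response = entry.get("response") or {}
        stats[url.hostname][1] += 1
        # Only status 0 counts as "no response"; a 204 with an empty body
        # is a normal reply and must not end up on the exemption list.
        if response.get("status", 0) == 0:
            stats[url.hostname][0] += 1
    rows = [(host, f, t) for host, (f, t) in stats.items() if f]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for host, failed, total in failed_https_hosts(SAMPLE_HAR):
        print(f"{host}: {failed}/{total} requests without a response")
```

The failed/total ratio per host also shows whether failures are intermittent, which matches the observation that only part of the requests are intercepted.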

  • I must say, I cannot reproduce this problem. I'm using FF v99.0.1 (64-bit) on Win 11. I've tried with and without the "SSL/TLS decryption of HTTPS websites" option. I uncheck the "Web-based E-mail" option to exempt inspection.

    I've been clicking around Google Mail for 30 mins without issue.

  • I did find one way to "break" Firefox with Web Protection / Control enabled with inspection turned on as detailed in the scenario I mention here:

    Mozilla Firefox Trouble with Google Gmail web based access - Feedback & Issues - Endpoint EAP - Sophos Community

    It revolved around the SophosNetFilter.exe process restarting.  I.e. it's working fine, the SophosNetFilter.exe restarts as I mention, then the next request fails.
