BUG - SSL/TLS Inspection seems to break Honeywell smart devices

I've noticed this behavior with both EAP 2 and now EAP 3. When SSL/TLS inspection is enabled Honeywell smart thermostats cannot connect to the internet. The only way they can connect is buy going the SSL/TLS inspection rules, SSL/TLS Inspection settings, advanced settings, and completely disabling the inspection (disable only when troubleshooting).

None of the default SSL/TLS inspection rules are configured to decrypt data.

Logs noticed in the webfilter when the issue is occurring is below.

2019-12-18 17:51:19Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="10" user="" user_group="" web_policy_id="13" web_policy="" category="" category_type="Acceptable" url="" content_type="" override_token="" response_code="" src_ip="x.x.x.x-internal IP" dst_ip="199.62.84.152" protocol="TCP" src_port="57393" dst_port="443" bytes_sent="0" bytes_received="0" domain="" exception="" activity_name="" reason="HTTP parsing error encountered." user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="0" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

  • In reply to MichaelBolton:

    Thanks.  So even though they are controlled by different variables (snort is "more correct" than the proxy) the results are the same.

    There is something against spec in the traffic from the IoT devices which both proxy and DPI do not like.  Since this is not a regression issue, it is currently low priority for investigation - especially as the investigation will most likely just confirm that they are non-spec in a way we don't want to allow.  There is a workaround - setting the global flag.

     

    The issue of traffic going to DPI when it should be going to proxy has been reproduced and sent to the firewall team, who is responsible for that decision.

  • In reply to Michael Dunn:

    Thanks for the info and the help. Let me know if you guys want packet captures or any other info to help when it comes time to look into it further.

  • 1) There is a known issue with "Use proxy instead of DPI mode" not being respected when Web Filter=None. This is being worked on for GA.

    2) There is a known issue with handling and logging of unscannable traffic. This is also being looked at, post-GA

    The traffic is on port 443 and matches a Firewall Rule for DPI mode and matches an TLS Rule Do Not decrypt rule.
    The sslx system does not recognize it as an TLS handshake, or there is something invalid about it.
    The sslx system, not being able to handle it, passes it to the HTTP parser hoping it can.
    The HTTP parser does not recognize it as plaintext HTTP and logs an error "HTTP parsing error encountered"

    Therefore it might appear to an administrator that the "Do not decrypt" was ignored, that it was decrypted and had trouble with the data after. In fact, what occurs is that neither the SSL system nor the HTTP system could parse the packets.

    Therefore some/most "HTTP parsing error encountered" in the log is actually a failure in handling the SSL handshake.

    In v18.0 EAP3 and most likely in v18 GA if you are in this scenario:
    proxy mode - In Web > General Settings > turn Block Unrecognized SSL Protocols off.
    DPI mode - In the command line (not ssh) use 'set http relay_invalid_http traffic on'

    This may change post-GA.