SSL Inspection Microsoft Stream: Server did not respond to client hello

Hello Community,

I have a problem with Microsoft Stream if SSL Inspection is enabled. Some streams won't start. If I look into the SSL log, I see the error message "Server did not respond to client hello" for host streameuwe1su051.azureedge.net. I built exceptions and firewall rules for streameuwe1su051.azureedge.net, but nothing helps except completely disabling SSL inspection under "Advanced Settings". If SSL Inspection is disabled, the stream starts. With SSL Inspection enabled I get this error message:

messageid="19017" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="" src_ip="192.168.183.12" dst_ip="152.199.19.161" user_group="" src_country="R1" dst_country="USA" src_port="62351" dst_port="443" app_name="" app_id="0" category="Information Technology" category_id="29" con_id="2531167360" rule_id="1" profile_id="1" rule_name="Exclusions by website or category" profile_name="Maximum compatibility" bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="" sni="streameuwe1su051.azureedge.net" tls_version="Unknown" reason="Server did not respond to client hello" exception="av,https,validation,policy,zero-day protection" message=""

I had this problem with the 18.0.5 and 18.5.1 firmware. Does anybody have a hint for me?

Thanks,

Ben

  • Check the tcpdump and verify that the server actually answers any of those packets. There is little chance of a packet being changed by the DPI if it is not decrypted. Hence, if DPI is enabled but nothing is decrypted, it should get an answer from the server.

  • Hi,

    I can see communication between the client and the server, but there is a gap of about 10 seconds (09:50:27 to 09:50:37) where the client is not responding. At least the server sends an "ICMP ip reassembly time exceeded" message.

    Ben

    09:50:27.259896 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [SEW], seq 3100857055, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:50:27.269902 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [S.], seq 2732898407, ack 3100857056, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    09:50:27.270090 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [.], ack 1, win 1026, length 0
    09:50:27.270582 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    09:50:27.270583 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [P.], seq 1461:1509, ack 1, win 1026, length 48
    09:50:27.270695 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [.], ack 1461, win 128, length 0
    09:50:27.270817 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [.], ack 1509, win 128, length 0
    09:50:37.260921 PortE0, IN: IP 192.168.183.12.53444 > 152.199.19.161.https: Flags [SEW], seq 1665795671, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:50:37.270810 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.53444: Flags [S.], seq 2453962121, ack 1665795672, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    09:50:37.271048 PortE0, IN: IP 192.168.183.12.53444 > 152.199.19.161.https: Flags [.], ack 1, win 1026, length 0
    09:50:37.271495 PortE0, IN: IP 192.168.183.12.53444 > 152.199.19.161.https: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    09:50:37.271495 PortE0, IN: IP 192.168.183.12.53444 > 152.199.19.161.https: Flags [P.], seq 1461:1509, ack 1, win 1026, length 48
    09:50:37.271607 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.53444: Flags [.], ack 1461, win 128, length 0
    09:50:37.271741 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.53444: Flags [.], ack 1509, win 128, length 0
    09:50:47.261467 PortE0, IN: IP 192.168.183.12.51363 > 152.199.19.161.https: Flags [SEW], seq 3920473857, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:50:47.271664 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.51363: Flags [S.], seq 3771257877, ack 3920473858, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    09:50:47.271903 PortE0, IN: IP 192.168.183.12.51363 > 152.199.19.161.https: Flags [.], ack 1, win 1026, length 0
    09:50:47.272370 PortE0, IN: IP 192.168.183.12.51363 > 152.199.19.161.https: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    09:50:47.272370 PortE0, IN: IP 192.168.183.12.51363 > 152.199.19.161.https: Flags [P.], seq 1461:1509, ack 1, win 1026, length 48
    09:50:47.272593 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.51363: Flags [.], ack 1461, win 128, length 0
    09:50:47.272807 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.51363: Flags [.], ack 1509, win 128, length 0
    09:50:57.262221 PortE0, IN: IP 192.168.183.12.57339 > 152.199.19.161.https: Flags [SEW], seq 890089265, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:50:57.270795 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [F.], seq 1509, ack 1, win 1026, length 0
    09:50:57.270903 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [.], ack 1510, win 128, length 0
    09:50:57.272190 PortE0, IN: IP 192.168.183.12.54283 > 152.199.19.161.https: Flags [SEW], seq 4069354955, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:50:57.272344 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.57339: Flags [S.], seq 1213195411, ack 890089266, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    09:50:57.272503 PortE0, IN: IP 192.168.183.12.57339 > 152.199.19.161.https: Flags [.], ack 1, win 1026, length 0
    09:50:57.273041 PortE0, IN: IP 192.168.183.12.57339 > 152.199.19.161.https: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    09:50:57.273041 PortE0, IN: IP 192.168.183.12.57339 > 152.199.19.161.https: Flags [P.], seq 1461:1509, ack 1, win 1026, length 48
    09:50:57.273187 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.57339: Flags [.], ack 1461, win 128, length 0
    09:50:57.273309 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.57339: Flags [.], ack 1509, win 128, length 0
    09:50:57.282585 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.54283: Flags [S.], seq 3678135614, ack 4069354956, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    09:50:57.282802 PortE0, IN: IP 192.168.183.12.54283 > 152.199.19.161.https: Flags [.], ack 1, win 1026, length 0
    09:50:57.283308 PortE0, IN: IP 192.168.183.12.54283 > 152.199.19.161.https: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    09:50:57.283308 PortE0, IN: IP 192.168.183.12.54283 > 152.199.19.161.https: Flags [P.], seq 1461:1509, ack 1, win 1026, length 48
    09:50:57.283409 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.54283: Flags [.], ack 1461, win 128, length 0
    09:50:57.283519 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.54283: Flags [.], ack 1509, win 128, length 0
    09:50:58.599814 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:02.696156 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:07.271500 PortE0, IN: IP 192.168.183.12.53444 > 152.199.19.161.https: Flags [F.], seq 1509, ack 1, win 1026, length 0
    09:51:07.271589 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.53444: Flags [.], ack 1510, win 128, length 0
    09:51:07.273726 PortE0, IN: IP 192.168.183.12.63202 > 152.199.19.161.https: Flags [SEW], seq 2156888641, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:51:07.283640 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.63202: Flags [S.], seq 339499660, ack 2156888642, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    09:51:07.283877 PortE0, IN: IP 192.168.183.12.63202 > 152.199.19.161.https: Flags [.], ack 1, win 1026, length 0
    09:51:07.284661 PortE0, IN: IP 192.168.183.12.63202 > 152.199.19.161.https: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
    09:51:07.284662 PortE0, IN: IP 192.168.183.12.63202 > 152.199.19.161.https: Flags [P.], seq 1461:1509, ack 1, win 1026, length 48
    09:51:07.284792 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.63202: Flags [.], ack 1461, win 128, length 0
    09:51:07.284924 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.63202: Flags [.], ack 1509, win 128, length 0
    09:51:08.840638 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:08.840681 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:10.888073 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:17.273133 PortE0, IN: IP 192.168.183.12.51363 > 152.199.19.161.https: Flags [F.], seq 1509, ack 1, win 1026, length 0
    09:51:17.273275 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.51363: Flags [.], ack 1510, win 128, length 0
    09:51:19.079821 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:19.080233 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:21.127692 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:23.176168 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
    09:51:27.274763 PortE0, IN: IP 192.168.183.12.57339 > 152.199.19.161.https: Flags [F.], seq 1509, ack 1, win 1026, length 0
    09:51:27.274922 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.57339: Flags [.], ack 1510, win 128, length 0
    09:51:27.283748 PortE0, IN: IP 192.168.183.12.54283 > 152.199.19.161.https: Flags [F.], seq 1509, ack 1, win 1026, length 0
    09:51:27.283813 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.54283: Flags [.], ack 1510, win 128, length 0
    09:51:28.628055 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [F.], seq 1, ack 1510, win 128, length 0
    09:51:28.628262 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [.], ack 2, win 1026, length 0

    If a post solves your question please use the 'Verify Answer' button.

    [edited by: Ben@Network at 8:02 AM (GMT -7) on 16 Aug 2021]
  • Dump it into a pcap and check via wireshark. 

  • In Wireshark I see that the TCP connection is established. Next, I see a TLS "Client Hello" packet which is acknowledged by the server (seq 1461). The next packet from the server is an acknowledgement for seq 1509, but I didn't find any packet with seq 1509. 30 seconds later the client ends the seq 1509, which is confirmed by the server. After that I see some packets from the server with the message "Fragment reassembly time exceeded".

    If you want, I can send you the dumps as PM.


  • What kind of ISP do you use? 

  • It is a Fiber Line from German Telekom. 

  • Hello Ben,

    Wild guess: could this be an MTU problem?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hello Philipp,

    That was also my idea after LuCar asked about the ISP. I have determined a max. MTU of 1464 via a client. After I set this on the WAN interface of the firewall, the stream runs even with SSL inspection enabled.

    Thanks,

    Ben

  • I am currently investigating an interesting edge case which could cause this issue with the DPI engine. Since V18.0 EAP, the DPI engine removes the DF (Don't Fragment) flag from the TLS Hello. Now this should not cause issues, but if the packet is too big, it could get lost in transmission. Maybe this could be fixed in the future, if this actually causes an issue, and the DF flag removal will be reverted.

  • It looks like my problem: the Client Hello packet is 1508 bytes large and it is reassembled in 2 segments, frame 1 1460 bytes and frame 2 48 bytes.
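An added Python example (not from the thread, Sophos, or any of the posters) that performs the check the posts above did by hand, over a constructed excerpt of the posted tcpdump: per client port it sums the ClientHello segments, records whether the server ACKed all of them without ever sending data of its own, and tests whether the largest segment plus a 40-byte IP/TCP header (an assumption) would exceed the 1464-byte path MTU Ben measured; ICMP "reassembly time exceeded" messages are counted alongside.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the tcpdump posted above for client port 64934
# plus one of the ICMP errors. Not the complete dump.
SAMPLE = """\
09:50:27.269902 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [S.], seq 2732898407, ack 3100857056, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
09:50:27.270582 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [.], seq 1:1461, ack 1, win 1026, length 1460
09:50:27.270583 PortE0, IN: IP 192.168.183.12.64934 > 152.199.19.161.https: Flags [P.], seq 1461:1509, ack 1, win 1026, length 48
09:50:27.270695 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [.], ack 1461, win 128, length 0
09:50:27.270817 PortE0, OUT: IP 152.199.19.161.https > 192.168.183.12.64934: Flags [.], ack 1509, win 128, length 0
09:50:58.599814 PortE0, OUT: IP 152.199.19.161 > 192.168.183.12: ICMP ip reassembly time exceeded, length 556
"""

TCP_RE = re.compile(
    r"^\S+ \S+, (?P<dir>IN|OUT): IP [\d.]+\.(?P<sport>\w+) > [\d.]+\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq \d+(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r".*, length (?P<len>\d+)$")
ICMP_RE = re.compile(r"^\S+ \S+, OUT: IP [\d.]+ > [\d.]+: ICMP ip reassembly time exceeded")


def analyze(dump, path_mtu=1464, ip_tcp_overhead=40):
    """Per client port: was the whole ClientHello ACKed with no server data, and would the largest segment exceed path_mtu on the wire?"""
    flows = defaultdict(lambda: {"client_bytes": 0, "client_segments": 0, "largest_segment": 0,
                                 "server_acked": 0, "server_bytes": 0})
    icmp_errors = 0
    for line in dump.splitlines():
        if ICMP_RE.match(line):
            icmp_errors += 1
            continue
        m = TCP_RE.match(line)
        if not m or "S" in m["flags"]:  # skip the handshake: its seq/ack numbers are absolute
            continue
        length = int(m["len"])
        if m["dir"] == "IN":            # client -> server, as captured on the WAN port
            f = flows[m["sport"]]
            if length:
                f["client_bytes"] += length
                f["client_segments"] += 1
                f["largest_segment"] = max(f["largest_segment"], length)
        else:                           # server -> client
            f = flows[m["dport"]]
            f["server_bytes"] += length
            if m["ack"]:
                f["server_acked"] = max(f["server_acked"], int(m["ack"]))
    for f in flows.values():
        # relative ack N means bytes 1..N-1 arrived; no server payload means no ServerHello
        f["hello_acked_no_reply"] = f["server_acked"] > f["client_bytes"] and f["server_bytes"] == 0
        f["segment_exceeds_path_mtu"] = f["largest_segment"] + ip_tcp_overhead > path_mtu
    suspect = [p for p, f in flows.items() if f["hello_acked_no_reply"] and f["segment_exceeds_path_mtu"]]
    return {"flows": dict(flows), "icmp_reassembly_errors": icmp_errors, "mtu_suspect_ports": suspect}
```

Run over a full capture taken on the WAN interface, the same pattern across many flows together with the ICMP count is the signature to look for before lowering the interface MTU.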