
SSL/TLS Inspection of AWS S3 Packets Intermittent Rejections

We are having two issues which seem to be connected to AWS S3 connectivity. We have web-based exhibits which pull content from S3 buckets. This works fine and consistently outside the corporate firewall. However, going through the Sophos XG units results in some behaviour which we are unsure about. The apps will work fine for a while and there is no correlation to time etc. Sometimes it is straight away, other times you can be going for 30 mins or longer. There is no number of hits or speed or anything we can put down to making a pattern. There are two different errors; this is the easiest one to review first. In the logs, the request which works normally other times, and is the SAME request each time it is used, ends with the error below:

    2024-08-09 15:56:19 SSL/TLS inspection messageid="19018" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="user@somewhere.com" src_ip="x.x.x.x" dst_ip="x.x.x.x" user_group="someuser" src_country="R1" dst_country="IRL" src_port="54378" dst_port="443" app_name="" category="Information Technology" con_id="2404271360" rule_id="3" profile_id="4" rule_name="VPN WAN- Decrypt - Cert Needed" profile_name="Standard Reject" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="9d:ea:18:26:21:70:a9:ef:1d:a9:f2:e2:aa:b8:71:81:d1:96:1c:db" resumed="1" cert_chain_served="TRUE" cipher_suite="TLS_AES_128_GCM_SHA256" sni="s3.eu-west-1.amazonaws.com" tls_version="TLS1.3" reason="TLS handshake fatal alert: decode error(50)." exception="" message=""

We then have other requests which fail within the browser but don't seem to have any negative errors within the FW logs. The browser errors can be along the lines of:

    failed, reason: write EPROTO 24616:error:141713E7:SSL routines:tls_process_server_hello:invalid session id:c:\ws\deps\openssl\openssl\ssl\statem\statem_clnt.c:1502:


Yet again these errors only occur intermittently through the FW and work consistently fine without the FW.

Has anyone come across these errors or had similar issues? Does anyone know what the error in the first FW message means?

Thanks



Edited TAGs
[edited by: Raphael Alganes at 11:18 PM (GMT -7) on 12 Aug 2024]
  • In addition to the above, we are also seeing inconsistencies in other traffic which is unrelated. One minute the cipher and URL are fine and passed, the next they aren't.

    2024-08-12 16:30:00 Do not decrypt 19004 4 Standard Reject x.x.x.x x.x.x.x Information Technology thisurl.execute-api.eu-west-2.amazonaws.com TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
    2024-08-12 16:17:50 Do not decrypt 19004 4 Standard Reject x.x.x.x x.x.x.x Information Technology thisurl.execute-api.eu-west-2.amazonaws.com TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    2024-08-12 16:15:36 Reject 19009 4 Standard Reject x.x.x.x x.x.x.x Information Technology thisurl.execute-api.eu-west-2.amazonaws.com TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Blocked due to undecryptable cipher suite or TLS protocol
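As an added example (not part of the original post or of Sophos' own tooling), the script below parses the SFOS SSL/TLS inspection log format shown above, the `key="value"` pairs following the timestamp, and groups handshake errors by SNI and TLS version while separating resumed sessions (`resumed="1"`) from full handshakes. The first log line in the post is a resumed TLS 1.3 session ending in fatal alert 50, which is `decode_error` in TLS; the browser error is also raised during session resumption (`invalid session id`). Checking whether the rejections cluster on resumed sessions is therefore a useful first triage step before opening a support case. The field names are taken from the posted log line; the additional sample lines are constructed for illustration and the hostnames and IPs in them are placeholders.

```python
import re
from collections import defaultdict

# Matches the key="value" pairs of an SFOS SSL/TLS inspection log line.
# The leading "2024-08-09 15:56:19 SSL/TLS inspection" prefix is simply skipped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_ssl_log(line: str) -> dict:
    """Return the key="value" fields of one SFOS SSL/TLS inspection log line."""
    return {key: value for key, value in KV_RE.findall(line)}


def is_resumption_failure(rec: dict) -> bool:
    """True when a resumed TLS session ended with a fatal handshake alert."""
    return rec.get("resumed") == "1" and "fatal alert" in rec.get("reason", "").lower()


def summarize_handshake_failures(lines) -> dict:
    """Group Error-subtype records by (sni, tls_version); count resumed vs. full
    handshakes and collect the distinct reason strings seen for each group."""
    summary = defaultdict(lambda: {"resumed": 0, "full": 0, "reasons": set()})
    for line in lines:
        rec = parse_sfos_ssl_log(line)
        if rec.get("log_subtype") != "Error":
            continue  # Allow/Deny records are not handshake failures
        key = (rec.get("sni", ""), rec.get("tls_version", ""))
        bucket = "resumed" if rec.get("resumed") == "1" else "full"
        summary[key][bucket] += 1
        if rec.get("reason"):
            summary[key]["reasons"].add(rec["reason"])
    return dict(summary)


def count_resumption_failures(lines) -> int:
    """Number of records whose failure occurred on a resumed session."""
    return sum(1 for line in lines if is_resumption_failure(parse_sfos_ssl_log(line)))


# Constructed sample input: the first line is the one from the post; the others
# are made up to show a successful record and a failure on a full handshake.
SAMPLE_LINES = [
    '2024-08-09 15:56:19 SSL/TLS inspection messageid="19018" log_type="Content Filtering" '
    'log_component="SSL" log_subtype="Error" severity="Information" src_ip="x.x.x.x" '
    'dst_ip="x.x.x.x" dst_port="443" profile_name="Standard Reject" resumed="1" '
    'cipher_suite="TLS_AES_128_GCM_SHA256" sni="s3.eu-west-1.amazonaws.com" '
    'tls_version="TLS1.3" reason="TLS handshake fatal alert: decode error(50)." exception="" message=""',
    # constructed: the same destination, successful full handshake
    '2024-08-09 15:57:02 SSL/TLS inspection messageid="19017" log_component="SSL" '
    'log_subtype="Allow" resumed="0" sni="s3.eu-west-1.amazonaws.com" tls_version="TLS1.3" reason=""',
    # constructed: a second resumed session failing the same way
    '2024-08-09 15:58:40 SSL/TLS inspection messageid="19018" log_component="SSL" '
    'log_subtype="Error" resumed="1" sni="s3.eu-west-1.amazonaws.com" tls_version="TLS1.3" '
    'reason="TLS handshake fatal alert: decode error(50)."',
    # constructed: a full handshake rejected for a different reason on another host
    '2024-08-12 16:15:36 SSL/TLS inspection messageid="19009" log_component="SSL" '
    'log_subtype="Error" resumed="0" sni="thisurl.execute-api.eu-west-2.amazonaws.com" '
    'tls_version="TLS1.2" reason="Blocked due to undecryptable cipher suite or TLS protocol"',
]


if __name__ == "__main__":
    for (sni, version), stats in summarize_handshake_failures(SAMPLE_LINES).items():
        print(f"{sni} {version}: resumed={stats['resumed']} full={stats['full']}")
        for reason in sorted(stats["reasons"]):
            print(f"    {reason}")
    print("failures on resumed sessions:", count_resumption_failures(SAMPLE_LINES))
```

Run it over an export of the SSL/TLS inspection log (one record per line) instead of `SAMPLE_LINES`; if the `resumed` counter dominates for a given SNI, the problem is specific to session resumption rather than to the certificate or cipher policy of the decryption profile.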