SSL/TLS : ERR_CONNECTION_RESET Issue

Hi Support,

I hope someone can assist me. I've recently encountered an issue where some websites fail to load, displaying the error "ERR_CONNECTION_RESET."

Upon reviewing the log viewer, the issue is tagged under SSL/TLS Inspection with the following details:
ACTION: Error
Reason: Server did not respond to client hello

I have tried exempting these sites in the Firewall Rules and SSL/TLS settings, but the error "ERR_CONNECTION_RESET" persists. 

Firewall Rules:

SSL/TLS:

Below are the affected sites:

I'm using Sophos Home Firewall running SFOS 21.0.0 GA-Build169 

Looking forward to your guidance.



  • Hi,

    which firewall rule is blocking the traffic? There is also a possibility that the tecmint site is using other URLs which you have blocked.

    Please post the bottom half of the firewall rule.

    A suggestion: you could simplify your rules by using LAN as the source zone.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Thank you for your reply. The issue is related to my SSL/TLS policy ID 6 (MyExclusions). Please note that the firewall rules where these sites are whitelisted do not have web and app filtering enabled.

    The URLs belong to Information Technology and online shopping categories, which are not blocked by my web filtering. I’m using a single web filtering policy for all my LAN to WAN traffic, as detailed below:

    Web Policy (HomeWeb-Filter)

    List of web categories: Advertisements, Anonymizers, Auctions & Classified Ads, Command & Control, Criminal Activity, Gambling, Hacking, Marijuana, Nudity, Peer-to-peer & torrents, Personals & Dating, Phishing & Fraud, Pro-Suicide & Self-Harm, Sex Education, Sexually Explicit, Spam URLs, Spyware & Malware

    SSL/TLS Policy:

    Firewall Rules (MyExclusionList)


    I’ll keep your suggestion in mind. The reason I set up the LAN zoning was to easily identify each network within my home.

  • Hi,

    you can use DPI in one rule and web proxy in another but you need applications and IPS enabled. DPI does not support keyword filtering.

    You enable the web proxy in your rule and limit the ports to http/s. With the web proxy you can block a lot of sites but not with DPI. 

    Ian

    Extra info: there is a very good article by Michael Dunn in the KBAs; if you do a search, it might provide you with some guidance.


  • Thanks for the suggestion. I really appreciate your response to my inquiry, and that will be the next topic as I continue my Sophos journey. One step at a time, as they say. I am eager to understand why some websites are getting a "connection reset" when DPI is enabled. I think there's something there that needs to be figured out. Also, in my opinion, the Web Proxy (Legacy) is not yet an option, as I’m not using it.

    I hope someone from the Sophos support community can take a look or replicate my issue.

  • Hi,

    I have tested the tecmint site and can connect to it without any issues, I use the web proxy.

    Ian

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122357/sophos-firewall-life-of-a-packet


  • I don't use DPI because of the limitations on blocking sites.

    Ian


  • I see, that’s why you didn’t encounter the issue I faced with DPI, where some sites throw a "connection reset" error. Did you try replicating this behavior in your own environment?

    Also, I believe Sophos uses web filtering to block sites, maintaining a dedicated and regularly updated set of categories. My understanding of DPI (Deep Packet Inspection) is that it scans and decrypts traffic, blocking malicious payloads or malware when detected, but it is less focused on site blocking. Blocking becomes more comprehensive when the two approaches are combined. Both DPI and Web Proxy have their own advantages and disadvantages, depending on the user’s implementation and requirements. In my case, I prefer to use DPI.

  • Now that I have the network to myself, I will set up a rule and try.

    Ian


  • I tested without any issues.

    I think I see your problem. You need to enable web using allow all.

    Ian


  • It looks like you’re right. When I allowed all web filter rules, it worked. I’ll try to figure out what’s stopping it when the web filter is enabled. You may also be correct that they’re using a different link upon loading, or perhaps a 301 redirect is causing the connection reset (Server did not respond to client hello) in the Sophos SSL/TLS filter logs.

  • This is funny—it works for a while but then reverts to the same issue. I tested it on a separate network with IPS, Web, and App filters enabled, but with SSL/TLS scanning disabled, and it works. The issue only occurs when SSL/TLS (DPI) is enabled. I’ll run some additional tests to investigate further.
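Added example (my own code, not from this thread or from Sophos): a small Python probe that sends a ClientHello straight to a host and reports whether a ServerHello came back, the server stayed silent, or the connection was torn down, which is the distinction the "Server did not respond to client hello" log reason turns on. Pointing probe_tls at an affected site from a client that bypasses the DPI rule lets you compare the origin's direct behaviour with what the firewall logs; the stub server and the hostname example.invalid are constructed so the classification can be exercised offline.

```python
import socket, ssl, struct, threading, time

def probe_tls(host, port=443, sni=None, timeout=3.0):
    """Send a ClientHello to host:port and classify what came back."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we only want to know whether the
    ctx.verify_mode = ssl.CERT_NONE     # handshake proceeds, not validate the cert
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return {"result": "handshake_ok", "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ConnectionResetError:
        return {"result": "reset_after_client_hello"}
    except socket.timeout:
        return {"result": "no_response_to_client_hello"}
    except ssl.SSLEOFError:
        return {"result": "closed_after_client_hello"}
    except ssl.SSLError as exc:
        return {"result": "tls_error", "detail": exc.reason}
    except OSError as exc:
        return {"result": "connect_failed", "detail": str(exc)}

def start_stub_server(behaviour):
    """Constructed stand-in for a misbehaving origin (loopback only).
    'hang' swallows the ClientHello and never answers; 'reset' tears the
    connection down with a TCP RST instead. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                              # the ClientHello
        if behaviour == "hang":
            time.sleep(5)                            # outlive the client's timeout
        else:
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))  # close() now sends RST
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for mode in ("hang", "reset"):
        port = start_stub_server(mode)
        print(mode, probe_tls("127.0.0.1", port, sni="example.invalid", timeout=1.0))
```

A real origin that answers the ClientHello returns handshake_ok with the negotiated version and cipher; if it does so directly but the firewall still logs the error, the failure is in the inspected path (for example an SNI or redirect the inspection policy re-originates differently) rather than at the site.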