SSL/TLS : ERR_CONNECTION_RESET Issue

Question

Hi Support, 
 I hope someone can assist me. I've recently encountered an issue where some websites fail to load, displaying the error "ERR_CONNECTION_RESET." 
 
 Upon reviewing the log viewer, the issue is tagged under SSL/TLS Inspection with the following details: ACTION: Error Reason: Server did not respond to client hello 
 
 I have tried exempting these sites in the Firewall Rules and SSL/TLS settings, but the error "ERR_CONNECTION_RESET" persists. 
 Firewall Rules: 
 
 SSL/TLS: 
 
 Below are the affected sites: 
 
 https ://www .techchore .com/ 
 https ://hostman .com/ 
 https ://www .tecmint .com/

I'm using Sophos Home Firewall running SFOS 21.0.0 GA-Build169 
 
 Looking forward to your guidance.

Michael Dunn · Accepted Answer

DPI vs Web Proxy (legacy) - 99% of the feature set is the same - both support transparent mode - only web proxy supports direct proxy mode - both detect malware (if enabled in firewall rule) - both block websites, etc - both can decrypt https although the configuration is different - proxy has specific features that DPI does not such as SafeSearch. For some customers that makes proxy a requirement. - DPI has specific features that proxy does not - Application Control is configured and implemented separately. Both support App control equally. 
 Back when DPI was introduced (v18) it was new and had some problems with specific websites. It got a reputation for not being as good as the legacy proxy. However I think that reputation is undeserved in the last few years. DPI mode is more sensitive to network configuration, topology, MTU, etc. 
 I encourage you to use DPI mode. That being said, switching to proxy mode may be an interesting test to help narrow down the problem. 
 --- 
 Destination networks that are FQDN hosts are poor performance. This is absolutely true in TLS rules but I believe in firewall rules as well. This is because it needs to look up the FQDN to see what IPs are associated and it needs to do that every connection because the IPs can change any time. 
 For TLS rules, look at support.sophos.com/.../KBA-000008111 For Firewall rules, if you purpose is to create a whitelist that does not apply policy, either do it in the web policy, or use a web exception. You may want to look at support.sophos.com/.../KBA-000004901 
 To think about it a different way, think of the layers of networking. The best place to make decisions about decryption is the layer where we see SNI, not IP addresses. The best place to make decisions about web policy is where we see HTTP/S requests, not IP addresses. 
 This is not likely related to your problem, I just want to set you on the right path. 
 --- 
 The problem might be in kyber support, try disabling in the browser. This increased the TLS handshake to that it is larger than a single packet, which DPI mode has problems with. support.sophos.com/.../KBA-000009276

rfcat_vk · Answer

Hi, 
 I was suggesting using LAN zone because you have already identified your networks in the network field. I was suggesting the change to make rule modification and management easier. All your categories are LAN zone. 
 The web proxy can detect malware though you will need to reduce the port range to http/s 
 Also to detect malware you will need to change applications to allow all and add LAN to WAN in IPS regardless of DPI or web proxy. 
 Web proxy allows you to use google safe browsing etc which is not currently supported in DPI. 
 Ian

rfcat_vk · Answer

HI, 
 you can use DPI in one rule and web proxy in another but you need applications and IPS enabled. DPI does not support keyword filtering. 
 You enable the web proxy in your rule and limit the ports to http/s. With the web proxy you can block a lot of sites but not with DPI. 
 Ian 
 
 Extra info: - there is a very good article by Michael Dunn in the KBAs if you do a search it might provide you with some guidance

Michael Dunn · Answer

Not saying you made it up, I don't recall where it originally came from - I am just saying it is incorrect. Both proxy and DPI have the same support for HTTP and HTTPS over UDP (eg QUIC). Neither supports. There is no UDP reason to select "Use proxy" in a firewall rule. There are other reasons that are valid, just not UDP.

SSL/TLS : ERR_CONNECTION_RESET Issue

Top Replies