TLS/SSL Inspection rule - a few websites are not opening, like LinkedIn and VMware, without an SSL/TLS exception - Internet browsing is very slow in my case

I decided to open a proper thread, as the other was complaining about the documentation that will arrive.

After some days of investigation, I decided to put linkedin.com in the SSL/TLS Local Exception URL group, but some packets are still blocked:

Another question:

Where has the action in the log gone? I mean "blocked", "allowed" in the small log box that appears?

I am not able to find the action. Looking for red locks only does not help.

I am using macOS Catalina with Firefox 69.0.3. Without the exception, on Safari, LinkedIn opens but the VMware link does not. The VMware link I am trying to open is this:

https://www.vmware.com/info/?id=1153

Switching back to web proxy, VMware opens and LinkedIn is faster to open. Opening even the Sophos community website with DPI is slower.

I am available for logs or ssh connection to Sophos devs.

Regards

  • Hi  

    The LinkedIn connection you highlighted is not going to the main linkedin.com domain but to their CDN domain - licdn.com. Did you add that to the exclusions too?

    The issue with the missing 'Action' column is a known issue and should be addressed in the next update we put out.

    We will be in touch to investigate the issue with Firefox on Mac further in the next couple of days. The engineers for the SSL/TLS features and the DPI web filtering are based here in Vancouver, and this weekend Canada has its Thanksgiving holiday.

    Could you check one thing in the meantime - can you try looking at ips.log when you try to connect to LinkedIn without the exception in place?

    # tail -f /log/ips.log

    Do you see messages appear that say something like "Cannot parse pipelined request" as you are attempting to load these pages?

  •  

    I did not add the exception in the TLS exception list.

    Here is the IPS.log output, while I am surfing LinkedIn and the VMware website I posted:

    SFVH_SO01_SFOS 18.0.0 EAP1# tail -f /log/ips.log

    [Oct 14 10:23:37 :445]:daq_multi_start:Starting up daq LWP
    [Oct 14 10:23:38 :32517]:load module: '/sbin/modprobe nf_conntrack_ipslb q_start=0 q_end=3    ' done
    [Oct 14 10:23:38 :32517]:IPS now running
    [Oct 14 10:23:38 :32517]:readfd cdata.cpipe[1] for pid 446 set
    [Oct 14 10:23:38 :32517]:readfd cdata.cpipe[1] for pid 447 set
    [Oct 14 10:23:38 :32517]:readfd cdata.cpipe[1] for pid 445 set
    1571047659.788199875 [  446/0x0] [nsg.c:1524:parser_context_error_cb] Http parser error (PARSE_INVALID). Will relay connection!
    1571055627.539143331 [  444/0xe9ab000001c2] [nsg_nse_policy.c:1895:nsg_nse_policy_process_queue_event] Firing event on ssl fsm returned error.
    1571055627.542795554 [  446/0x4b24000001b3] [nsg_nse_policy.c:1895:nsg_nse_policy_process_queue_event] Firing event on ssl fsm returned error.
    1571055716.632715084 [  446/0x0] [nsg.c:976:parser_context_req_begin_cb] Cannot parse pipelined request.
    1571055716.694367283 [  447/0x0] [nsg.c:976:parser_context_req_begin_cb] Cannot parse pipelined request.
    mnl_cb_run: No such file or directory
    UST sessiontbl_get_tuple API returned -1[Oct 14 14:22:19 :445]:nfq_daq_inject:Unable to get the tuple info from the kernel conntrack
    [Oct 14 14:22:19 :445]:nfq_daq_pkt_inject:Failed to send packet on session 382, revision 64207, dir 1
    [Oct 14 14:22:19 :445]:nse_msg_transmit:Failed to send verdict through Child DAQs
    mnl_cb_run: No such file or directory
    UST sessiontbl_get_tuple API returned -1[Oct 14 14:22:32 :445]:nfq_daq_inject:Unable to get the tuple info from the kernel conntrack
    [Oct 14 14:22:32 :445]:nfq_daq_pkt_inject:Failed to send packet on session 382, revision 64207, dir 1
    [Oct 14 14:22:32 :445]:nse_msg_transmit:Failed to send verdict through Child DAQs
    1571055765.015384759 [  446/0x6490000002ac] [nsg_nse_policy.c:1895:nsg_nse_policy_process_queue_event] Firing event on ssl fsm returned error.
    1571055768.937271972 [  447/0x0] [nsg.c:976:parser_context_req_begin_cb] Cannot parse pipelined request.
    1571055769.099667910 [  445/0x0] [nsg.c:976:parser_context_req_begin_cb] Cannot parse pipelined request.
    1571055769.440895305 [  447/0x6490000002a1] [nsg_nse_policy.c:1895:nsg_nse_policy_process_queue_event] Firing event on ssl fsm returned error.
    1571055777.002048725 [  444/0x0] [nsg.c:1524:parser_context_error_cb] Http parser error (PARSE_INVALID). Will relay connection!
    1571055777.018726894 [  447/0x707c0000011a] [nsg_tcphold.c:279:process_event] Could not find session for key and unique_id.
    mnl_cb_run: No such file or directory
    UST sessiontbl_get_tuple API returned -1[Oct 14 14:22:57 :445]:nfq_daq_inject:Unable to get the tuple info from the kernel conntrack
    [Oct 14 14:22:57 :445]:nfq_daq_pkt_inject:Failed to send packet on session 382, revision 64207, dir 1
    [Oct 14 14:22:57 :445]:nse_msg_transmit:Failed to send verdict through Child DAQs

    "The engineers for the SSL/TLS features and the DPI web filtering are based here in Vancouver, and this weekend Canada has its Thanksgiving holiday." Holidays are holidays, do not touch them!

    [:P]

    Regards
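
The check requested above (whether "Cannot parse pipelined request" and related messages appear while the pages load) can be made repeatable by tallying the epoch-stamped DPI lines per function and message, so a capture taken with the exception in place can be compared with one taken without it. This is an added example, not part of the thread or Sophos tooling; the function names are hypothetical, the sample lines are copied from the log posted above, and it assumes `awk` and `sort` are available where the capture is analysed.

```shell
#!/bin/sh
# Added example, not from the thread: tally DPI-engine messages in an ips.log capture.

# Sample input: lines copied from the log posted above.
sample_log() {
cat <<'EOF'
1571047659.788199875 [  446/0x0] [nsg.c:1524:parser_context_error_cb] Http parser error (PARSE_INVALID). Will relay connection!
1571055627.539143331 [  444/0xe9ab000001c2] [nsg_nse_policy.c:1895:nsg_nse_policy_process_queue_event] Firing event on ssl fsm returned error.
1571055716.632715084 [  446/0x0] [nsg.c:976:parser_context_req_begin_cb] Cannot parse pipelined request.
1571055716.694367283 [  447/0x0] [nsg.c:976:parser_context_req_begin_cb] Cannot parse pipelined request.
[Oct 14 14:22:19 :445]:nse_msg_transmit:Failed to send verdict through Child DAQs
1571055768.937271972 [  447/0x0] [nsg.c:976:parser_context_req_begin_cb] Cannot parse pipelined request.
1571055777.002048725 [  444/0x0] [nsg.c:1524:parser_context_error_cb] Http parser error (PARSE_INVALID). Will relay connection!
EOF
}

# Reads ips.log text on stdin; prints "count<TAB>function: message", most frequent first.
# Only epoch-stamped lines are counted; "[Oct 14 ...]" daemon lines are skipped.
summarize_ips_log() {
    awk '
    /^[0-9]+\.[0-9]+ +\[/ {
        line = $0
        # Drop the epoch timestamp and the [pid/session] field, which differ per line.
        sub(/^[0-9.]+ +\[[^]]*\] +\[/, "", line)
        src = line; sub(/\].*$/, "", src)        # file:line:function
        msg = line; sub(/^[^]]*\] */, "", msg)   # message text
        n = split(src, part, ":")
        count[part[n] ": " msg]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

sample_log | summarize_ips_log
```

On a saved capture, run it as `summarize_ips_log < ips.log` once per test condition and compare the counts.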