XGFW interferes with certain SSL website connections.

web browser: Chrome or Edge Dev or Firefox

target: https://www.ff14.co.kr/

result: ERR_CONNECTION_CLOSED

 


When I turn on the DPI engine, I can access the website. But when I turn the web filter off or on, I can't access it.

Packet dump and conntrack is assured for destination site.

SFVH_SO01_SFOS 18.0.0 EAP2# tcpdump -ni any net 183.111.190.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:54:52.763716 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [S], seq 3996659147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.764225 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [S], seq 3996659147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.767270 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [S.], seq 1255700950, ack 3996659148, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.767512 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [S.], seq 1255700950, ack 3996659148, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.780719 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.780939 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.781275 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [P.], seq 1:518, ack 1, win 1025, length 517
16:54:52.781377 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [.], ack 518, win 128, length 0
16:54:52.781990 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], seq 1:217, ack 1, win 256, length 216
16:54:52.782020 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], seq 217:433, ack 1, win 256, length 216
16:54:52.782040 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [P.], seq 433:518, ack 1, win 256, length 85
16:54:52.785490 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [F.], seq 1, ack 518, win 43007, length 0
16:54:52.785558 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], ack 2, win 256, length 0
16:54:52.785791 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [F.], seq 1, ack 518, win 128, length 0
16:54:52.786649 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [.], ack 2, win 1025, length 0
16:54:52.786810 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [F.], seq 518, ack 2, win 1025, length 0
16:54:52.786872 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [.], ack 519, win 128, length 0
16:54:52.786960 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [F.], seq 518, ack 2, win 256, length 0
16:54:52.787223 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [S], seq 2813204329, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.787529 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [S], seq 2813204329, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.789020 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [.], ack 518, win 43007, length 0
16:54:52.789911 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [.], ack 519, win 43007, length 0
16:54:52.790539 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [S.], seq 2922211172, ack 2813204330, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.790837 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [S.], seq 2922211172, ack 2813204330, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.795489 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.795688 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.795761 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [P.], seq 1:214, ack 1, win 1025, length 213
16:54:52.795900 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], ack 214, win 128, length 0
16:54:52.808413 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [P.], seq 1:214, ack 1, win 256, length 213
16:54:52.819986 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], ack 214, win 43008, length 0
16:54:52.831775 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], seq 1:1461, ack 214, win 43008, length 1460
16:54:52.831776 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], seq 1461:2921, ack 214, win 43008, length 1460
16:54:52.831777 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [P.], seq 2921:4075, ack 214, win 43008, length 1154
16:54:52.831955 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [P.], seq 1:67, ack 214, win 128, length 66
16:54:52.832388 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 2921, win 256, length 0
16:54:52.832853 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], seq 67:1527, ack 214, win 128, length 1460
16:54:52.832942 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], seq 1527:2987, ack 214, win 128, length 1460
16:54:52.833019 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [P.], seq 2987:4075, ack 214, win 128, length 1088
16:54:52.833181 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [.], ack 2987, win 1025, length 0
16:54:52.833220 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [.], ack 4075, win 1025, length 0
16:54:52.833699 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 2987, win 1025, length 0
16:54:52.833807 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 4075, win 1025, length 0
16:54:52.874368 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [P.], seq 214:340, ack 4075, win 1025, length 126
16:54:52.874731 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [P.], seq 214:340, ack 4075, win 1025, length 126
16:54:52.877280 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [P.], seq 4075:4126, ack 340, win 43008, length 51
16:54:52.877492 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [P.], seq 4075:4126, ack 340, win 43008, length 51
16:54:52.877823 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [F.], seq 340, ack 4126, win 1025, length 0
16:54:52.877923 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [F.], seq 340, ack 4126, win 1025, length 0
16:54:52.880353 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], ack 341, win 43008, length 0
16:54:52.880463 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], ack 341, win 43008, length 0
16:54:52.880896 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [R.], seq 4126, ack 341, win 43008, length 0
16:54:52.881032 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [R.], seq 4126, ack 341, win 43008, length 0
^C
52 packets captured
68 packets received by filter
7 packets dropped by kernel
SFVH_SO01_SFOS 18.0.0 EAP2#

SFVH_SO01_SFOS 18.0.0 EAP2# conntrack -L -d 183.111.190.21
proto=tcp proto-no=6 timeout=7 state=CLOSE orig-src=192.168.144.200 orig-dst=183.111.190.21 orig-sport=11358 orig-dport=443 packets=6 bytes=591 reply-src=183.111.190.21 reply-dst=221.154.6.91 reply-sport=443 reply-dport=11358 packets=8 bytes=4453 [ASSURED] mark=0x4003 use=3 id=1342324224 masterid=0 devin=Port1 devout=Port4 nseid=3910 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=1 natid=4 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x21 inzone=1 outzone=2 devinindex=5 devoutindex=8 hb_src=0 hb_dst=0 flags0=0x400a0080200000 flags1=0x1c100890000 flagvalues=21,31,41,43,54,80,83,87,96,102,103,104 catid=22 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:50:56:ba:0f:2a src_mac=88:d7:f6:41:c6:84 startstamp=1574582312 microflowid[0]=547 microflowrev[0]=34 microflowid[1]=256 microflowrev[1]=33 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=8 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=1761 current_state[1]=1761 vlan_id=0 inmark=0x0 brinindex=0 sessionid=407 sessionidrev=33901 session_update_rev=7 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=3 pbrid_dir1=0 nhop_id[0]=11 nhop_id[1]=22 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
proto=tcp proto-no=6 timeout=7 state=TIME_WAIT orig-src=192.168.144.200 orig-dst=183.111.190.21 orig-sport=11357 orig-dport=443 packets=5 bytes=729 reply-src=183.111.190.21 reply-dst=221.154.6.91 reply-sport=443 reply-dport=11357 packets=4 bytes=168 [ASSURED] mark=0x4003 use=3 id=1342323904 masterid=0 devin=Port1 devout=Port4 nseid=4271 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=1 natid=4 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x1 inzone=1 outzone=2 devinindex=5 devoutindex=8 hb_src=0 hb_dst=0 flags0=0x400a0080200000 flags1=0x1c000890000 flagvalues=21,31,41,43,54,80,83,87,102,103,104 catid=22 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:50:56:ba:0f:2a src_mac=88:d7:f6:41:c6:84 startstamp=1574582312 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=1 hostrev[1]=1 ipspid=0 diffserv=0 loindex=8 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=1761 current_state[1]=1761 vlan_id=0 inmark=0x0 brinindex=0 sessionid=409 sessionidrev=33933 session_update_rev=5 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=3 pbrid_dir1=0 nhop_id[0]=11 nhop_id[1]=22 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
conntrack v1.4.5 (conntrack-tools): 2 flow entries have been shown.

 
 
Parents
  • I would like to thank you for the super informative video. I got everything I needed from it.


    First attempt:
    You have a firewall rule that is LAN to WAN, ANY service. So port 80 and 443 traffic match it and the firewall lets it through.
    You start at the HTTP website. Everything is good. The firewall let you through.
    Then you click on an HTTPS hyperlink. The SSL/TLS inspection rules now take affect. You don't show them so now I have to guess.
    I think: Right now it is decrypting the TLS traffic. You get an error in the browser and in the game, related to the fact that is decrypting and your computer does not trust the CA.

    Second attempt:
    You change the configuration to set Web Policy to Allow All. Because you are using DPI mode, snort is still responsible for port 80 and 443 traffic. The SSL/TLS rules still apply.
    You attempt again, same result because again the TLS rule says to decrypt and your browser/game does not like it.

    Third attempt:
    You change the configuration to enable "use Web proxy instead of DPI". Now the traditional web proxy (awarrenhttp) is responsible for 80/443 traffic. It does not use the SSL/TLS inspection rules to determine what to decrypt, it uses the firewall rule "Decrypt HTTPS when running in web proxy".
    You attempt again, this time the web proxy does not decrypt your traffic (because your firewall rule tells it not to). Everything works.

    So to resolve, go to Rules and Policies, SSL/TLS Inspection Rules. If you don't want to do any SSL decryption then create a new rule that is LAN to WAN service Any "Do not decrypt".
    Or you should be able to resolve by installing the XG's Certificate Authority onto the box.

    The only odd thing is that the browser should have given you a warning about an untrusted certificate instead of ERR_CONNECTION_CLOSED. This just might be your local config or browser.

  • Thank you for your detailed feedback.

    Michael Dunn said:

    I think: Right now it is decrypting the TLS traffic. You get an error in the browser and in the game, related to the fact that is decrypting and your computer does not trust the CA.

    If the client accesses the ff14.co.kr SSL webpage, the response is normal. 

    Unfortunately, all computers under XGFW show the same phenomenon, and if they go out of XGFW's network, they communicate normally. There is no SSL decrypt configuration in the environment of the first attempt. Only NAT is configured.

    I have confirmed that the same phenomenon is reproduced in other XGFW EAP.

     

     
  • Can you post a screenshot of your SSL/TLS rules, and of the specific rule that turns off decryption for this traffic.

    Can you reproduce the problem and then tell me what is in log viewer, SSL/TLS inspection and in Web Filter log.

  • I tried accessing that page and ended up with a insecure site warning in Safari. I am using SSL/TLS DPI only.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Michael Dunn said:

    Can you post a screenshot of your SSL/TLS rules, and of the specific rule that turns off decryption for this traffic.

    Can you reproduce the problem and then tell me what is in log viewer, SSL/TLS inspection and in Web Filter log.

    Site 1

    Site 2

  • Even with decryption disabled, this site doesn't come up as "secure" in a modern browser, so I'm not very surprised the TLS inspection doesn't like it either and blocks the site. Whenever you open this page, look at the first error it throws:   Looks familiar!?

    Accessing this page is hit or miss for me, mostly just seeing errors:

     

    log_type="SSL"

    log_component="SSL"

    log_subtype="Error"

    rule_name="Exclusions by website or category"

    profile_name="Maximum compatibility"

    bitmask=""

    key_type="KEY_TYPE__UNKNOWN"

    sni="www.ff14.co.kr"

    tls_version="Unknown"

  • I tried to connect to a PC outside of XGFW, but this error does not reproduce in the console of my web browser. Do I need to activate something option? I'm not an expert in this area. Please give me a hint.

    On the other communication path except XGFW v18 well connected to the latest web browser, but are the cause of the problem is an incorrect TLS configuration of the ff14.co.kr website?

  • Interesting. I tested some more, and yes the page comes up clean if TLS decryption is completely disabled. So it does seem like the XG is somehow interfering and messing up the connection to this page. I tried all the other settings like TLS 1.3->TLS 1.2, compression etc. but none of them mattered. Only turning TLS inspection off entirely does the trick here. So I guess your only option to leave it off for now and investigate further with the Sophos Support guys on the forums here.

  • So many thanks.

    I will be wait for feedback from Sophos with a joyful heart. [H]

  • Michael Dunn said:

     
    Any feedback please.
     
  • Support Access ID: 03e39129-abb3-3dd6-bd41-7b4ebab17721@eu2.apu.sophos.com 

Reply Children
No Data