XGFW interferes with certain SSL website connections.

web browser: Chrome or Edge Dev or Firefox

target: https://www.ff14.co.kr/

result: ERR_CONNECTION_CLOSED

 


When I turn on the DPI engine, I can access the website. But when I turn the web filter off or on, I can't access it.

Packet dump and conntrack is assured for destination site.

SFVH_SO01_SFOS 18.0.0 EAP2# tcpdump -ni any net 183.111.190.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:54:52.763716 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [S], seq 3996659147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.764225 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [S], seq 3996659147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.767270 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [S.], seq 1255700950, ack 3996659148, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.767512 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [S.], seq 1255700950, ack 3996659148, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.780719 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.780939 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.781275 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [P.], seq 1:518, ack 1, win 1025, length 517
16:54:52.781377 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [.], ack 518, win 128, length 0
16:54:52.781990 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], seq 1:217, ack 1, win 256, length 216
16:54:52.782020 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], seq 217:433, ack 1, win 256, length 216
16:54:52.782040 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [P.], seq 433:518, ack 1, win 256, length 85
16:54:52.785490 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [F.], seq 1, ack 518, win 43007, length 0
16:54:52.785558 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [.], ack 2, win 256, length 0
16:54:52.785791 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [F.], seq 1, ack 518, win 128, length 0
16:54:52.786649 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [.], ack 2, win 1025, length 0
16:54:52.786810 Port1, IN: IP 192.168.144.200.10976 > 183.111.190.21.443: Flags [F.], seq 518, ack 2, win 1025, length 0
16:54:52.786872 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10976: Flags [.], ack 519, win 128, length 0
16:54:52.786960 Port4, OUT: IP 221.154.6.91.10976 > 183.111.190.21.443: Flags [F.], seq 518, ack 2, win 256, length 0
16:54:52.787223 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [S], seq 2813204329, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.787529 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [S], seq 2813204329, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:54:52.789020 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [.], ack 518, win 43007, length 0
16:54:52.789911 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10976: Flags [.], ack 519, win 43007, length 0
16:54:52.790539 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [S.], seq 2922211172, ack 2813204330, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.790837 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [S.], seq 2922211172, ack 2813204330, win 8192, options [nop,nop,sackOK,nop,wscale 9], length 0
16:54:52.795489 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.795688 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 1, win 1025, length 0
16:54:52.795761 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [P.], seq 1:214, ack 1, win 1025, length 213
16:54:52.795900 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], ack 214, win 128, length 0
16:54:52.808413 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [P.], seq 1:214, ack 1, win 256, length 213
16:54:52.819986 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], ack 214, win 43008, length 0
16:54:52.831775 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], seq 1:1461, ack 214, win 43008, length 1460
16:54:52.831776 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], seq 1461:2921, ack 214, win 43008, length 1460
16:54:52.831777 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [P.], seq 2921:4075, ack 214, win 43008, length 1154
16:54:52.831955 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [P.], seq 1:67, ack 214, win 128, length 66
16:54:52.832388 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 2921, win 256, length 0
16:54:52.832853 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], seq 67:1527, ack 214, win 128, length 1460
16:54:52.832942 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], seq 1527:2987, ack 214, win 128, length 1460
16:54:52.833019 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [P.], seq 2987:4075, ack 214, win 128, length 1088
16:54:52.833181 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [.], ack 2987, win 1025, length 0
16:54:52.833220 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [.], ack 4075, win 1025, length 0
16:54:52.833699 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 2987, win 1025, length 0
16:54:52.833807 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [.], ack 4075, win 1025, length 0
16:54:52.874368 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [P.], seq 214:340, ack 4075, win 1025, length 126
16:54:52.874731 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [P.], seq 214:340, ack 4075, win 1025, length 126
16:54:52.877280 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [P.], seq 4075:4126, ack 340, win 43008, length 51
16:54:52.877492 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [P.], seq 4075:4126, ack 340, win 43008, length 51
16:54:52.877823 Port1, IN: IP 192.168.144.200.10977 > 183.111.190.21.443: Flags [F.], seq 340, ack 4126, win 1025, length 0
16:54:52.877923 Port4, OUT: IP 221.154.6.91.10977 > 183.111.190.21.443: Flags [F.], seq 340, ack 4126, win 1025, length 0
16:54:52.880353 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [.], ack 341, win 43008, length 0
16:54:52.880463 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [.], ack 341, win 43008, length 0
16:54:52.880896 Port4, IN: IP 183.111.190.21.443 > 221.154.6.91.10977: Flags [R.], seq 4126, ack 341, win 43008, length 0
16:54:52.881032 Port1, OUT: IP 183.111.190.21.443 > 192.168.144.200.10977: Flags [R.], seq 4126, ack 341, win 43008, length 0
^C
52 packets captured
68 packets received by filter
7 packets dropped by kernel
SFVH_SO01_SFOS 18.0.0 EAP2#

SFVH_SO01_SFOS 18.0.0 EAP2# conntrack -L -d 183.111.190.21
proto=tcp proto-no=6 timeout=7 state=CLOSE orig-src=192.168.144.200 orig-dst=183.111.190.21 orig-sport=11358 orig-dport=443 packets=6 bytes=591 reply-src=183.111.190.21 reply-dst=221.154.6.91 reply-sport=443 reply-dport=11358 packets=8 bytes=4453 [ASSURED] mark=0x4003 use=3 id=1342324224 masterid=0 devin=Port1 devout=Port4 nseid=3910 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=1 natid=4 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x21 inzone=1 outzone=2 devinindex=5 devoutindex=8 hb_src=0 hb_dst=0 flags0=0x400a0080200000 flags1=0x1c100890000 flagvalues=21,31,41,43,54,80,83,87,96,102,103,104 catid=22 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:50:56:ba:0f:2a src_mac=88:d7:f6:41:c6:84 startstamp=1574582312 microflowid[0]=547 microflowrev[0]=34 microflowid[1]=256 microflowrev[1]=33 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=8 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=1761 current_state[1]=1761 vlan_id=0 inmark=0x0 brinindex=0 sessionid=407 sessionidrev=33901 session_update_rev=7 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=3 pbrid_dir1=0 nhop_id[0]=11 nhop_id[1]=22 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
proto=tcp proto-no=6 timeout=7 state=TIME_WAIT orig-src=192.168.144.200 orig-dst=183.111.190.21 orig-sport=11357 orig-dport=443 packets=5 bytes=729 reply-src=183.111.190.21 reply-dst=221.154.6.91 reply-sport=443 reply-dport=11357 packets=4 bytes=168 [ASSURED] mark=0x4003 use=3 id=1342323904 masterid=0 devin=Port1 devout=Port4 nseid=4271 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=1 natid=4 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x1 inzone=1 outzone=2 devinindex=5 devoutindex=8 hb_src=0 hb_dst=0 flags0=0x400a0080200000 flags1=0x1c000890000 flagvalues=21,31,41,43,54,80,83,87,102,103,104 catid=22 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:50:56:ba:0f:2a src_mac=88:d7:f6:41:c6:84 startstamp=1574582312 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=1 hostrev[1]=1 ipspid=0 diffserv=0 loindex=8 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=1761 current_state[1]=1761 vlan_id=0 inmark=0x0 brinindex=0 sessionid=409 sessionidrev=33933 session_update_rev=5 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=3 pbrid_dir1=0 nhop_id[0]=11 nhop_id[1]=22 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
conntrack v1.4.5 (conntrack-tools): 2 flow entries have been shown.

 
 
Parents
  • Hi FoW,

    Did you try creating a Web Exception, inside Web => Exception ?

    You can use this Regex:  ^([A-Za-z0-9.-]*\.)?ff14\.co\.kr\.?/

    It should look like this:

    This should skip any kind of policy checks or inspection by XG. Even when using the DPI engine.

     

    Thanks,


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Prism said:

    This should skip any kind of policy checks or inspection by XG. Even when using the DPI engine. 

    Thank you for your feedback.

    As you said, I added a configuration to Exceptions. But I still get an SSL error. SSL errors also occur in policies that do not apply web filters.

    Currently, the only way to access websites that are experiencing SSL errors is to turn on the web filter and turn off the DPI engine.

    Perhaps the DPI engine handles web access processing even if the web filter is not on?

  • That's strange, a Sophos Dev should definitely see what's causing this issue.

    I've tried accessing the website with DPI Engine and also decryption and web filter.

    I can access it normally here.

    But I'm also getting some errors in this website.

    I hope it's fixed soon for you.

     

    Thanks,


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

Reply
  • That's strange, a Sophos Dev should definitely see what's causing this issue.

    I've tried accessing the website with DPI Engine and also decryption and web filter.

    I can access it normally here.

    But I'm also getting some errors in this website.

    I hope it's fixed soon for you.

     

    Thanks,


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

Children