SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA

Hi,

following situation:
I want to access an internal server via VPN; the server's address is 172.27.10.11.

When entering its FQDN in the browser I get the following error: SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA

From time to time entering its FQDN I also get forwarded to a wrong IP and see the following in the address line: https://172.27.15.1:8090/ips/block/tls?te=[...]
172.27.15.1 is the LAN address of the XG firewall, which seems a bit weird now...
The related firewall rule "VPN to MGMT" has no IPS or http/https scanning activated.

If I try to access the server via IP (172.27.10.11), this works fine.

Hope you can explain what I'm doing wrong and how to fix this... :(

Kind regards,
Leon

  • I've found the solution... :D

    As described above, the scan of http/https is disabled in the matching firewall rule.

    The log also showed nothing as blocked, or even an error:

    Then I did some research in the settings of the XG firewall and came across TLS/SSL Inspection rules. I thought: "Maybe the TLS/SSL inspection engine will still intervene?"

    I remembered having played a bit with the new engine and profiles and checked out my "Standard Decryption" profile:

    Because I checked "Name Mismatch" in my Decryption Profile, the error occurs. Apparently the FQDN and the certificate generated by my ESXi host are different, I didn't know that. That's why it worked via IP but not with FQDN.

    So is it intended that the engine scans even if the scan in the firewall is switched off? Or is it really a bug?

    And why was there no notification when the profile says: "Reject & Notify"?

    Best regards,
    Leon

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link
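The root cause Leon found is a hostname/certificate mismatch: the ESXi host's certificate names the server one way, the FQDN typed into the browser names it another way, and the decryption profile's "Name Mismatch" check rejects the connection. The check below, added here as an illustration and not part of the original post or of Sophos' own engine, reproduces the verdict an inspecting proxy (or a browser) reaches: it takes a certificate in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns and matches the requested name against the Subject Alternative Name entries, with the DNS-name/IP-address distinction that explains why access by IP worked and access by FQDN did not. The certificate contents (`ESXI_CERT`) are constructed for the example and are not the poster's real certificate; the FQDN `esxi01.mgmt.example.internal` is likewise made up.

```python
import ipaddress

# Constructed example certificate in ssl.getpeercert() layout. A factory-style
# self-signed cert often carries the install-time host name plus the management
# IP, but not the FQDN later assigned in DNS. This is an assumption for the
# demo, not data from the thread.
ESXI_CERT = {
    "subject": ((("commonName", "esxi01.localdomain"),),),
    "subjectAltName": (
        ("DNS", "esxi01.localdomain"),
        ("IP Address", "172.27.10.11"),
    ),
}


def _match_dns(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, trailing dots ignored,
    and a single leading '*' label may stand in for exactly one host label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.example.com"-shaped patterns are accepted; no partial or
    # multi-level wildcards, and the wildcard may not cover a public suffix
    # level (we require at least two fixed labels after it).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert: dict, requested: str) -> bool:
    """Return True if the name the client asked for is covered by the cert.

    An IP literal is matched only against 'IP Address' SAN entries, a host
    name only against 'DNS' SAN entries. The commonName is consulted only when
    the certificate has no SAN extension at all (legacy behaviour).
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
            for kind, value in sans
        )

    dns_ids = [value for kind, value in sans if kind == "DNS"]
    if dns_ids:
        return any(_match_dns(d, requested) for d in dns_ids)

    # No SAN at all: fall back to the subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _match_dns(value, requested):
                return True
    return False


def explain(cert: dict, requested_names: list[str]) -> dict[str, str]:
    """Map each requested name to the verdict a 'Name Mismatch' check gives."""
    return {
        name: "ok" if name_matches(cert, name) else "name mismatch (reject)"
        for name in requested_names
    }


if __name__ == "__main__":
    # The two ways the server was reached in the thread: by IP and by FQDN.
    for name, verdict in explain(
        ESXI_CERT, ["172.27.10.11", "esxi01.mgmt.example.internal"]
    ).items():
        print(f"{name:35} -> {verdict}")
```

Running it prints `ok` for the IP and `name mismatch (reject)` for the FQDN, which is the behaviour observed in the thread; the lasting fix is a certificate on the ESXi host that lists the FQDN as a DNS SAN, rather than relaxing the inspection profile.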
