DPI error 19006: googleapis.com - Failure to pass SafetyNet validation.

Version: SFOS 18.0.0 EAP3-Refresh1

An environment under a generic firewall enforcement configuration. I have not applied the security configuration such as a web filter.

Android does not pass Google Play Services SafetyNet validation.

Has anyone reproduced this?

Validation can be passed to Android's cache. Please be careful about reproduction.

  • How to turn on additional (large size) logging.

    (Edited by Michael Dunn to remove steps. Turning on additional logging fills up the hard drive and slows down the system, and we don't want inexperienced people poring over detailed log files.)


    Anyone can download the log below.



    And the exclusion feature does not work for this error.



  • I am under the impression that Error 19006 is a known bug within the TLS engine.

    I have posted in another thread about this error and not seen any results.


    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  •  I have the same issue, but I just noticed it after reviewing this post. I sent you a PM earlier on something else. Let me know in that message if you want logs from me too on this, if it will help.


     thanks for your find.


    Public Service Announcement: I would advise that no one turn on logging via those steps unless you are working with a Sophos engineer. You could cause issues if you do not turn off logging. That is why you do not see those instructions posted in any forum. Sophos engineers only PM those steps, and there is a reason.



  • For the SafetyNet issues I believe we have determined the cause, thanks to log files that have been provided.  We do not yet have an ETA on the solution.


    I am under the impression that Error 19006 is a known bug within the TLS engine.


    19006 is a catch-all for many different underlying problems. Some of those underlying problems have been solved, some are changing to more specific errors, some are remaining as 19006.

  • Right now in order to have it working you must be using the web proxy, not DPI mode, for this traffic.
