Do not decrypt profile not working correctly?

I've got an Toon Thermostat, that creates an openVPN connection to the eneco datacenter for transmitting the usage data, as soon as i enable the SSL/TLS inspection the display shows "no connection to service center. I've created an rule that says "dont decrypt" for that specific host and even the complete network but still it fails on connecting, i guess this problem will occure for more iot devices when the SSL/TLS engine is turned on. When it doesnt connect there is nothing visible in the SSL/TLS inspection logviewe except from "do not decrypt"

  • Just to be sure:

    You are running EAP3 Refresh1? 

    Does it work, if you disable "all" SSL Rules? 

    __________________________________________________________________________________________________________________

  • Hi,

    I suspect that a bug that I thought was fixed in EAP3 refresh 1 still exists. I have been debugging a security camera installation for over a week and finally got it to work tonight by using the proxy in lieu of firewall rules with no features enabled - allow any, when refined it to the ports showing in the web logs issue started occurring. I was seeing lots of IPS issues, but nothing in the logs either IPS or TLS. Tonight I reviewed the GUI TLS errors and see a number of internal error 19006 for a number of applications.

    I also added URLs to the TLS exception list to no benefit.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • OpenVPN sends a couple of packets of its own protocol before actually initiating the TLS connection with a Client Hello packet. In EAP3-refresh we impose strict protocol restrictions on port 443 and port 80 to prevent their use for tunnelling arbitrary protocols, and these extra packets cause us to identify this as non-compliant.

    In EAP3 refresh, this issue can be fixed by taking the following steps:

    1. Log on to your firewall via ssh, or use the link in the Admin UI to open the device console (admin > Console, in the top right-hand corner)

    2. Select option 4 (Device Console)

    3. At the console> prompt, enter the following command:

    set http_proxy relay_invalid_http_traffic on