
"This site can’t be reached" after the Decrypt and scan function is enabled

Hi,

When I start the "Decrypt and scan" function in the firewall, some websites will have an error message.

This site can’t be reached

www.hotel-icon.com unexpectedly closed the connection.

Try:

  • Checking the connection
  • Checking the proxy and the firewall
  • Running Windows Network Diagnostics
ERR_CONNECTION_CLOSED

If I switch back to "URL filtering only", the website works again. Surely, the Local LAN Setting of the proxy is using "Automatic".

After checking the log, the website is "pass" with the "Decrypt and scan" function. Someone in this community had the same problem before, but with no result. Who can teach me how to fix it?

Log:

2018:12:14-11:49:06  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="101.100.216.166" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdf04a000" url="https://www.hotel-icon.com/" referer="" error="" authtime="0" dnstime="3" cattime="148" avscantime="0" fullreqtime="86089" device="0" auth="0" ua="" exceptions=""
2018:12:14-11:49:06  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="101.100.216.166" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe20cb800" url="https://www.hotel-icon.com/" referer="" error="" authtime="0" dnstime="1" cattime="49" avscantime="0" fullreqtime="87066" device="0" auth="0" ua="" exceptions=""
2018:12:14-11:49:06  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="101.100.216.166" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xde0f7800" url="https://www.hotel-icon.com/" referer="" error="" authtime="0" dnstime="3" cattime="75" avscantime="0" fullreqtime="77334" device="0" auth="0" ua="" exceptions=""

 

At the same time, I found that I can enter some free music websites but can't play the music with JavaScript. Also, the log shows "pass".

Log :

2018:12:14-12:57:10 httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="54.39.176.86" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdf875000" url="https://www.bensound.org/" referer="" error="" authtime="0" dnstime="2" cattime="119" avscantime="0" fullreqtime="442144" device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" categoryname="Education/Reference"
2018:12:14-12:57:10 httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="54.39.176.86" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe188e000" url="https://www.bensound.org/" referer="" error="" authtime="0" dnstime="1" cattime="95" avscantime="0" fullreqtime="444409" device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" categoryname="Education/Reference"

Thanks, Thanks and Thanks



This thread was automatically locked due to age.
  • Have you grabbed EVERYTHING from the source IP during that time period? Most commercial sites use content from unrelated locations, and failure to access embedded content can cause problems also. Without everything related to the source IP, you do not know if the secondary content loaded correctly or not.

    Normally, I see one of these:

    • Block with status 407 - authentication request. UTM is asking the browser to provide user credentials. This is normally satisfied by the browser, and a subsequent query passes, so it is only an error if the subsequent attempts always fail.
    • Block with error="connection refused". The other end decided that it did not want to talk to you. It may mean it could not negotiate an encryption configuration with UTM. I have seen this recently with webservers that have dropped support for all of the older encryption configurations.
    • Block with error="". UTM refused the connection because the server has problems with its certificate chain. Usually a missing intermediate certificate.
    • Block with statuscode or error indicating a "timeout". Check the IPS log to see if it blocked the webserver's reply. Of course, it could also mean that the webserver is no longer reachable.
    • Block with an error message indicating a problem with category or reputation. UTM is doing what you asked it to do.

    I do not think I have ever seen a status=200 and action=pass when the server has thrown an error. That is why I think you are missing a log entry.
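
Added example, not part of the thread: a Python script for the check the reply asks for, collecting every httpproxy entry for one source IP in a time window and sorting each into the outcome groups listed above. The sample lines, hostnames and addresses are constructed, and `action="block"` as the logged value for a blocked request is an assumption.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (not from the thread), same key="value" layout.
# action="block" as the value for blocked requests is an assumption.
SAMPLE = '''\
2018:12:14-11:49:06 httpproxy[1]: action="pass" method="CONNECT" srcip="192.0.2.10" statuscode="200" url="https://www.example.com/" error=""
2018:12:14-11:49:07 httpproxy[1]: action="block" method="GET" srcip="192.0.2.10" statuscode="407" url="http://cdn.example.net/a.js" error=""
2018:12:14-11:49:08 httpproxy[1]: action="block" method="CONNECT" srcip="192.0.2.10" statuscode="502" url="https://media.example.org/" error="Connection refused"
2018:12:14-11:49:09 httpproxy[1]: action="block" method="CONNECT" srcip="192.0.2.10" statuscode="500" url="https://static.example.org/" error=""
2018:12:14-11:49:10 httpproxy[1]: action="block" method="CONNECT" srcip="192.0.2.10" statuscode="504" url="https://slow.example.org/" error="Connection timed out"
2018:12:14-11:49:11 httpproxy[1]: action="pass" method="CONNECT" srcip="192.0.2.99" statuscode="200" url="https://other.example.com/" error=""
'''

def classify(f):
    """Map one parsed entry to the outcome groups listed in the reply."""
    err = f.get("error", "").lower()
    if f.get("action") == "pass":
        return "pass"
    if f.get("statuscode") == "407":
        return "auth request"          # only a problem if retries keep failing
    if "refused" in err:
        return "connection refused"    # possibly no shared encryption settings
    if "timeout" in err or "timed out" in err or f.get("statuscode") in ("408", "504"):
        return "timeout"               # check the IPS log as well
    if "category" in err or "reputation" in err:
        return "policy"
    return "certificate chain?" if err == "" else "other"

def everything_from(log_text, srcip, start, end):
    """Every entry for srcip between start and end: (time, host, outcome)."""
    rows = []
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        try:
            when = datetime.strptime(stamp, "%Y:%m:%d-%H:%M:%S")
        except ValueError:
            continue  # not an httpproxy line in the expected layout
        f = dict(FIELD.findall(rest))
        if f.get("srcip") == srcip and start <= when <= end:
            rows.append((when, urlsplit(f.get("url", "")).hostname, classify(f)))
    return rows

if __name__ == "__main__":
    t0, t1 = datetime(2018, 12, 14, 11, 49), datetime(2018, 12, 14, 11, 50)
    for when, host, outcome in everything_from(SAMPLE, "192.0.2.10", t0, t1):
        print(when.time(), host, outcome)
```

Run against the real log, any host other than the page's own that lands outside the "pass" group is the secondary content to look at first.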
