Hi,
I have an IPsec VPN between XG <--> UTM, all good and stable, but when I try to access webadmin on the remote UTM from the XG LAN, I often get timeouts in the browser, and sometimes some pages of the UTM work.
I am using the DPI engine and found out that if I disable DPI entirely, it works perfectly, so I looked into the logs.
These two tend to show up:
Dropped due to TLS engine error: SESSION_UNKNOWN[5]
Dropped due to TLS engine error: BAD_VERDICT[2]
My matching profile is "Do not encrypt".
I am running SFOS 18.0.0 GA-Build339.
Hi twister5800,
Are you trying to access the UTM on WAN IP address or LAN IP address?
Can you post your VPN rules from the XG?
Thanks,
-----
Best regards
Martin
Sophos XGS 2100 HA A/P - PROXMOX KVM - SG310 SW @ Home | Sophos v21 Technician
There was a bug about IP addresses: SSLx picks up traffic which it should not, because of IP addresses.
Are you using policy-based IPsec? If you access the WAN IP of the UTM, does it work? This is just to figure out whether the same connection going to the WAN works fine and only internal (behind policy-based) is affected.
__________________________________________________________________________________________________________________
Yes, policy based. I have now tried RED site2site, same result.
When accessing the WAN IP of the UTM, it still does not work :-(
-----
Best regards
Martin
Hi,
Can you point me in some direction to fix this, or shall I create a case?
-----
Best regards
Martin
Hi
If you are a licensed user, then yes, please create a case so that this can get debugged.
If disabling TLS makes everything work fine, then there must be something going on with the DPI engine.
Thanks!
KingChris
Community Support | Sophos Support