Technical Tip: Unable to open subpages with ERR_CONNECTION_CLOSED

When trying to open subpages of certain websites the it leads to the ERR_CONNECTION_CLOSED browser error.

The error below will be seen on the WAD debug:

fmt:idxIDX name idx=31, content-type:text/html; charset=utf-8 enc_len=18,huf=1
fmt:idxIDX name idx=34, etag:"1vcfqr2" enc_len=8,huf=1
fmt:idxIDX name idx=45, link:[E]2024-05-08 13:09:08.783724 [p:3192][s:66843225] wad_h2_parse_hdrs :770 conn=0x7f1230e790c0, hearder parsing error <<<<<<
[V]2024-05-08 13:09:08.783733 [p:3192][s:66843225] wad_h2_strm_task_end :402 h2_strm(0x7f123163dbb8) is closing

The root cause of this issue is that, in rare cases, the HTTP/2 headers sent by the server exceed the maximum header value length that WAD supports. When this occurs, WAD is unable to fully parse the headers, resulting in a header parsing failure (wad_h2_parse_hdrs : header parsing error) and immediate termination of the HTTP/2 stream (wad_h2_strm_task_end : h2 stream is closing).

From the browser’s perspective, this appears as an ERR_CONNECTION_CLOSED error. The issue is specific to HTTP/2 traffic, as HTTP/1.1 does not enforce the same header size limits. Enforcing HTTP/1.1 in the SSL/SSH inspection profile bypasses this limitation, preventing the connection from being closed.

To workaround the issue, enforce ALPN 1.1 in the SSL/SSH inspection profile.

config firewall ssl-ssh-profile
    edit <profile>
        set supported-alpn http1-1
    next
end