Andrew_Badge
New Member
March 28, 2007
Question

" The SSL session was blocked because the session ID was unknown.”

  • March 28, 2007
  • 5 replies
  • 5253 views
Hi Guys, We just upgraded our two 300A units from MR3 build 318 to MR3 build 410 ("stable release"). The units are in HA and we only have AV enabled due to an issue with content filtering and build 316 (note: we were told 410 would resolve this issue... waiting nearly 12 months now).

Anyway. After the upgrade we get the message "The SSL session was blocked because the session ID was unknown." for intermittent SSL connections. The browser shows "Error establishing an encrypted connection to https://secure.au.adp.com error code 12194." This error code means: SSL_ERROR_ACCESS_DENIED_ALERT -12194 "Peer received a valid certificate, but access was denied."

Some facts:
  • we made no config changes from build 318 to 410.
  • content filtering and the Fortinet content filter are NOT enabled.
  • "Block invalid URLs" is not enabled, nor are ANY HTTPS options at all.
  • the issue is intermittent but easily reproducible (refresh browser 3-4 times).

It was suggested this could be related to HA (Active-Active) and the session being lost between the units? Anyone got any ideas?

Andrew

    5 replies

    doshbass
    New Member
    March 28, 2007
    I had this problem as well, and never had time to resolve it. I ended up temporarily unchecking the HTTPS option. I have since left that company and it is probably still turned off.
    Andrew_Badge
    New Member
    March 28, 2007
    Thanks doshbass, I wish it were that easy, but we have never had these options turned on. Maybe I'll just leave and go on holiday ;-) Andrew
    John_Stoker
    Explorer
    March 28, 2007
    In the Protection Profile there is Web Filtering and FortiGuard Web Filtering. Are you sure that you don't have HTTPS checked in the Web Filtering section? This will cause your problem. I've seen it a lot. If you have any HTTPS check box enabled, whether in Web Filtering or FortiGuard Web Filtering, you may have problems with some SSL sites. We generally like to just make exceptions when needed by creating a rule that allows access to that particular domain with no protection profile or a less restrictive one. Have you tried access with no protection profile? Consider creating a rule to their site with no protection profile.
    Andrew_Badge
    New Member
    March 29, 2007
    Hi John, Yep, definitely checked that. In fact build 318 didn't have an HTTPS option, so the upgrade shouldn't have added these new options. I did tick them then untick just to be sure. The issue is gone if the rule doesn't have a protection profile, but our main source of problems is where clients hit a proxy, hence we can't stop AV without exposing all clients to viruses. Again... I'm starting to lean towards an HA issue (not really to do with AV or content filtering). I'm going to set the units to Active-Passive so they don't rely on the session state. "No new features........ Stability Now!" Andrew
    Contributor
    March 29, 2007
    Hi, I don't think it's an HA issue. I have a FG-60 with the same problem. As soon as I activate the HTTPS FortiGuard Web Filtering with log only, the same error appears in the log and some websites are randomly blocked.
    doshbass
    New Member
    March 30, 2007
    Hi Andrew, My units were in Active-Passive and I still had this problem.
    Contributor
    March 30, 2007
    I tried the following CLI command; it seems to work fine (prompts shown as on my unit, where the profile was called "scan"):

        # config firewall profile
        (profile)# edit "your_protection_profile_name"
        (scan)# set https allow-ssl-unknown-sess-id
        (scan)# end
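    As an added illustration (not part of this thread, and not Fortinet's code), the Python below models the check that produces the "session ID was unknown" log message. It assumes one plausible mechanism: a device inspecting HTTPS keeps a table of the TLS session IDs it saw a server hand out in ServerHello messages, and a ClientHello that tries to resume a session ID missing from that table is blocked unless the check is relaxed, as the allow-ssl-unknown-sess-id setting above does. That mechanism is an assumption for the example, not something the thread confirms about FortiOS internals. It replays both situations raised in the thread: a resumed session arriving at the HA peer that never saw the full handshake, and, equivalently for the standalone FG-60 case, a session the browser cached before inspection was enabled. The host name, session IDs and ClientHello bytes are constructed.

```python
"""Model of a "session ID unknown" check on an HTTPS-inspecting device.

Added example for this thread; not Fortinet code, and the tracking mechanism it
models is an assumption. All session IDs, host names and ClientHellos are
constructed here so the script runs offline.
"""
import struct
from typing import Optional

HOST = "secure.example"   # constructed stand-in for the site in the thread


def build_client_hello(session_id: bytes, server_name: Optional[str] = None) -> bytes:
    """Build a minimal, wire-correct TLS 1.2 ClientHello record."""
    body = struct.pack("!H", 0x0303) + bytes(32)        # client_version + fixed client random
    body += bytes([len(session_id)]) + session_id        # empty = full handshake, 32 bytes = resume
    suites = [0xC02F, 0x002F]                             # ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    if server_name is not None:                           # optional server_name (SNI) extension
        host = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host
        ext_data = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Parse a ClientHello record into version, session_id, cipher suites and SNI."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 1:
        raise ValueError("not a complete ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                                   # after 2-byte version + 32-byte random
    session_id = hello[35:35 + sid_len]
    off = 35 + sid_len
    cs_len = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + hello[off]                                 # skip compression methods
    sni = None
    if off < len(hello):                                  # extensions block is optional
        end = off + 2 + struct.unpack("!H", hello[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[off:off + 4])
            data = hello[off + 4:off + 4 + ext_size]
            if ext_type == 0:                             # server_name: list_len, type, name_len, name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
            off += 4 + ext_size
    return {"version": version, "session_id": session_id, "cipher_suites": suites, "sni": sni}


class SessionTracker:
    """Per-device table of session IDs observed in ServerHello messages (assumed model)."""

    def __init__(self, allow_unknown: bool = False):
        self.known = set()
        self.allow_unknown = allow_unknown             # the relaxed setting from the thread

    def record_server_hello(self, session_id: bytes) -> None:
        """This device saw the server assign a session ID during a full handshake."""
        self.known.add(session_id)

    def decide(self, record: bytes) -> tuple:
        """Return (verdict, reason) for a ClientHello passing through this device."""
        sid = parse_client_hello(record)["session_id"]
        if not sid:
            return ("allow", "full handshake; this device will see the ServerHello")
        if sid in self.known:
            return ("allow", "resumption of a session this device recorded")
        if self.allow_unknown:
            return ("allow", "unknown session ID permitted by configuration")
        return ("block", "session ID unknown")


def thread_scenarios() -> list:
    """Replay the situations discussed in the thread; returns the four verdicts."""
    unit_a, unit_b = SessionTracker(), SessionTracker()
    sid = bytes.fromhex("ab" * 32)                        # constructed ID assigned by the server
    verdicts = [unit_a.decide(build_client_hello(b"", HOST))[0]]   # 1. full handshake via unit A
    unit_a.record_server_hello(sid)                       #    A records the ServerHello's ID
    verdicts.append(unit_a.decide(build_client_hello(sid, HOST))[0])   # 2. refresh resumes via A
    # 3. Next refresh lands on unit B (active-active load sharing), or on a unit that only
    #    started inspecting after the browser cached the session: ID unknown, blocked.
    verdicts.append(unit_b.decide(build_client_hello(sid, HOST))[0])
    # 4. Same resumed ClientHello with allow-ssl-unknown-sess-id modelled as allow_unknown.
    verdicts.append(SessionTracker(allow_unknown=True).decide(build_client_hello(sid, HOST))[0])
    return verdicts


if __name__ == "__main__":
    print(thread_scenarios())   # ['allow', 'allow', 'block', 'allow']
```

    Usage note: relaxing the check, as in the CLI command above, makes the device accept resumptions it cannot tie to a handshake it inspected, so it removes these blocks at the cost of that correlation for every site. The other option raised earlier in the thread, a rule for the affected destination with no protection profile, keeps the check everywhere else but gives up AV scanning for that destination.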
    Contributor
    October 22, 2007
    Thanks for posting that.... just fixed my problem!