FortiGate
chefedinga
Staff
Article Id 354631
Description This article describes a possible troubleshooting action for ECH errors.
Scope FortiOS.
Solution

This applies when a website cannot be accessed because the browser reports the error 'ERR_ECH_NOT_NEGOTIATED'.

Possible workarounds for this issue are:

  1. Check whether the firewall policy uses flow-based inspection. If necessary, change it to proxy-based inspection mode.
  2. In v7.4.4 and later, the Encrypted Client Hello option under certificate inspection is set to 'Block' by default. Try setting Encrypted Client Hello to 'Allow'.

[Image: ECH_Allow_Block.PNG]

  3. If Deep Packet Inspection is used, check whether the 'ClientHello' packet is encrypted (verify this in a Wireshark capture). Try exempting the website that uses ECH; one example is exempting cloudflare-ech.com.
  4. Check whether the browser is using ECH: https://public.tls-ech.dev/. If ECH is being used, try using different DNS servers and disable DNS over HTTPS.
     • On Firefox, navigate to Privacy & Security -> Enable DNS over HTTPS Using -> Off.
     • On Chrome, disable TLS 1.3 Early Data under 'chrome://flags/'.
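Step 3 asks you to confirm in a capture whether the ClientHello carries ECH. The following added example (not Fortinet's code) parses a TLS ClientHello record and reports the outer SNI and whether the encrypted_client_hello extension is present; it builds its own constructed ClientHello bytes as input, and assumes the draft ECH extension codepoint 0xfe0d and cloudflare-ech.com as the sample outer name.

```python
import struct

SNI_EXT = 0x0000  # server_name extension
ECH_EXT = 0xFE0D  # encrypted_client_hello (draft-ietf-tls-esni codepoint, assumed)


def parse_client_hello(record: bytes) -> dict:
    """Return the outer SNI and whether the ECH extension is present in a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake record type
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                     # 0x01 = ClientHello message type
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                      # handshake header, legacy_version, random
    p += 1 + body[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]      # cipher_suites
    p += 1 + body[p]                                    # legacy_compression_methods
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0] # end of the extensions block
    p += 2
    info = {"sni": None, "ech": False}
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type == SNI_EXT:
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
        elif ext_type == ECH_EXT:
            info["ech"] = True                          # the real (inner) hostname is encrypted
    return info


def build_client_hello(sni: str, with_ech: bool) -> bytes:
    """Constructed minimal ClientHello record for testing; not a real browser capture."""
    name = sni.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if with_ech:
        ech = b"\x00" * 16                              # opaque ECH payload stand-in
        exts += struct.pack("!HH", ECH_EXT, len(ech)) + ech
    body = (b"\x03\x03" + b"\x00" * 32                  # legacy_version, client random
            + b"\x00"                                   # empty legacy_session_id
            + b"\x00\x02\x13\x01"                       # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                               # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # With ECH the firewall sees only the public outer name; the real hostname is hidden.
    print(parse_client_hello(build_client_hello("cloudflare-ech.com", True)))
```

When the result shows `ech` as True, the SNI you see is the public outer name, which is why the exemption in step 3 targets that name rather than the site actually being visited.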

Note:

If the issue persists, open a TAC ticket, providing all of the necessary logs for analysis.