Hi,
I'm having an issue in the network where we're trying to set up a Bloomberg test connection from one of our local servers. The setup is pretty straightforward:
1. stunnel to load the cert from bloomberg
2. local app to trigger the traffic
This setup works perfectly fine in our Production environment but fails miserably at our UAT. The main error that we keep seeing is TCP_reset_from_client whenever we try to initiate a connection towards them. Bloomberg insists that we're doing something wrong on our network even though we've turned off the SSL cert inspection and allowed all services to pass through.
My question is, does Fortigate manipulate cert traffic in any way, shape or form? Has anyone experienced this kind of error where a cert you're sending is getting dropped?
Thanks
Certificate packets can be of large size, and fragmentation/MTU can come into the picture and drop them. If we can take a packet capture on the ingress and egress interfaces and compare, it will give us a better idea of what is happening.
Hello,
As certificates are large, they are usually segmented into multiple TCP packets. These packets will usually have the DF (don't fragment) bit set to 1. Most probably the client might not have received the complete SSL/TLS server hello packet with the entire certificate, hence it could be sending the RST packet. This is a common issue in the network. So, as @srajeswaran mentioned, it is better to take a packet capture and check this. If this is the issue, then we can change the MSS settings in the policy so that a smaller TCP segment size packet can be sent, which could prevent the drop of the packet due to fragmentation in your network. Please note that this may not be an issue with the firewall.
Regards,
Shiva
Thanks. I've captured the packet below for reference.
Who causes the RST from the packet below? source or destination?
Thanks
10.70.56.119 is sending the RST (source). Also, the connection is reset before any certificate exchange, so the issue may not be related to the certificate. Can you confirm from which interface this capture is taken? The interface between Fortigate and Internet, or Fortigate and LAN? You may take similar captures from the internal interface and external interface to confirm the behavior.
That one is the closest to the destination; after that it's the Bloomberg router at the prem (colocated).
I have a packet capture closest to the source as well
As per this capture there is a Client Hello, as expected, but this packet is missing in the first capture (mostly getting dropped by a firewall/proxy). Can you take a pcap on the Fortigate internal interface? If the Client Hello is coming to Fortigate, then Fortigate is dropping it and we need to run additional debugs.
Created on 03-05-2024 05:15 PM Edited on 03-05-2024 05:26 PM
Hi,
This one is the gateway of the UAT server
This one is the firewall at the DMZ which is directly after the meraki firewall above.
The flow is UAT Server (10.70.56.119) --> Meraki Internal Firewall --> Fortigate Firewall --> Bloomberg.
Thanks