Support Forum
sforbus
New Contributor

ERR_SSL_PROTOCOL_ERROR on Google Chrome

We are having a bizarre problem since updating to 6.2.1 (we updated due to a memory leak issue in 6.2.0).

 

Certain sites are giving us an ERR_SSL_PROTOCOL_ERROR only in Google Chrome. I have tried all the usual troubleshooting for this error, but the only thing that fixes it is restarting the FortiGate. Two sites (facebook.com and login.renweb.com) both use TLS 1.3, but we can get to facebook without a problem and we cannot get to the other site. After rebooting the device, it works for several days and then starts behaving poorly again.

 

Other browsers work fine, including Internet Explorer, Edge (not Chromium based) and Firefox.

 

I have attempted to disable SSL certificate inspection, but that does not seem to affect the problem one way or another. I also tried putting the FortiGate back on its factory certificate.

 

My next step will be to revert to 6.0 branch, where I did not experience this issue, but I figured I would post first to see if anyone had similar experiences.

 

2 Solutions
emnoc
Esteemed Contributor III

Has anybody used curl against these sites? Inspect the certificate and if you see any stale cert, clear them. You can also test in an incognito window and see if the problem exists.

 

It sounds like a browser issue. FWIW, I checked all of those sites from FortiOS v6.2.3 and see no issues using Chrome on Windows { Version 78.0.3904.87 (Official Build) (64-bit) }

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

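The curl suggestion above can be turned into a repeatable check. The following is an added example, not code from emnoc's post or from Fortinet: a small Python probe that opens one connection capped at TLS 1.2 and one that insists on TLS 1.3, then reports the negotiated version, the issuer of the leaf certificate, and a diagnosis. A handshake that succeeds at TLS 1.2 but dies only at TLS 1.3 points at something on the path rather than at the browser, which is the pattern the TLS 1.3 workaround later in this thread addresses; an issuer CN that matches your FortiGate's inspection CA tells you the device is re-signing that session. The host, the label strings and the diagnosis wording are assumptions of this example.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Version windows for the two probes (TLS 1.3 requires OpenSSL 1.1.1 or newer).
TLS12_WINDOW = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
TLS13_WINDOW = (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3)


@dataclass
class ProbeResult:
    label: str
    ok: bool
    negotiated: Optional[str] = None   # e.g. "TLSv1.2", from SSLSocket.version()
    issuer_cn: Optional[str] = None    # issuer CN of the leaf certificate
    error: Optional[str] = None


def make_context(minimum: ssl.TLSVersion, maximum: ssl.TLSVersion) -> ssl.SSLContext:
    """Default client context (system trust store, hostname check) pinned to one version window."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx


def issuer_common_name(cert: dict) -> Optional[str]:
    """Pull the issuer CN out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe(host: str, label: str, window, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """One TCP connect plus one TLS handshake inside the given version window."""
    ctx = make_context(*window)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ProbeResult(label, True, tls.version(), issuer_common_name(tls.getpeercert()))
    except (ssl.SSLError, OSError) as exc:
        # Handshake or transport failure: record it instead of raising so both probes always run.
        return ProbeResult(label, False, error=str(exc))


def diagnose(tls12: ProbeResult, tls13: ProbeResult) -> str:
    """Turn the pair of results into the question you should ask next."""
    if tls12.ok and tls13.ok:
        return "both-ok: look at the browser or its cache, not the network path"
    if tls12.ok and not tls13.ok:
        return "tls13-only-failure: something between client and server mishandles TLS 1.3"
    if tls13.ok and not tls12.ok:
        return "tls12-only-failure: server or policy refuses TLS 1.2"
    return "unreachable: both handshakes failed"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target, pass your own
    r12 = probe(host, "tls1.2-max", TLS12_WINDOW)
    r13 = probe(host, "tls1.3-min", TLS13_WINDOW)
    for r in (r12, r13):
        print(f"{r.label}: ok={r.ok} version={r.negotiated} issuer={r.issuer_cn} error={r.error}")
    print(diagnose(r12, r13))
```

Run it from a client behind the FortiGate and again from outside; only the inside run should show the inspection CA as issuer when deep inspection is on. The same two handshakes can be done with curl using `curl -v --tls-max 1.2 https://HOST/` and `curl -v --tlsv1.3 https://HOST/`.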
Cibura
New Contributor III

Quick update, I believe we solved the problem, or at least my problem. I haven't fully vetted this out yet, but so far, so good.

 

All of my static URL Web Filters end with:

* wildcard block

 

I changed it to:

[^.] regex block

 

and now everything works as it should. Wanted to get this out there ASAP in case it helps anyone.
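To see what the two catch-all entries above actually match, here is an added example that is not part of Cibura's post and not FortiOS code: a simplified Python model of a static URL filter list. The model assumes (labelled as such in the code) that entries are evaluated top-down against the hostname and the first match wins, that `simple` is an exact match, `wildcard` is shell-style globbing and `regex` is a regular-expression search. Under that model `*` and `[^.]` match every non-empty hostname, so the two lists make identical decisions; it also shows why the catch-all has to sit last. The sample hostnames and the exempt entries are constructed for the example.

```python
import fnmatch
import re
from typing import List, Tuple

# (type, pattern, action) triples. The lists are constructed to mirror the post:
# exemptions first, catch-all block last. Evaluation order and match semantics
# are assumptions of this model, not a statement about the FortiOS engine.
Entry = Tuple[str, str, str]

FILTER_WILDCARD: List[Entry] = [
    ("simple", "mail.google.com", "exempt"),
    ("wildcard", "*.renweb.com", "exempt"),
    ("wildcard", "*", "block"),          # original catch-all
]
FILTER_REGEX: List[Entry] = [
    ("simple", "mail.google.com", "exempt"),
    ("wildcard", "*.renweb.com", "exempt"),
    ("regex", "[^.]", "block"),          # replacement catch-all from the post
]

SAMPLE_HOSTS = ["mail.google.com", "login.renweb.com", "www.facebook.com", "example.com", "localhost"]


def entry_matches(kind: str, pattern: str, host: str) -> bool:
    """Match one entry against a hostname under the simplified semantics above."""
    if kind == "simple":
        return host == pattern
    if kind == "wildcard":
        return fnmatch.fnmatchcase(host, pattern)
    if kind == "regex":
        return re.search(pattern, host) is not None
    raise ValueError(f"unknown entry type {kind!r}")


def decide(filters: List[Entry], host: str, default: str = "allow") -> str:
    """First matching entry wins; no match falls through to the default action."""
    for kind, pattern, action in filters:
        if entry_matches(kind, pattern, host):
            return action
    return default


def compare(hosts: List[str] = SAMPLE_HOSTS) -> dict:
    """Decision per host under both lists, to confirm the catch-alls are equivalent."""
    return {h: (decide(FILTER_WILDCARD, h), decide(FILTER_REGEX, h)) for h in hosts}


def catch_all_first(host: str) -> str:
    """Same entries with the catch-all moved to the top: the exemptions are shadowed."""
    misordered = [FILTER_WILDCARD[-1]] + FILTER_WILDCARD[:-1]
    return decide(misordered, host)


if __name__ == "__main__":
    for host, (wild, rx) in compare().items():
        print(f"{host:20s} wildcard={wild:6s} regex={rx:6s}")
    print("mail.google.com with catch-all first:", catch_all_first("mail.google.com"))
```

Because both lists decide every sample host the same way, the improvement reported in the post comes from how the device handles a regex entry versus a wildcard entry, not from a change in which hosts are blocked; keep that in mind when you pass the finding to TAC.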

37 Replies
ShawnZA

Yeah all 6.2.* versions are full of bugs.

We get the SSL error while accessing allowed sites.

Are your policies set to proxy mode or flow mode?

Jirka1
Contributor III

ShawnZA wrote:

Yeah all 6.2.* versions are full of bugs.

We get the SSL error while accessing allowed sites.

Are your policies set to proxy mode or flow mode?

I tried both the flow and the proxy. The allowed sites work great; the problem is only for FortiGuard-blocked sites. Jirka

Cibura
New Contributor III

Hi all, I've been following this thread since the beginning. I have 15 locations, each with a FortiGate 60E or 90D. I use URL filtering exclusively. Accessing Gmail on Chrome is a problem on 6.0.6 all the way up to current 6.2.3. I have tested this in my lab, on a brand new 60E, with a brand new laptop connected as the only client, in a sterile environment, with nothing programmed into the FortiGate except 1 policy for web access with URL filtering. I can duplicate the problem easily, and have tried every suggestion in the thread without success. I do not have this issue on other browsers.


tanr
Valued Contributor II

Definitely pass the info on to TAC.

ghondareyte

Hi! I would like to know if you have some answer from the TAC? I have exactly the same problem with a customer in FortiOS 6.2.3 with DeepInspection.

 

Thanks!

 

ghondareyte

Hi! The solution given by Fortinet's TAC was to block the service "SSL_TLS v1.3" in the Application Control profile of the user groups where Deep Inspection was applied. After this change in the App Control profile, the issue was solved.

 

sensible

Hey

 

(usually I lurk, but had to create an account to thank you)

 

I know this is an old thread. But this seems to have literally saved me from wasting countless days (30-40 hours minimum) that I've been spending on this.

I have a case open with the TAC. They are completely useless. I haven't had them actually resolve a single issue to date. But that's another issue....

I cannot believe this is still a thing they haven't addressed/fixed. Nor has the TAC mentioned this solution at all. I have tried several versions in 6.0.x on several of our production VM01s, and on my 60E (lab/home).

 

I was only seeing this issue with "FLOW MODE" web filtering. And mainly with Google Chrome.

 

Some segments on our network rely solely on STATIC only web filter profiles. No fortiguard. And nothing was working. I was trying every combination of "simple" and adding wildcards and multiple combinations of the same urls, not to mention regular expressions (for allowing simple domains).

I was constantly seeing "blocked" in my logs for several urls that were clearly allowed/exempted.

 

It didn't dawn on me to try a regex variation for the "block" @ the end of my list.

This helped me sort out my issue too. 

I also noticed my above issue with Chrome was intermittent. I realised if I tested some sites in Edge, then switched to Chrome, it would work on/off. This could be related to caching.

 

Cheers man. You're a saint.

Really appreciate it.

 

I'll be sure to link this thread to my TAC agent.

 

 

Does anyone know how to ensure the "block" page shows for https blocks? I can't seem to get it to show. It works with PROXY mode profile, but not flow.

Note: I am using regular cert inspection (the default CA of my device) and imported the cert into my Windows cert store, but it doesn't even attempt to show up.

 

 

 
