Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
muiz101
New Contributor

HTTPS Timeout but http can access

Hi,

I'm new to this Fortigate Firewall. I have an issue regarding Firewall 500D which user can access url by using HTTP but HTTPS cannot access. The page shown was not Fortigate Blocking page but it says The Site Can't Be Reached. My firewall firmware version is v5.2.10,build742 (GA). I'm new here so any more specific detail, I try to provide.

 

Thank You

P/S: sorry for my bad english

4 REPLIES 4
emnoc
Esteemed Contributor III

Qs:

 

Have you use a 3rd party to confirm  HTTPS is working on that site? Do you have a policy allowing the webclient to the HTTPS website? Do you have any diag debug flow showing the traffic matching and if any SNAT  if applicable? Are you 100% sure the client is not mis-configure or has some proxy configuration left over that's not warrant

 

i would start with a cli-cmd diag debug flow and filter and follow  the evidence, but you have to  start some diagnostic and collections

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
muiz101
New Contributor

The website can be access from different network using the https url. Can be access from smartphone. The policy from firewall allow https. All https website can be access but only this website can't be access using https. All of the users can't access the https url. The log traffic from the website as the https action become timeout but http can be access.

 

This is the diag debug flow I have execute.

 

vtag->sip[0] 8328bbd2, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0

    vtag->sport 37062, vtag->mtu 1500, vtag->flags 2, vtag->np6_index 192"

id=20085 trace_id=140 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.25.60:50834->23.15.10.87:54448) from port9. flag , seq 3396418449, ack 0, win 8192"

id=20085 trace_id=140 func=init_ip_session_common line=4631 msg="allocate a new session-003291b1"

id=20085 trace_id=140 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-210.187.40.190 via port11"

id=20085 trace_id=140 func=fw_forward_handler line=686 msg="Allowed by Policy-202: SNAT"

id=20085 trace_id=140 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.25.60->210.187.40.131:50834"

id=20085 trace_id=140 func=np6_hif_nturbo_build_vtag line=791 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 133, vtag->vid 0

    vtag->sip[0] 8328bbd2, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0

    vtag->sport 37574, vtag->mtu 1500, vtag->flags 2, vtag->np6_index 192"

id=20085 trace_id=141 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.25.60:50832->23.15.10.87:54448) from port9. flag , seq 2322171440, ack 0, win 8192"

id=20085 trace_id=141 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-0032919f, original direction"

id=20085 trace_id=141 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.25.60->210.187.40.131:50832"

id=20085 trace_id=141 func=np6_hif_nturbo_build_vtag line=791 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 133, vtag->vid 0

Nicholas_Doropoulos

In addition to Emnoc's questions, we would definitely need more information about this.

 

1) Is it just a single or multiple HTTPS sites that you have this symptom with?

 

2) Does the problem occur with multiple browsers?

 

3) Have you identified the policy that matches the traffic towards the HTTPS sites? If yes, by right-clicking it you should jump straight to its relevant logs so you can share them with us.

 

4) Have you configured SSL Inspection on that policy?

 

5) The users affected. Do they all belong to the same group, subnet, vlan etc or not?

 

6) Is this a new issue? If yes, have there been any changes on your FGT at all lately?

 

Thanks.

 

 

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
François
New Contributor III

Hi,

 

I think you use web filter and some categories are blocked. I have same issue with my fortigate. If url is not allow you have an https error and if you try to continue you received a message of fortigate with the reason.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors