Not able to access HTTPS websites

I am having problems accessing certain (not all) SSL websites behind a FortiGate 110c running 4.0 MR2. Sites I cannot access include gmail.com and a local banking website. It is quite odd because last week I was unable to access gmail.com and Firefox would give the error: "Connection Interrupted". Today in the morning I was able to access the sites for a few hours; however, within an hour of the last successful access I could no longer access the sites and Firefox would give the error: "The connection was reset." During this time-frame no changes were made to the FortiGate, which is why it is weird that all of a sudden the sites would go from not working, to working, then back to not working. Anyone have any idea what could be causing this or where to start troubleshooting?
rwpatterson
Valued Contributor III

What does the sniffer indicate?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ibm_ioman

Exactly the same: "unreachable - need to frag (mtu 1428)" again. This sniffer is run on port8, to which the recorder is directly connected. My way is: vpn (on wan1) -> port8
rwpatterson
Valued Contributor III

Sorry. I'm a bit rusty with this. I do know that the VPN tunnel adds a bunch of bytes to the Ethernet packet. I'm trying to remember where to apply which setting.
tcp-mss = maximum segment size before encoding (I believe)
MTU = Max Transmission Unit
If your traffic goes through both ports, then setting the size on either will do. That's why I always pick the VPN. Other interfaces may be able to use the full 1500.
NOTE*: I just realized that the recorder is the only device on port8. Should be OK then to drop the size there...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ibm_ioman

So you say to set mtu 1400 and tcp-mss 0 ... on which interfaces exactly? wan1? vpn? port8?
L.E.: I now understand that you already responded: set these values on the VPN interfaces, because the others should use the maximum potential ... still, setting mtu 1400 and tcp-mss 0 didn't do anything ...
rwpatterson
Valued Contributor III

tcp-mss 0 means nothing goes out. That's bad. Since it seems the VPN is the only affected interface, this is where I would apply any TCP/MTU settings.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ibm_ioman

I didn't set tcp-mss manually, I just unset it ... to what value should I set tcp-mss?
rwpatterson
Valued Contributor III

Try another PING first. If it was set to 0, that may have fixed it. If not, try tcp-mss 1300. That should be small enough to cover everything else that gets added.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ibm_ioman

So, tcp-mss is set to 1300 on port8, mtu-override is disabled, ping with 1400 works, with 1401 it doesn't, no change with the recorder. On other ports, through which traffic is flowing without any problem, tcp-mss is set to 0, which I believe is the default value.
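The two measurements in this exchange (the sniffer's "need to frag (mtu 1428)" message and the ping test that passes at 1400 bytes but fails at 1401) describe the same path MTU, and the tcp-mss value only helps if a full segment plus IPv4 and TCP headers fits under it. The script below is an added example, not code from the thread or from Fortinet: it parses constructed sniffer lines modelled on the quoted wording, converts the largest passing ping payload into a path MTU (payload + 8-byte ICMP header + 20-byte IPv4 header), and reports whether a given tcp-mss setting fits. The sample sniffer text, addresses and the assumption that tcp-mss 0 means "no clamping, the client's advertised MSS stands" are this example's own.

```python
import re
from typing import Iterable, Optional

# Protocol header sizes used for the arithmetic: IPv4 without options, TCP
# without options, and the ICMP echo header. Standard values, not from the thread.
IPV4_HEADER = 20
TCP_HEADER = 20
ICMP_ECHO_HEADER = 8

# Matches the "need to frag (mtu NNNN)" wording that the FortiGate sniffer
# prints for ICMP "fragmentation needed" messages, as quoted in the thread.
NEED_FRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")


def path_mtu_from_frag_messages(lines: Iterable[str]) -> Optional[int]:
    """Smallest MTU announced by any 'need to frag' line, or None if none seen."""
    mtus = [int(m.group(1)) for line in lines if (m := NEED_FRAG_RE.search(line))]
    return min(mtus) if mtus else None


def path_mtu_from_ping(largest_ok_payload: int) -> int:
    """Path MTU implied by the largest ICMP echo payload that still passes with
    the don't-fragment bit set (payload + ICMP echo header + IPv4 header)."""
    return largest_ok_payload + ICMP_ECHO_HEADER + IPV4_HEADER


def recommended_tcp_mss(path_mtu: int) -> int:
    """Largest TCP payload that fits in one unfragmented packet on that path."""
    return path_mtu - IPV4_HEADER - TCP_HEADER


def effective_mss(configured_mss: int, client_mss: int) -> int:
    """MSS the client ends up with. Assumption of this example: a configured
    value of 0 means no clamping, so the client's own advertised MSS
    (1460 on a 1500-byte LAN) stands; otherwise the smaller value wins."""
    return client_mss if configured_mss == 0 else min(configured_mss, client_mss)


def mss_fits(mss: int, path_mtu: int) -> bool:
    """True if a full-sized segment with this MSS needs no fragmentation."""
    return mss + IPV4_HEADER + TCP_HEADER <= path_mtu


# Constructed sample sniffer output, modelled on the wording quoted in the thread;
# addresses are documentation ranges, not anything from the poster's network.
SAMPLE_SNIFFER = """\
port8 in 10.0.8.20.49152 -> 192.0.2.10.443: syn 1234567 mss 1460
wan1 in 198.51.100.1 -> 10.0.8.20: icmp: 192.0.2.10 unreachable - need to frag (mtu 1428)
port8 in 10.0.8.20.49152 -> 192.0.2.10.443: psh 1234568 ack 7654321
"""


def analyse(sniffer_text: str, largest_ok_ping_payload: int, configured_mss: int,
            client_mss: int = 1460) -> dict:
    """Combine both measurements and report whether the clamp is sufficient."""
    from_icmp = path_mtu_from_frag_messages(sniffer_text.splitlines())
    from_ping = path_mtu_from_ping(largest_ok_ping_payload)
    # Take the most conservative figure when both sources are available.
    path_mtu = min(x for x in (from_icmp, from_ping) if x is not None)
    current = effective_mss(configured_mss, client_mss)
    return {
        "path_mtu": path_mtu,
        "current_mss": current,
        "current_fits": mss_fits(current, path_mtu),
        "recommended_tcp_mss": recommended_tcp_mss(path_mtu),
    }


if __name__ == "__main__":
    # Compare the unclamped default against the 1300 suggested in the thread.
    for mss in (0, 1300):
        print(f"tcp-mss {mss}:", analyse(SAMPLE_SNIFFER, 1400, mss))
```

With the thread's numbers both sources agree on a path MTU of 1428, so any tcp-mss up to 1388 fits; 1300 is comfortably below that, which is why a remaining problem with the recorder is unlikely to be a plain MSS issue on port8 once that clamp is in place, and the sniffer should be checked for traffic that is not TCP (clamping does nothing for UDP or ICMP) or for fragmentation happening on a different hop.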
rwpatterson
Valued Contributor III

I'm out of ideas. Sorry.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Maik
New Contributor II

Hi Mike,
From your posts I read that you are using: Internet Explorer 6 and the HTTPS Deep Scan option. In case you have no problems accessing those websites with another browser (IE7, IE8), then change the following settings:
config firewall ssl setting
    set ssl-send-empty-frags disable
end
regards
Maik