mcdaniels
New Contributor

PR_CONNECTION_RESET_ERROR only happening @ one provider

Hi folks,

I am trying to find a problem which suddenly appeared today. We have not changed any configuration on our network.

Suddenly, websites hosted at one Austrian provider (where our homepage is hosted) do not open anymore.

They only give a PR_CONNECT_RESET_ERROR in Firefox, and do not open in Edge either.

This is what the sites do when I try via curl:

curl -vv https://www.pc-howto.com
* Rebuilt URL to: https://www.pc-howto.com/
* Trying 81.19.159.68...
* TCP_NODELAY set
* Connected to www.pc-howto.com (81.19.159.68) port 443 (#0)
* schannel: SSL/TLS connection with www.pc-howto.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 181 bytes...
* schannel: sent initial handshake data: sent 181 bytes
* schannel: SSL/TLS connection with www.pc-howto.com port 443 (step 2/3)
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.pc-howto.com port 443
* Send failure: Connection was aborted
* schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)
* schannel: clear security context handle
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

If I try from outside our network (without our FortiGate), it works.

If I turn off all filters on the policy used for my client, the connection still does not work.

I am running out of ideas now.

Any help, hint or tip is very welcome....
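The curl trace above shows the TCP three-way handshake completing and the connection dying only after the ClientHello was sent. The following probe, added here as an example and not part of the original post, labels exactly that failure mode and separates it from "port closed", "SYN dropped" and "certificate rejected", and it can bind to a chosen local source address so the same test can be repeated per public IP (the test the replies below suggest). The local "reset server" is a constructed stand-in for a host that accepts TCP and then resets the connection on the first TLS record; the result labels and the hostname/source-IP values in the `__main__` block are this example's own assumptions.

```python
"""
TLS reachability probe: tells apart the failure modes behind curl's
"failed to receive handshake" and Firefox's PR_CONNECT_RESET_ERROR.

Added example, not code from the forum thread. Result labels, the
local reset server and the sample hostnames are this example's own.
"""
import socket
import ssl
import struct
import threading
from typing import Optional


def probe_tls(host: str, port: int = 443, source_ip: Optional[str] = None,
              timeout: float = 5.0, verify: bool = True) -> str:
    """Open TCP, then run a TLS handshake, and label what happened.

    source_ip binds the outgoing socket to one specific local address, so the
    probe can be repeated from each public address a firewall can SNAT to.
    """
    ctx = ssl.create_default_context()
    if not verify:                      # only for the local test server
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    src = (source_ip, 0) if source_ip else None
    try:
        raw = socket.create_connection((host, port), timeout=timeout,
                                       source_address=src)
    except ConnectionRefusedError:
        return "tcp_refused"            # RST to the SYN: nothing listening
    except socket.timeout:
        return "tcp_timeout"            # SYN dropped: filtered on the path
    except OSError as exc:
        return f"tcp_error:{exc.errno}"
    try:
        with ctx.wrap_socket(raw, server_hostname=host,
                             do_handshake_on_connect=False) as tls:
            tls.do_handshake()          # sends ClientHello, waits for ServerHello
            return "tls_ok"
    except ssl.SSLCertVerificationError:
        return "tls_cert_error"         # handshake ran; certificate rejected
    except ssl.SSLEOFError:
        return "closed_during_handshake"  # clean FIN after the ClientHello
    except ConnectionResetError:
        return "reset_during_handshake"   # RST after the ClientHello: the thread's symptom
    except ssl.SSLError as exc:
        return f"tls_error:{exc.reason}"
    except socket.timeout:
        return "tls_timeout"            # ClientHello silently dropped


def start_reset_server() -> int:
    """Constructed stand-in for a host that accepts TCP but resets the
    connection as soon as the ClientHello arrives. Serves one connection;
    returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)                 # wait for the ClientHello
        # SO_LINGER with a zero timeout makes close() emit RST instead of FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                        struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A localhost port nothing listens on, for the tcp_refused case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_reset_server()
    print("local reset server:", probe_tls("127.0.0.1", port, verify=False))
    # Real run, one line per public source address (addresses are placeholders):
    # "reset_during_handshake" from one address and "tls_ok" from another points
    # at an address-based block at the far end, not at the firewall's own filters.
    # print(probe_tls("www.pc-howto.com", 443, source_ip="203.0.113.10"))
```

Run it from a host that owns several public addresses (or behind a firewall that SNATs different clients to different addresses) and compare the labels; a `reset_during_handshake` that depends only on the source address is the signature of an IP-based block on the server side.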

boneyard
Valued Contributor

mcdaniels wrote:

If I try from outside our network (without our FortiGate), it works.

Are you still coming from the same IP address as when you come through the FortiGate?

If you are going from another network, can you check whether your non-working traffic arrives at the server?

I'm kind of expecting an issue at the other side here, but you need to see how to confirm that.

mcdaniels

Hi,

I am coming over a 4G connection from a smartphone, for example (not the same IP) -> then it works.

I have very limited access to the logs (of the website hoster). I have to double-check it.

A friend of mine is coming from a completely different network -> it works.

If the situation is: my network -> FortiGate -> my provider -> webspace provider -> it is not working.

If I use: single PC -> my provider -> webspace provider -> it works.

This is the Wireshark log (another website, same hoster, same behavior). If I see it right, the RST is coming from the hoster's side:

boneyard
Valued Contributor

It is difficult to say for sure, but there is a chance the hoster is blocking you for some reason. As you have a website there, I would at least reach out and ask them to check.

Where is that capture taken? If it is on the FortiGate, then yes, it might be the hoster. If it is on a client, then it could also be the FortiGate.

Does the FortiGate logging show anything for these requests?

mcdaniels

I asked the hoster multiple times. He always says: it works when we try to connect. Very hard to discuss this with the support.

The Wireshark log is taken directly on the client, which is behind the FortiGate unit.

192.168.10.210 -> client behind the FGT

I see it in FortiView -> Destinations / or Sources... but there is only a small amount of data being exchanged.

I have no blocking messages in any filter or in the SSL log.

I just sniffed with the FGT packet capture. This happens if I initiate the connection on the client. (This is what the FGT unit does at the WAN1 port.)

81.19.159.68 = hoster
mcdaniels

This is the sniffing directly on the FGT (sniffing the LAN port), if I initiate the connection from the client:

This repeats over and over again, until the browser says that the page cannot be opened / PR_CONNECTION_RESET.

emnoc
Esteemed Contributor III

I'm suspecting they are blacklisting your address, based on what I see. Also, not sure of your env, but if you have multiple addresses or interfaces, try sourcing the client with that address and try (src-nat in the policy and an IP pool, or egress interface SNAT).

Ken Felix

PCNSE
NSE
StrongSwan
mcdaniels

Hi,

Thanks for all your answers. I will see what support (of the webhoster) tells me tomorrow. This is very weird. I have no idea what happened here.

Hm. I am not 100% sure what exactly you mean, @emnoc: I have multiple official IP addresses. I assume you mean that I should give one client "another" address on the WAN side? Correct? So I will see whether our official IP is blocked at the provider?

mcdaniels

Dear experts,

I managed to do a SNAT and used a different WAN IP. Used it only for one client to test.

After switching the IP, all websites work. So I assume you were 100% right with your guess:

Our official IP (used for all clients) is blocked by the webhoster. Unfortunately I have not received a reply from them.

Time to move on and switch the hoster, or go back to self-hosting.

Thanks for your help!
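The test emnoc suggested and mcdaniels carried out (SNAT one client to a spare public address via an IP pool, then re-check) looks like the following FortiOS CLI fragment. This is an added example, not configuration from the thread: the client address 192.168.10.210 and the hoster address 81.19.159.68 are taken from the posts, while the interface name `internal`, the object names and the spare public address 203.0.113.20 are placeholders to replace with your own.

```text
# Address object for the one test client
config firewall address
    edit "test-client"
        set subnet 192.168.10.210 255.255.255.255
    next
end

# IP pool holding the spare public address (placeholder value)
config firewall ippool
    edit "alt-wan-ip"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end

# Policy for the test client only; NAT uses the pool, not the WAN1 address.
# After "edit 0" note the ID FortiOS assigns, then move the policy above the
# general outbound policy (e.g. "move <new-id> before <general-id>"), because
# policies match top-down and the general one would otherwise win.
config firewall policy
    edit 0
        set name "test-client-alt-snat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "test-client"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "alt-wan-ip"
    next
end

# Verify on the WAN side that the SYN now leaves with the pool address as
# source, and whether the RST still comes back from the hoster
diagnose sniffer packet wan1 'host 81.19.159.68 and port 443' 4
```

If the sniffer on wan1 shows the SYN leaving from the pool address and the TLS handshake completing, while the same client sourced from the regular WAN address still gets an RST right after the ClientHello, the block is keyed on the source address at the far end; the firewall's own UTM profiles were already ruled out by disabling them. Remove the test policy afterwards, or widen it deliberately if the spare address is to become the normal egress address.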
