Hi folks,
I am trying to find a problem which suddenly appeared today. We have not changed any configurations at our network.
Suddenly websites hosted at one Austrian provider, where our homepage is hosted, do not open anymore.
They only give a PR_CONNECT_RESET_ERROR in Firefox, and they do not open in Edge either.
Sites are doing this when I try via curl:
curl -vv https://www.pc-howto.com
* Rebuilt URL to: https://www.pc-howto.com/
* Trying 81.19.159.68...
* TCP_NODELAY set
* Connected to www.pc-howto.com (81.19.159.68) port 443 (#0)
* schannel: SSL/TLS connection with www.pc-howto.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 181 bytes...
* schannel: sent initial handshake data: sent 181 bytes
* schannel: SSL/TLS connection with www.pc-howto.com port 443 (step 2/3)
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.pc-howto.com port 443
* Send failure: Connection was aborted
* schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)
* schannel: clear security context handle
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
If I try outside our network (without our Fortigate) it works.
If I turn off all filters @ the policy used for my client the connection is still not working.
I am running out of ideas now.
Any help, hint or tip is very welcome....
mcdaniels wrote: If I try outside our network (without our Fortigate) it works.
You are still coming from the same IP address as when you are coming from the FortiGate?
If you are going from another network, can you check if your not-working traffic arrives at the server?
I'm kind of expecting an issue at the other side here, but you need to see how to confirm that.
Hi,
I am coming over a 4G connection from a smartphone, for example (not the same IP) -> then it works.
I have very limited access to the logs (of the website hoster). I have to double-check it.
A friend of mine is coming from a completely different network -> it works.
If the situation is: mynetwork -> fortigate -> my provider -> webspaceprovider -> it is not working.
If I use: single pc -> my provider -> webspaceprovider -> it works
This is the Wireshark log - another website, same hoster, same behavior (if I see it right, the RST is coming from the hoster's side):
It is difficult to say for sure, but there is a chance the hoster is blocking you for some reason. As you have a website there, I would at least reach out and ask them to check.
Where is that capture taken? If it is on the FortiGate, then yes, it might be the hoster. If it is on a client, then it could also be the FortiGate.
Does the FortiGate logging show anything for these requests?
I asked the hoster multiple times. He always says: it is working if we try to connect. Very hard to discuss this with the support.
The Wireshark log is taken directly on the client, which is behind the FortiGate unit.
192.168.10.210 -> Client behind the FGT
I see it in FortiView -> Destinations / or Sources... but there is only a little amount of data being exchanged.
I have no blocking messages in any filter or in the SSL log.
I just sniffed with the FGT packet capture. This happens if I initiate the connection on the client. (This is what the FGT unit does at the WAN1 port):
81.19.159.68 = Hoster
I'm suspecting they are blacklisting your address based on what I see. Also not sure of your env, but if you have multiple addresses or interfaces, try sourcing the client with that address and try (src-nat in the policy and an IP pool or egress interface SNAT).
Ken Felix
PCNSE
NSE
StrongSwan
hi,
Thanks for all your answers. I will see what support (of the webhoster) tells me tomorrow. This is very weird. I have no idea what happened here.
Hm. I am not 100% sure what you mean exactly @emnoc: I have multiple official IP addresses. I assume you mean that I should give one client "another" address at the WAN side? Correct? So I will see whether our official IP is blocked at the provider?
Dear experts,
I managed to do a SNAT and used a different WAN IP. Used it only for one client to test.
After switching the IP, all websites work. So I assume you were 100% right with your guess:
Our official IP (used for all clients) is blocked by the webhoster. Unfortunately I have not received a reply from them.
Time to move on and switch the hoster, or go back to self-hosting.
Thanks for your help!
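The test that settled this thread was comparing the same TLS connection from two different source addresses: the shared WAN IP failed with an RST right after the ClientHello, the alternate WAN IP worked. The script below is an added example (not code from the original thread or from Fortinet) that automates that comparison: it binds a socket to a chosen local source address, attempts a TLS handshake, and classifies the outcome into the cases seen in the thread (no TCP connection, connection aborted/reset during the handshake, other TLS failure, success). The built-in "resetting server" is a constructed stand-in that mimics a hoster sending RST after the ClientHello, so the script runs offline; the function names `probe_tls`, `compare_sources` and `start_resetting_server` are this example's own.

```python
import socket
import ssl
import struct
import threading
from typing import Dict, List, Optional


def probe_tls(host: str, port: int = 443, source_ip: Optional[str] = None,
              timeout: float = 5.0, verify: bool = True) -> str:
    """Attempt TCP connect + TLS handshake from a given source address.

    Returns one of:
      "tcp_connect_failed"       - no TCP connection at all (refused, unreachable, timeout)
      "aborted_during_handshake" - TCP connected, peer reset/aborted before ServerHello
                                   (curl's "failed to receive handshake" / RST in the capture)
      "closed_during_handshake"  - TCP connected, peer closed cleanly mid-handshake (FIN)
      "handshake_failed"         - some other TLS error (certificate, protocol mismatch, ...)
      "ok"                       - handshake completed
    """
    ctx = ssl.create_default_context()
    if not verify:  # only for lab targets without a real certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            # Pick the local address the packets leave with (the thread's SNAT test,
            # done on the host itself when it owns several addresses).
            sock.bind((source_ip, 0))
        sock.connect((host, port))
    except OSError:
        sock.close()
        return "tcp_connect_failed"

    try:
        tls = ctx.wrap_socket(sock, server_hostname=host, do_handshake_on_connect=False)
        tls.do_handshake()  # sends ClientHello, waits for ServerHello
        tls.close()
        return "ok"
    except (ConnectionResetError, ConnectionAbortedError, BrokenPipeError):
        return "aborted_during_handshake"
    except (ssl.SSLEOFError, ssl.SSLZeroReturnError):
        return "closed_during_handshake"
    except (ssl.SSLError, OSError):
        return "handshake_failed"
    finally:
        sock.close()


def compare_sources(host: str, port: int, source_ips: List[str],
                    verify: bool = True) -> Dict[str, str]:
    """Run probe_tls once per candidate source address; returns {source_ip: verdict}.

    If one source gets "aborted_during_handshake" while another gets "ok" for the
    same target, the difference is tied to the source address, not to the site.
    """
    return {src: probe_tls(host, port, source_ip=src, verify=verify) for src in source_ips}


def start_resetting_server() -> int:
    """Constructed stand-in for a hoster that RSTs right after the ClientHello.

    Listens on 127.0.0.1, accepts one connection, reads the first bytes (the
    ClientHello) and then closes with SO_LINGER=0 so the kernel sends RST instead
    of FIN. Returns the port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        conn.settimeout(5.0)
        try:
            conn.recv(4096)  # consume the ClientHello, then abort the connection
        except OSError:
            pass
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demo against the constructed resetting server; on a real network you
    # would pass the site name, port 443 and the local addresses you want to compare.
    lab_port = start_resetting_server()
    print(compare_sources("127.0.0.1", lab_port, ["127.0.0.1"], verify=False))
```

Run from a host that owns the addresses you want to compare, or from behind each NAT policy in turn; a verdict of "aborted_during_handshake" for one source and "ok" for another against the same site is the same evidence the thread reached by hand with SNAT and a second WAN IP.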