Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- SSL Inspection - connection reset
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Inspection - connection reset
Hi everyone,
I' ve been trying to figure out this issue for some time, i' m trying to implement SSL inspection for webfiltering and on some sites i' ve got connection resets while on others everything works beautifully.
My main issue is that one of these sites is Google, and Facebook is another, each time i want to access this sites with SSL inspection, a connection reset ocurrs.
A site that works, for example, www.ibm.com or support.fortinet.com.
The CA certificate in the Fortigate was correctly imported in the client, also was signed by our internal root_ca, so no issues there. Several browsers tested (IE, Chrome, Firefox), Windows & Linux also tested.
I attach a log with an attempt to access https://www.google.com.
My system: Fortigate 60D with FortiOS 5.0.3.
Any insight is welcome, thanks in advance.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That' s interesting that it works fine on some sites, but not all sites over https. Are you blocking some sites, and not others? You' re probably not blocking google.com, right?
Try this instead:
diag debug enable diag debug console timestamp enable diag debug flow show console enable diag debug flow show function-name enable diag debug flow filter addr 10.9.193.232 diag debug flow filter port 443 diag debug flow trace start 50Then try from 10.9.193.232. To stop and clear:
diag debug disable diag debug flow filter clear diag debug resetAlso try this:
diag debug enable diag debug console timestamp enable diag debug app ssl -1To stop and reset:
diag debug disable diag debug resetYou may want to log printable output to a file by using puTTy. You might be seeing TCP RST because of your browser.
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer
to a question rather than a solution to a problem." -
[link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond
Chen[/link]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mbrowndcm,
Thanks for the reply, you are correct, google is not filtered, what is more, even with webfilter not active (just SSL inspection, no AV, WF, etc) the connection still gets resetted.
Attaching the log you requested, you' ve got 2 tries to get to www.google.com with flow trace first and another one with the ssl debugging at last.
Regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2013-06-14 15:12:06 69:ssl srv port close recv 2013-06-14 15:12:06 69:shouldReset, type 1 2013-06-14 15:12:06 [65]-<000.000000> [69]: 10.9.193.232:45210 --> 74.125.229.178:443: [SSL SVRRDRDY ] Event - RESET_EVENT 2013-06-14 15:12:06 [65]-<000.000000> [69]: 10.9.193.232:45210 --> 74.125.229.178:443: [SSL SVRRDRDY ] RESET_STATE 2013-06-14 15:12:06 [65]-[69] ips closed 2013-06-14 15:12:06 ipsapp ses 69 close 2013-06-14 15:12:06 ipsapp ses 69 send end msg 145 len 0 dir 0 2013-06-14 15:12:06 69:checkConnectionEvent 2013-06-14 15:12:06 69:resetConn 2013-06-14 15:12:06 69:proxy_ssl_port_exit 2013-06-14 15:12:06 69:proxy_ssl_port_close ... 2013-06-14 15:12:09 70:checkConnectionEvent 2013-06-14 15:12:09 check fd 12 2013-06-14 15:12:09 clear client read 2013-06-14 15:12:09 set client write 2013-06-14 15:12:09 check fd 13 2013-06-14 15:12:09 set server read 2013-06-14 15:12:09 set server write 2013-06-14 15:12:09 70:sslStateCheck 2013-06-14 15:12:09 reset event 2013-06-14 15:12:09 [65]-<000.000000> [70]: 10.9.193.232:45211 --> 74.125.229.178:443: [SSL LOOPEND ] Event - RESET_EVENT 2013-06-14 15:12:09 [65]-<000.000000> [70]: 10.9.193.232:45211 --> 74.125.229.178:443: [SSL LOOPEND ] RESET_STATE 2013-06-14 15:12:09 [65]-[70] ips closed 2013-06-14 15:12:09 ipsapp ses 70 close 2013-06-14 15:12:09 ipsapp ses 70 send end msg 147 len 0 dir 0 2013-06-14 15:12:09 70:resetConn 2013-06-14 15:12:09 70:proxy_ssl_port_exit 2013-06-14 15:12:09 70:proxy_ssl_port_close..seem interesting. Looks like your client is sending a RST. Sounds like a certificate error? What configuration method did you use? Did you install both the private key of the cert and the public cert to make the Fortigate a subordinate CA? " CA:TRUE" is listed in Certificate Details? [this was done by either using `openssl ca -extensions v3_ca` or by requesting a " subordinate CA" cert from a MSFT Windows CA] Sorry to review the trivialities.
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer
to a question rather than a solution to a problem." -
[link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond
Chen[/link]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I think that if there was a certificate error all sites should fail and/or give an incorrect certificate error (i' ve made my share of trial and errors last year 
).
The certificate was created in the Fortigate itself (Certificates -> Local Certificates -> Generate), so there shouldn' t be any issues with the keys, the CSR was downloaded and sent to our root_CA for validation, then the validated certificate was uploaded, i' m attaching a screenshot of the certificate itself.
Oh, and i' ve already tried generating the key+cert outside the FG, then importing it, still same result.
I thought of the browser, already tried IE 10, Firefox 21 & Chrome 27, plus the test machine used for the traces i' ve sent is a brand new installed Linux Mint 15 with Firefox 20 and Chromium 25, all browsers same result, tried using SSL 3.0 only, again, the result is the same.
Don' t be sorry for asking the trivialities, i usually make mistakes so no harm done in checking again. :)
Thanks for the input, its really appreciated.
).
The certificate was created in the Fortigate itself (Certificates -> Local Certificates -> Generate), so there shouldn' t be any issues with the keys, the CSR was downloaded and sent to our root_CA for validation, then the validated certificate was uploaded, i' m attaching a screenshot of the certificate itself.
Oh, and i' ve already tried generating the key+cert outside the FG, then importing it, still same result.
I thought of the browser, already tried IE 10, Firefox 21 & Chrome 27, plus the test machine used for the traces i' ve sent is a brand new installed Linux Mint 15 with Firefox 20 and Chromium 25, all browsers same result, tried using SSL 3.0 only, again, the result is the same.
Don' t be sorry for asking the trivialities, i usually make mistakes so no harm done in checking again. :)
Thanks for the input, its really appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool. I agree, if it was the cert, it would fail globally (of course!).
Have you tried testing with a total other client like `curl`?
curl --insecure https://google.comThat' s interesting, seeing:
<HTML><HEAD><meta http-equiv=" content-type" content=" text/html;charset=utf-8" > <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF=" https://www.google.com/" >here</A>. </BODY></HTML>What happens if: 1) you create a URL Filter and exempt google.com? 2) you disable " Block HTTP Redirects by Rating" ? (I know this won' t do anything) 3) you access another 301 redirected page? 4) Try to review the logs to see if web filter or app control are dropping the packets... what about other layers in your packet flow beyond the ssl mitm proxy and the firewall policies? 5) If this was working before, but now is not, you can also try to restart the ssl daemon:
diag test app ssl 99
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer
to a question rather than a solution to a problem." -
[link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond
Chen[/link]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let' s start with the first (and end with the last).
a - Our good friend curl gives error 35, unknown SSL protocol error in connection with www.google.com:443.
1 - For tests sake i enabled WF and exempted google.com (it wasn' t enabled in the traces before), it gets a little better since now the redirect happens, but still after that the connection gets resetted (i' ve also already exempted my local google site).
*Edit: Correct that, now it works... randomly, sometimes it resets, sometimes it works, let' s say works 85% of the time*
2 - It wasn' t enabled to begin with, so you' re right, it doesn' t do anything. :)
3 - See comment 1, yup.
4 - No packets dropped in the logs, still, please take into account that this reset happens just by adding SSL inspection, no other modules are needed for the connection drop to happen (i' ve tried to simplify things, it fails with or without the other modules running); so the only things enabled ATM are Vdoms, SSL inspection and 1 firewall policy, that' s it.
5 - It never worked, still, for tests sake
webfilter (global) # diagnose test application sslacceptor 99
2013-06-14 17:27:42 restarting ssl proxy
webfilter (global) # diagnose test application sslworker 99
SSL Worker 0:
2013-06-14 17:27:50 restarting ssl proxy
webfilter (global) #
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool. I had a problem yesterday where all my HTTPS inspection... just... dropped... isolated in a single VDOM. wat. I restarted the `ssl` daemon and it worked.
So you mean you simply have " Enable Deep Scanning" enabled in the protocol options object, don' t have HTTPS Deep Scanning enabled in a web filter, and no other UTM policies attached to the policy, and you are facing this state?
That' s crazy, but I have no other idea. With my problem above, I quickly reverted to a _web filter_ I had with no HTTPS Deep Scanning enabled, and traffic passed through HTTPS (even with a protocol options object assigned with Enable Deep Scanning enabled!).
I' d just call support.
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer
to a question rather than a solution to a problem." -
[link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond
Chen[/link]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, i understand, i have the advantage that this is a brand new 60D so i can reboot it whenever needed.
That' s what i mean, in FortiOS 5 " terms" , 1 policy (internal1 -> wan1, ALL to ALL protocols accepted), in " Security Profiles" just SSL Inspection enabled and no other funky stuff apart from the custom certificate, all this being contained in root vdom.
I' ve unpacked the 60D 3 days ago and factory resetted, upgraded to 5.0.3, just created the vdoms and that' s it from the " hardware" POV. I don' t think that issue lies in the unit, but i' ll try with a brand new one on Monday and will also try to get a new MPLS line with my TelCo, all this is beyond weird..
Anyway, as said before, i highly appreciate your feedback on the matter, thank you very much.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a little follow-up, i' ve replaced the unit and still the same error, downgraded FortiOS to 5.01 (the lowest i can go on 60D) and still the same.
Weirdly enough, i' ve tested it with one of my 60C and everything works beautifully, so either its FortiOS5 having a nasty behaviour or ...
Labels
-
FortiGate
10,811 -
FortiClient
2,214 -
FortiManager
906 -
FortiAnalyzer
691 -
5.2
687 -
5.4
638 -
FortiSwitch
598 -
FortiClient EMS
586 -
FortiAP
569 -
IPsec
446 -
6.0
416 -
SSL-VPN
394 -
FortiMail
381 -
5.6
362 -
FortiNAC
301 -
FortiWeb
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
208 -
FortiAuthenticator
187 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
121 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
94 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
Routing
79 -
SAML
78 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
Certificate
70 -
FortiADC
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
49 -
Virtual IP
45 -
FortiDNS
43 -
Logging
43 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
30 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2728 | |
| 1417 | |
| 812 | |
| 739 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.