snobs
New Contributor II

Web Filter + IPv6 flow label + SSL =failed connection

Hello,

Problem:

Clients with IPv6 flow label enabled, i.e. non-zero values in the flow label header, have problems connecting to (some) websites:
Steps for reproduction:
1. Latest Windows 10 with "netsh int ipv6 set global flowlabel=enabled"

2. wget.exe (Version 1.20) from https://eternallybored.org/misc/wget/

3. On CLI do "wget -6 -d https://files.pythonhosted.org"

Output:

DEBUG output created by Wget 1.20 on mingw32.
Reading HSTS entries from c:\Users\nutzer\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:45:23--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x00000000029e8630 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 10054
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
4. On CLI do "netsh int ipv6 set global flowlabel=disabled"

5. On CLI do "wget -6 -d https://files.pythonhosted.org"

Output:

DEBUG output created by Wget 1.20 on mingw32.
Reading HSTS entries from c:\Users\user1\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:52:01--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x0000000000b78570 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 0
Handshake successful; connected socket 3 to SSL handle 0x0000000000b7cb60
certificate:
  subject: CN=r.ssl.fastly.net,O=Fastly\\, Inc,L=San Francisco,ST=California,C=US
  issuer:  CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
X509 certificate successfully verified and matches host files.pythonhosted.org
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.20 (mingw32)
Accept: */*
Accept-Encoding: identity
Host: files.pythonhosted.org
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
seconds 900,00, Winsock error: 0
seconds 900,00, Winsock error: 0
---response begin---
HTTP/1.1 200 OK
Content-Type: text/html
Server: nginx/1.13.9
Content-Length: 1822
Accept-Ranges: bytes
Date: Tue, 29 Jan 2019 11:52:01 GMT
Age: 0
Connection: keep-alive
X-Served-By: cache-iad2150-IAD, cache-hhn1551-HHN
X-Cache: HIT, MISS
X-Cache-Hits: 1, 0
X-Timer: S1548762722.675927,VS0,VE88
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Header: noindex
---response end---
200 OK
Registered socket 3 for persistent reuse.
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
Updated HSTS host: files.pythonhosted.org:443 (max-age: 31536000, includeSubdomains: true)
Length: 1822 (1,8K) [text/html]
Saving to: 'index.html.7'
index.html.7          0%[          ]       0  --.-KB/s
seconds 900,00, Winsock error: 0
index.html.7        100%[==========>]   1,78K  --.-KB/s    in 0,002s
2019-01-29 12:52:02 (850 KB/s) - 'index.html.7' saved [1822/1822]

  • Web Filter + certificate-inspection is enabled for that policy
  • Lookup-Rating for domain https://files.pythonhosted.org: Category: General Interest - Business / Sub-Category: Information Technology, which is not blocked

    Why does Web Filter influence the connection?

    snobs
    New Contributor II

    Update: The problem seems to exist only for sites using IPv6 anycast addresses, e.g. the mentioned *python*.org server

    emnoc
    Esteemed Contributor III

    Do you really need flow-label? This header is still not widely supported. I'm wondering if you have a means in the policy6 settings for each policy.id to clear that value back to "0". Can you look

    e.g.

    show config firewall policy6

    Ken Felix

    PCNSE 

    NSE 

    StrongSwan  
    snobs
    New Contributor II

    Update: The FortiGate doesn't change the flow label at all. But a RST packet is just sent to the client as if the webfilter profile was triggered. This happens only if IPv6 flow label is enabled on the client.

    Talking about IPv6 flow label in general: It is used unfortunately, even if some vendors have problems, e.g.:

    https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/

    https://www.youtube.com/watch?v=b0CRjOpnT7w

    Disabling IPv6 flow label on client seems to be the only way to cope with it.
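The reproduction steps at the top of the thread and the last update (RST to the client only when the flow label is non-zero, label itself left untouched) can both be checked from a packet capture taken on the client. The script below is an added example, not code from the thread or from Fortinet: it parses the IPv6 header to read the 20-bit flow label, pairs each client SYN with any RST that comes back, and reports the label the client sent and the label the RST carried. All packets are constructed inline (documentation prefix 2001:db8::/32, placeholder ports); feeding in real pcap payloads is left to the caller, and extension headers are deliberately not handled.

```python
"""
Correlate IPv6 flow labels with TCP resets seen in a packet capture.

Added example (not from the forum thread or Fortinet). Sample packets are
constructed inline; addresses and ports are placeholders.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10
NEXT_HEADER_TCP = 6

FlowKey = Tuple[str, str, int, int]   # (src, dst, sport, dport)


@dataclass
class Packet:
    src: str
    dst: str
    traffic_class: int
    flow_label: int
    sport: int
    dport: int
    flags: int


def parse_ipv6_tcp(raw: bytes) -> Optional[Packet]:
    """Parse a raw IPv6 header directly followed by TCP. Returns None for
    anything else (extension headers are not handled in this example)."""
    if len(raw) < 40:
        return None
    first_word = struct.unpack("!I", raw[:4])[0]
    version = first_word >> 28                 # top 4 bits
    traffic_class = (first_word >> 20) & 0xFF  # next 8 bits
    flow_label = first_word & 0xFFFFF          # low 20 bits
    if version != 6:
        return None
    payload_len, next_header = struct.unpack("!HB", raw[4:7])
    if next_header != NEXT_HEADER_TCP:
        return None
    src = str(ipaddress.IPv6Address(raw[8:24]))
    dst = str(ipaddress.IPv6Address(raw[24:40]))
    tcp = raw[40:40 + payload_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Packet(src, dst, traffic_class, flow_label, sport, dport, tcp[13])


def correlate_resets(packets: List[Packet]) -> List[Tuple[int, bool, Optional[int]]]:
    """Per client-initiated flow (SYN without ACK) return
    (client flow label, RST seen from the peer, flow label carried by that RST)."""
    client_label: Dict[FlowKey, int] = {}
    rst_label: Dict[FlowKey, Optional[int]] = {}
    for p in packets:
        key: FlowKey = (p.src, p.dst, p.sport, p.dport)
        if p.flags & TCP_SYN and not p.flags & TCP_ACK:
            client_label[key] = p.flow_label
            rst_label.setdefault(key, None)
        elif p.flags & TCP_RST:
            reverse: FlowKey = (p.dst, p.src, p.dport, p.sport)
            if reverse in client_label:
                rst_label[reverse] = p.flow_label
    return [(client_label[k], rst_label[k] is not None, rst_label[k]) for k in client_label]


def build_ipv6_tcp(src: str, dst: str, flow_label: int,
                   sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal IPv6+TCP packet (no options, zero checksum) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    ipv6 = struct.pack("!IHBB", first_word, len(tcp), NEXT_HEADER_TCP, 64)
    return ipv6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + tcp


def sample_capture() -> List[bytes]:
    """Constructed capture: one connection with a non-zero flow label that is
    reset, one with flow label 0 that gets a normal SYN-ACK."""
    client, server = "2001:db8::10", "2001:db8:ffff::443"
    return [
        build_ipv6_tcp(client, server, 0x12345, 51000, 443, TCP_SYN),
        build_ipv6_tcp(server, client, 0, 443, 51000, TCP_RST | TCP_ACK),
        build_ipv6_tcp(client, server, 0, 51001, 443, TCP_SYN),
        build_ipv6_tcp(server, client, 0, 443, 51001, TCP_SYN | TCP_ACK),
    ]


def report(raw_packets: List[bytes]) -> List[Tuple[int, bool, Optional[int]]]:
    packets = [p for p in map(parse_ipv6_tcp, raw_packets) if p is not None]
    return correlate_resets(packets)


if __name__ == "__main__":
    for label, was_reset, rst in report(sample_capture()):
        suffix = f" (RST flow label 0x{rst:05x})" if rst is not None else ""
        print(f"client flow label 0x{label:05x}: RST={was_reset}{suffix}")
```

If every reset flow in a real capture shows a non-zero client label while the label-0 flows complete their handshake, the capture confirms the thread's observation; comparing the RST's own label with the client's tells you whether the device in the path rewrote the header or only reacted to it.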
