Hello,
Problem:
Clients with IPv6 flow label enabled, i.e. non-zero values in the flow label header, have problems connecting to (some) websites.
Steps for reproduction:
1. Latest Windows 10 with "netsh int ipv6 set global flowlabel=enabled"
2. wget.exe (Version 1.20) from https://eternallybored.org/misc/wget/
3. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
DEBUG output created by Wget 1.20 on mingw32.
Reading HSTS entries from c:\Users\nutzer\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:45:23--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x00000000029e8630 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 10054
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
4. On CLI do "netsh int ipv6 set global flowlabel=disabled"
5. On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
DEBUG output created by Wget 1.20 on mingw32.
Reading HSTS entries from c:\Users\user1\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:52:01--  https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x0000000000b78570 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 0
Handshake successful; connected socket 3 to SSL handle 0x0000000000b7cb60
certificate:
  subject: CN=r.ssl.fastly.net,O=Fastly\\, Inc,L=San Francisco,ST=California,C=US
  issuer:  CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
X509 certificate successfully verified and matches host files.pythonhosted.org

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.20 (mingw32)
Accept: */*
Accept-Encoding: identity
Host: files.pythonhosted.org
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
seconds 900,00, Winsock error: 0
seconds 900,00, Winsock error: 0

---response begin---
HTTP/1.1 200 OK
Content-Type: text/html
Server: nginx/1.13.9
Content-Length: 1822
Accept-Ranges: bytes
Date: Tue, 29 Jan 2019 11:52:01 GMT
Age: 0
Connection: keep-alive
X-Served-By: cache-iad2150-IAD, cache-hhn1551-HHN
X-Cache: HIT, MISS
X-Cache-Hits: 1, 0
X-Timer: S1548762722.675927,VS0,VE88
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Header: noindex

---response end---
200 OK
Registered socket 3 for persistent reuse.
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
Updated HSTS host: files.pythonhosted.org:443 (max-age: 31536000, includeSubdomains: true)
Length: 1822 (1,8K) [text/html]
Saving to: 'index.html.7'

index.html.7   0%[                    ]       0  --.-KB/s
seconds 900,00, Winsock error: 0
index.html.7 100%[===================>]   1,78K  --.-KB/s    in 0,002s

2019-01-29 12:52:02 (850 KB/s) - 'index.html.7' saved [1822/1822]
Why does the Web Filter influence the connection?
Update: The problem seems to exist only for sites using IPv6 anycast addresses, e.g. the mentioned *python*.org server.
Do you really need flow-label? This header is still not widely supported. I'm wondering if you have a means in the policy6 settings for each policy.id to clear that value back to "0". Can you look, e.g.:
show config firewall policy6
Ken Felix
PCNSE
NSE
StrongSwan
Update: The FortiGate doesn't change the flow label at all. But a RST packet is just sent to the client as if the webfilter profile was triggered. This happens only if IPv6 flow label is enabled on the client.
Talking about IPv6 flow label in general: It is used unfortunately, even if some vendors have problems, e.g.:
https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
https://www.youtube.com/watch?v=b0CRjOpnT7w
Disabling IPv6 flow label on client seems to be the only way to cope with it.
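The update above rests on two observations that are easy to check from packet captures: the firewall leaves the flow label untouched, and the RST appears only when the label is non-zero. Comparing the IPv6 header of the same packet captured on the client and beyond the firewall settles the first; looking at the label value settles the second. The following is an added example, not code from this thread or from Fortinet: it decodes the fixed 40-byte IPv6 header, compares the label between two captures, and shows what clearing the label to 0 (the workaround suggested in the reply) looks like on the wire. The client address 2001:db8::1, the traffic class and the sample label are constructed; 2a04:4e42:1b::319 is the server address from the wget output.

```python
"""Decode and compare the IPv6 flow label in raw packet bytes.

Added example, not from the forum thread or Fortinet. Feed it the IPv6
layer of a captured frame (after the 14-byte Ethernet header) from the
client side and from beyond the firewall to tell "the device rewrote the
label" apart from "the device rejects packets with a non-zero label".
"""
import ipaddress
import struct
from dataclasses import dataclass

IPV6_HEADER_LEN = 40        # fixed IPv6 header length (RFC 8200)
FLOW_LABEL_MASK = 0xFFFFF   # the flow label is a 20-bit field


@dataclass(frozen=True)
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: str
    dst: str


def parse_ipv6_header(data: bytes) -> IPv6Header:
    """Parse the fixed IPv6 header at the start of `data`."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("need at least 40 bytes for an IPv6 header")
    # First 32-bit word: 4-bit version, 8-bit traffic class, 20-bit flow label.
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 header (version {version})")
    return IPv6Header(
        version=version,
        traffic_class=(first_word >> 20) & 0xFF,
        flow_label=first_word & FLOW_LABEL_MASK,
        payload_length=payload_len,
        next_header=next_header,
        hop_limit=hop_limit,
        src=ipaddress.IPv6Address(data[8:24]).compressed,
        dst=ipaddress.IPv6Address(data[24:40]).compressed,
    )


def build_ipv6_header(src: str, dst: str, flow_label: int, *, traffic_class: int = 0,
                      payload_length: int = 0, next_header: int = 6, hop_limit: int = 64) -> bytes:
    """Build a fixed IPv6 header; used here only to construct sample packets."""
    if not 0 <= flow_label <= FLOW_LABEL_MASK:
        raise ValueError("flow label must fit in 20 bits")
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def has_nonzero_flow_label(data: bytes) -> bool:
    """True if the packet carries a flow label other than 0."""
    return parse_ipv6_header(data).flow_label != 0


def flow_label_changed(client_side: bytes, far_side: bytes) -> bool:
    """True if the label differs between two captures of the same packet."""
    return parse_ipv6_header(client_side).flow_label != parse_ipv6_header(far_side).flow_label


def clear_flow_label(data: bytes) -> bytes:
    """Copy of the packet with the flow label set to 0; version and traffic class are kept."""
    first_word = struct.unpack("!I", data[:4])[0] & ~FLOW_LABEL_MASK
    return struct.pack("!I", first_word) + data[4:]


# Constructed sample: client 2001:db8::1 (documentation prefix) sending to the
# server address seen in the wget output, with an arbitrary non-zero label.
SAMPLE_CLIENT_SIDE = build_ipv6_header("2001:db8::1", "2a04:4e42:1b::319",
                                       flow_label=0x5A3C1, traffic_class=0x28,
                                       payload_length=40)

if __name__ == "__main__":
    hdr = parse_ipv6_header(SAMPLE_CLIENT_SIDE)
    print(f"{hdr.src} -> {hdr.dst}  flow label 0x{hdr.flow_label:05x}")
    print("non-zero label:", has_nonzero_flow_label(SAMPLE_CLIENT_SIDE))
    print("label after clearing:", parse_ipv6_header(clear_flow_label(SAMPLE_CLIENT_SIDE)).flow_label)
```

If `flow_label_changed` is False for the client-side and far-side copies of the SYN and the RST still arrives only while the client sets a label, the device is reacting to the label rather than rewriting it, which is what the update reports. The `clear_flow_label` helper is there to show the header difference the "flowlabel=disabled" workaround produces, not to modify live traffic.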