Support Forum
Andrew_Badge
New Contributor

"The SSL session was blocked because the session ID was unknown."

Hi Guys,

We just upgraded our two 300A units from MR3 build 318 to MR3 build 410 ("stable release"). The units are in HA and we only have AV enabled due to an issue with content filtering and build 316 (note: we were told 410 would resolve this issue... waiting nearly 12 months now). Anyway. After the upgrade we get the message "The SSL session was blocked because the session ID was unknown." for intermittent SSL connections. The browser shows "Error establishing an encrypted connection to https://secure.au.adp.com error code 12194". This error code means SSL_ERROR_ACCESS_DENIED_ALERT -12194 "Peer received a valid certificate, but access was denied."

Some facts:
- We made no config changes from build 318 to 410.
- Content filtering and Fortinet content filter are NOT enabled.
- "Block invalid URLs" is not enabled, nor are ANY HTTPS options at all.
- The issue is intermittent but easily reproducible (refresh browser 3-4 times).

It was suggested this could be related to HA (Active-Active) and the session being lost between the units? Anyone got any ideas?

Andrew
doshbass
New Contributor III

I had this problem as well, and never had time to resolve it. I ended up temporarily unchecking the HTTPS option. I have since left that company and it is probably still turned off.
Still learning to type " the"
Andrew_Badge

Thanks doshbass, I wish it were that easy, but we have never had these options turned on. Maybe I'll just leave and go on holiday ;-)

Andrew
John_Stoker
New Contributor II

In the Protection Profile there is Web Filtering and FortiGuard Web Filtering. Are you sure that you don't have HTTPS checked in the Web Filtering section? This will cause your problem. I've seen it a lot. If you have any HTTPS check box enabled, whether in Web Filtering or FortiGuard Web Filtering, you may have problems with some SSL sites. We generally like to just make exceptions when needed by creating a rule that allows access to that particular domain with no pro profile or a less restrictive one. Have you tried access with no pro profile? Consider creating a rule to their site with no pro profile.
John CISSP, FCNSP Advance
Andrew_Badge

Hi John,

Yep, definitely checked that. In fact build 318 didn't have an HTTPS option, so the upgrade shouldn't have added these new options. I did tick them then untick just to be sure. The issue is gone if the rule doesn't have a protection profile, but our main source of problems is where clients hit a proxy. Hence we can't stop AV without exposing all clients to viruses.

Again... I'm starting to lean towards a HA issue (not really to do with AV or content filtering). I'm going to set the units to Active-Passive so they don't rely on the session state. "No new features........ Stability Now!"

Andrew
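Before deciding between John's per-domain exception rule and Andrew's HA theory, it helps to see which hosts produce the message and whether both cluster members produce it. The following is an added example, not code from the thread or from Fortinet: a small parser over constructed FortiGate-style key=value log lines that counts the "session ID was unknown" blocks per hostname and per unit. The field names (devname, hostname, msg, and so on) and the sample lines are assumptions; only the message text comes from the post above.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value syslog style (assumed field
# names, not captured from the thread); the msg text is the one from the post.
SAMPLE_LOGS = """\
date=2010-03-01 time=09:12:01 devname=FG300A-1 type=webfilter subtype=https level=warning srcip=10.1.2.31 dstip=203.0.113.10 dstport=443 hostname="secure.au.adp.com" status=blocked msg="The SSL session was blocked because the session ID was unknown."
date=2010-03-01 time=09:12:04 devname=FG300A-1 type=webfilter subtype=https level=notice srcip=10.1.2.31 dstip=203.0.113.10 dstport=443 hostname="secure.au.adp.com" status=passthrough msg="URL belongs to an allowed category"
date=2010-03-01 time=09:12:09 devname=FG300A-2 type=webfilter subtype=https level=warning srcip=10.1.2.40 dstip=203.0.113.10 dstport=443 hostname="secure.au.adp.com" status=blocked msg="The SSL session was blocked because the session ID was unknown."
date=2010-03-01 time=09:13:15 devname=FG300A-2 type=webfilter subtype=https level=warning srcip=10.1.2.55 dstip=198.51.100.7 dstport=443 hostname="mail.example.net" status=blocked msg="The SSL session was blocked because the session ID was unknown."
"""

UNKNOWN_SESSION_MSG = "The SSL session was blocked because the session ID was unknown."
# key=value pairs; values are either a double-quoted string (may contain
# spaces and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def unknown_session_blocks(log_text):
    """Count unknown-session-ID blocks per hostname and per cluster member.

    Per-host counts show which sites would need an exception rule; per-unit
    counts show whether only one HA member, or both, is blocking sessions.
    """
    per_host = Counter()
    per_unit = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_fortigate_line(line)
        if rec.get("msg") != UNKNOWN_SESSION_MSG:
            continue
        per_host[rec.get("hostname", rec.get("dstip", "?"))] += 1
        per_unit[rec.get("devname", "?")] += 1
    return per_host, per_unit


if __name__ == "__main__":
    hosts, units = unknown_session_blocks(SAMPLE_LOGS)
    for host, n in hosts.most_common():
        print(f"{n:4d}  {host}")
    print("by unit:", dict(units))
```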
Not applicable

Hi, I don't think it's a HA issue. I have a FG-60 with the same problem. As soon as I activate the HTTPS FortiGuard Web Filtering with log only, the same error appears in the log and some websites are randomly blocked.
doshbass
New Contributor III

Hi Andrew, my units were in Active-Passive and I still had this problem.
Still learning to type " the"
Not applicable

I tried the following CLI command, it seems to work fine:

# config firewall profile
(profile)# edit "your_protection_profile_name"
(scan)# set https allow-ssl-unknown-sess-id
(scan)# end
Not applicable

Thanks for posting that.... just fixed my problem!