" The SSL session was blocked because the session ID was unknown.â€

Andrew_Badge · ‎03-28-2007

Hi Guys, We just upgraded our two 300A units from MR3 build 318 to MR3 build 410 (" stable release" ). The units are in HA and we only have AV enabled due to an issue with content filtering and build 316 (note: we were told 410 would resolve this issue...waiting nearly 12 months now

). Anyway. After the upgrade we get the message " The SSL session was blocked because the session ID was unknown.â€ for intermittant SSL connections. The browser shows â€œError establishing an encrypted connection to https://secure.au.adp.com error code 12194. This error code means; SSL_ERROR_ACCESS_DENIED_ALERT -12194 " Peer received a valid certificate, but access was denied." Some Facts: we made no config changes from buiold 318 to 410. content filtering and fortinet content filter are NOT enabled. " Block invalid URLs" is not enabled, nor are ANY HTTPS options at all. the issue is intermittent but easily reproducable (refresh browser 3-4 times). It was suggested this could be related to HA (active-Active) and the session begin lost between the units? Anyone got any ideas? Andrew

doshbass · ‎03-28-2007

I had this problem as well, and never had time to resolve it, I ended up temporarily uncheckinhg the HTTPS option. - I have since left that company and it is probably still turned off.

Still learning to type " the"

Andrew_Badge · ‎03-28-2007

Thanks doshbass, I wish it were that easy, but we have never had these options turned on. Maybe i' ll just leave and go on holiday ;-) Andrew

John_Stoker · ‎03-28-2007

In the Protection Profile there is Web Filtering and FortiGuard Web Filtering. Are you sure that you don' t have HTTPS check in the Web Filtering section? This will cause your problem. I' ve seen in a lot. If you have any HTTPS check box enabled whether in Web Filtering or FortiGuard Web Filtering you may have problems with some SSL sites. We generally like to just make exceptions when needed by creating a rule that allows access to that particular domain with no pro profile or less restrictive one. Have you tried access with no pro profile? Consider creating a rule to their site with no pro profile.

John CISSP, FCNSP Adv(thanks)ance

Andrew_Badge · ‎03-28-2007

Hi John, Yep, definately checked that. In fact build 318 didn' t have an HTTPS option so the upgrade shouldn' t have added these new options. i did tick them then untick just to be sure. The issue is gone if the rule doesn' t have a protection profile, but our main source of problems is where clients hit a proxy. hence we can' t stop AV without exposing all clients to viruses. Again...i' m starting to lean towards a HA issue (not really to do with AV or content filtering). I' m going to set the units to Active-Passive so they don' t rely on the session state. " No new features........Stability Now!" Andrew

Report Inappropriate Content · ‎03-29-2007

Hi, I don' t think it' s a HA issue. I have a FG-60 with the same problem. As soon as i activate the HTTPS FortiGuard Web Filtering with log only, the same error appear in log and somes websites are randomly blocked.

doshbass · ‎03-30-2007

Hi Andrew, My units were in active-Passive and I still had this problem.

Still learning to type " the"

Report Inappropriate Content · ‎03-30-2007

I tried the following CLI commad, it seems to work fine: #config firewall profile (profile)# edit " your_protection_profile_name" (scan)# set https allow-ssl-unknown-sess-id (scan)# end

Report Inappropriate Content · ‎10-22-2007

Thanks for posting that.... just fixed my problem!

" The SSL session was blocked because the session ID was unknown.â€

Nominate a Forum Post for Knowledge Article Creation

" The SSL session was blocked because the session ID was unknown.â€