TZ670 Cannot Delete a Custom Common Name from DPI-SSL Client

TZ670 with SonicOS 7.0.1-R1456

I added these custom names and cannot delete them:

cloud-fes-us2.acronis.com:44445

cloud-fes-eu1.acronis.com:44445

I added these from the show connection failure tab.

On trying to delete them I get this error message:

"Command 'no common-name cloud-fes-eu1.acronis.com%3A44445 action exclude disable-authenticate-server' does not match"

I can delete others like .microsoft.com and .acronis.com

I want to delete the long ones and just use .acronis.com

Any ideas?

Category: Entry Level Firewalls

Best Answer

  • CORRECT ANSWER
    Rinconmike Enthusiast ✭✭

    This was answered here:

    by @preston

    Go in via SSH and put them in speech marks as below; you should be able to delete them then.

    conf

    dpi-ssl client

    (config-client-dpi-ssl)# no common-name "cloud-fes-us2.acronis.com:44445"


    (config-client-dpi-ssl)# no common-name "cloud-fes-eu1.acronis.com:44445"

    exit

    commit


    F.Y.I., you don't need to add the port numbers after the common name entry.

    If you have a support case open regarding this, you should add the workaround to it so that support is aware.

Answers

  • Saravanan Moderator

    Hi @RINCONMIKE,

    Thank you for visiting SonicWall Community.

    I just tested this scenario on my TZ 670 and the delete works great for the same URLs that are specified in the post. How long have you been seeing this issue? Did the issue start to happen after any firmware upgrade? I would like to rule out certain options to isolate the issue.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Rinconmike Enthusiast ✭✭
    edited June 2021

    I have been seeing this issue since 6/4 and opened a case. The issue happened when I went into the Client SSL Show Connection Failures list, clicked the check to add the common name, and then added it. It added fine. A day or so later I went to delete it, since I wanted to just add .acronis.com, and it would not allow it to be deleted. Attached are the screenshots: one with several of these added and one with the error.

    Any ideas? So far Support's solution is to reset and start over, which I do not want to do.



  • Rinconmike Enthusiast ✭✭

    Any further ideas on this?

  • Saravanan Moderator

    Hi @RINCONMIKE,

    I tested this behavior on a couple of other devices too and the feature works flawlessly. Have you tried restarting the SonicWall once and then attempting the delete? If a restart doesn't work, the last option is to factory reset the box to rule out a settings issue, if any.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Rinconmike Enthusiast ✭✭
    I have rebooted a few times. Still cannot delete. I’d rather not factory reset. Obviously that will work since it will clear the custom common name exclusions and everything else.
    Did you add those entries from under the failure list by checking the box and hitting exclude, or just add them manually? Is there a way to default just the common name exclusion list? My guess is it is a bug on adding from the failure list.
  • Rinconmike Enthusiast ✭✭

    If I manually add the name, it adds. The list shows what looks like two identical entries. I can then delete the one added. But the one that was added from the failure list still will not delete. It is a bug, and it stinks that the SonicWall solution is to factory reset!

  • Rinconmike Enthusiast ✭✭

    I have had a case open with support since 6/4. They still do not have any answers.

  • Rinconmike Enthusiast ✭✭

    Still no help from support on this.

    Anyone know when the next firmware update will be released? Maybe that will fix the bugs.

  • Rinconmike Enthusiast ✭✭

    @preston

    After deleting the common names, I added both

    acronsi.com

    .acronis.com

    and these items are showing up as failures. Same as before.

    cloud-fes-au1.acronis.com:44445

    cloud-fes-eu1.acronis.com:44445

    cloud-fes-eu2.acronis.com:44445

    cloud-fes-jp2.acronis.com:44445

    cloud-fes-us2.acronis.com:44445

    I thought if I added the domain, it would take care of all items.

    Also, when adding a domain, is a period to be used before or not? Some of the default ones have it and some do not. I added both ways.

  • preston All-Knowing Sage ✭✭✭✭

    Hi @Rinconmike, create an address object instead for *.acronis.com, then create an outbound firewall rule to allow and disable DPI-SSL Client in the rule using the *.acronis.com as the destination. Another option, the preferred option as it uses less CPU overhead, is to add TCP 44445 as a service object, put this in a new group like DPI-SSL Exclusion Group with any other ports you wish to exclude, and then in the DPI-SSL Objects / exclusions add this service group, as the DPI-SSL Objects act as an AND, so you can have excluded addresses, Objects or Users/Groups.

  • Rinconmike Enthusiast ✭✭

    Thanks. The *.acronis does not work; it does not allow that to be entered.

    Also, even though I added like

    cloud-fes-au1.acronis.com:44445

    it looks like it is still being blocked and shows up again as a connection failure.

    Maybe I need to go back to adding by the check box and Exclude. I will look into the other methods you posted.

  • preston All-Knowing Sage ✭✭✭✭

    Hi @Rinconmike, I tend to find excluding by Address Object or Port with firewall rules the best method of exclusion rather than common name exclusions.

    If you add the TCP 44445 (I'm presuming it is TCP) exclusion, you won't need the common name entries.
