TZ670 Cannot Delete a Custom Common Name from DPI-SSL Client
TZ670 with SonicOS 7.0.1-R1456
I added these custom names and cannot delete them:
cloud-fes-us2.acronis.com:44445
cloud-fes-eu1.acronis.com:44445
I added these from the Show Connection Failures tab.
On trying to delete them I get this error message:
"Command 'no common-name cloud-fes-eu1.acronis.com%3A44445 action exclude disable-authenticate-server' does not match"
I can delete others like .microsoft.com and .acronis.com
I want to delete the long ones and just use .acronis.com
Any ideas?
Best Answer
Rinconmike
This was answered here:
by @preston
Go in via SSH and put them in speech marks as below; you should be able to delete them then.
conf
dpi-ssl client
(config-client-dpi-ssl)# no common-name "cloud-fes-us2.acronis.com:44445"
(config-client-dpi-ssl)# no common-name "cloud-fes-eu1.acronis.com:44445"
exit
commit
FYI, you don't need to add the port numbers after the common-name entry.
If you have a support case open regarding this, you should add the workaround to it so that Support is aware.
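The workaround above boils down to two things: the GUI's delete command carried the colon as %3A, so it no longer matched the stored entry, and the CLI accepts the host:port name only when it is double-quoted. The following is an added example, not code from the thread or from SonicWall: it turns a list of stuck entries (including ones copied in the %3A form from the error message) into the exact CLI batch preston posted. The assumption that any name containing characters outside a plain hostname set needs quoting is taken only from the fact that the quoted form worked where the bare one did not; the sample entries are constructed from the ones in the post.

```python
"""Generate the SonicOS CLI batch that deletes stuck DPI-SSL client
common-name exclusions, quoting names that carry a ':port' suffix.
Example code written for this page; not SonicWall's own tooling."""
from urllib.parse import unquote

# Characters assumed safe to send as a bare common-name token. Anything
# else (':' in a host:port entry, spaces) gets the double quotes from the
# thread's workaround. This is an assumption about the CLI parser.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._*")


def normalize(entry: str) -> str:
    """Undo the %3A-style encoding seen in the failing GUI command so the
    name matches what the CLI actually stores (host:44445, not host%3A44445)."""
    return unquote(entry.strip())


def cli_token(name: str) -> str:
    """Return the name bare if every character is in SAFE, else double-quoted."""
    if all(c in SAFE for c in name):
        return name
    # A literal double quote inside a name would break the quoting; drop it.
    return '"' + name.replace('"', "") + '"'


def delete_commands(entries) -> list[str]:
    """Return the full CLI sequence: conf, dpi-ssl client, one
    'no common-name' per distinct entry (input order kept), exit, commit."""
    seen: list[str] = []
    for e in entries:
        n = normalize(e)
        if n and n not in seen:
            seen.append(n)
    lines = ["conf", "dpi-ssl client"]
    lines += [f"no common-name {cli_token(n)}" for n in seen]
    lines += ["exit", "commit"]
    return lines


if __name__ == "__main__":
    # Constructed sample: the two stuck entries, one pasted in the %3A form
    # the failing GUI command showed, plus a plain domain that never needed quoting.
    stuck = [
        "cloud-fes-us2.acronis.com:44445",
        "cloud-fes-eu1.acronis.com%3A44445",
        "cloud-fes-eu1.acronis.com:44445",  # duplicate once decoded
        ".acronis.com",
    ]
    print("\n".join(delete_commands(stuck)))
```

Paste the printed lines into the SSH session one at a time and watch for a "does not match" reply before committing; the commit is the step that actually removes the entries from the running configuration.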
Answers
Hi @RINCONMIKE,
Thank you for visiting SonicWall Community.
I just tested this scenario on my TZ 670 and the delete works fine for the same URLs specified in the post. How long have you been seeing this issue? Did the issue start to happen after a firmware upgrade? I would like to rule out certain options to isolate the issue.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I have been seeing this issue since 6/4 and opened a case. The issue happened when I went into the Client SSL Show Connection Failures list, clicked the check to add the common name, and then added it. It added fine. A day or so later I went to delete it, since I wanted to just add .acronis.com, and it would not allow it to delete. Attached are the screenshots: one with several of these added and one with the error.
Any ideas? So far Support's solution is to reset and start over, which I do not want to do.
Any further ideas on this?
Hi @RINCONMIKE,
I tested this behavior on a couple of other devices too and the feature works flawlessly. Have you tried restarting the SonicWall once and then attempting to delete? If a restart doesn't work, the last option is to factory reset the box to rule out a settings issue, if any.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Did you add those entries from under the failure list, check the box and hit Exclude, or just manually add them? Is there a way to default just the common-name exclusion list? My guess is it is a bug when adding from the failure list.
If I manually add the name, it adds. The list then shows what looks like two identical entries. I can delete the one added manually, but the one that was added from the failure list still will not delete. It is a bug, and it stinks that the SonicWall solution is to factory reset!
I have had a case open with support since 6/4. They still do not have any answers.
Still no help from support on this.
Anyone know when the next firmware update will be released? Maybe that will fix the bugs.
@preston
After deleting the common names, I added both
acronsi.com
.acronis.com
and these items are showing up as failures. Same as before.
cloud-fes-au1.acronis.com:44445
cloud-fes-eu1.acronis.com:44445
cloud-fes-eu2.acronis.com:44445
cloud-fes-jp2.acronis.com:44445
cloud-fes-us2.acronis.com:44445
I thought if I add the domain, it will take care of all items.
Also, when adding a domain, is a period to be used before or not? Some of the default ones have it and some do not. I added both ways.
Hi @Rinconmike, create an address object instead for *.acronis.com, then create an outbound firewall rule to allow it and disable DPI-SSL Client in the rule, using the *.acronis.com object as the destination. Another option, and the preferred one as it uses less CPU overhead, is to add TCP 44445 as a service object, put it in a new group like "DPI-SSL Exclusion Group" with any other ports you wish to exclude, and then in the DPI-SSL Objects / Exclusions add this service group. The DPI-SSL Objects act as an AND, so you can have excluded addresses, objects or users/groups.
Thanks. The *.acronis does not work; it does not allow that to be entered.
Also, even though I added like
cloud-fes-au1.acronis.com:44445
it looks like it is still being blocked and shows up again as a connection failure.
Maybe I need to go back to adding by the check box and Exclude. I will look into the other methods you posted.
Hi @Rinconmike, I tend to find excluding by address object or port with firewall rules the best method of exclusion, rather than common-name exclusions.
If you add the TCP 44445 (I'm presuming it is TCP) exclusion, you won't need the common-name entries.