Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Server 2019 and DPI-SSL

Hi,

We have DPI-SSL enabled on our NSA3650 and is working well.

All Microsoft 2016 servers and Windows 10 PCs will use the SonicWALL 2048 bit cert and decrypt https sites.

However, we have configured a couple of 2019 servers which fail to establish connections to https websites.

We have tried Edge, Chrome and Firefox - all fail with "Secure Connection Failed" messages.

We use a DEAG group which is used to bypass DPI-SSL for trusted FQDN sites. These excluded sites are accessible to the 2019 Servers.

If we disable DPI-SSL on the NSA3650, all https sites are accessible to the 2019 Servers.

I have used IIS Crypto to check which cipher suites are used.

Anyone else on this forum having issues with Server 2019 and DPI-SSL?

Thanks

Category: Firewall Security Services
Reply

Answers

  • MicahMicah SonicWall Employee

    Hey @GrahamBarnes, I've not seen any discussions with the issue that you are facing. @John_Lasersohn do you have any thoughts on this?

    @micah - SonicWall's Self-Service Sr. Manager

  • Hi @GRAHAMBARNES,

    Looks like the issue is pertained only to 2019 server. I'll have this tested on my end and revert back. In the mean-time you could check the connection failures errors for website accesses from 2019 server. This may pin point the cause of the failure.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hi @Saravanan

    The image below shows what happens when the 2019 server attempts to access www.ebay.co.uk and www.amazon.co.uk...


    On a working Windows 2016 RDS server, we get this...

    On the Windows 2019 RDS Server we get...

    I hope this helps.

    Many Thanks

    Graham

  • Hi @GRAHAMBARNES,

    Thanks for trying out the suggestion and sharing the screenshots.

    Unfortunately, I couldn't reproduce this issue on my end. I checked internally and confirmed there are no similar issue reported already. With DPI-SSL, there have been some problems with website loading and website accesses previously and the fix is added to the firmware version 6.5.4.6. Could you please confirm if your SonicWall appliance is running on this firmware version?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hi @Saravanan

    The SonicWALL is running on 6.5.4.6-79n

    Server 2019 version is 1809 OS build 17763.1432

    The Server 2019 is also showing symptoms of poor webpage loading when accessing websites which are excluded from DPI-SSL inspection such as Sonicwall.com

    This is your webpage after two minutes...

    Disabling DPI-SSL, the Web page then loads instantly.

    Regards,

    Graham

  • Hi @GRAHAMBARNES,

    Thanks for your confirmation. AFA I researched, looks like 2 other cases for similar issue specific to 2019 server website access failing with DPI-SSL enabled is reported. Unfortunately, I couldn't track the activity on those cases. My suggestion to you is, to contact our support team and get this issue reported. We have to analyze the packet captures for the failing websites from 2019 server along with GUI logs. Post analyzing the debug files, necessary remedy would be given.


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Thank you for assisting, case is logged with SonicWALL Support.

    Many Thanks

    Graham

  • You are Welcome @GRAHAMBARNES.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • I can give you my idea @Micah - I think there is some chance that some security settings on W2K19 Server might be part of the issue. Generally speaking, servers don't make good clients :-) I do not mean ones specific to Internet Explorer since you have tried many web browsers and seen problems with all.

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @GrahamBarnes

    The log message is generated when the SSL Handshake between the client and the SonicWall fails.

    The error # indicates that the failure is due to the SSL / TLS Protocol version suggested by the client (in its Client Hello) was rejected by the SonicWall. The SSL / TLS version suggested by the client could be higher or lower than what SonicWall supports. 

    In firmware versions SonicOS 5.9.1.1 and SonicOS 6.2.5.3 and above, TLSv1.0 and SSLv3.0 are disabled by default. The browser used for logging into the SonicWall may not support TLSv1.1 or TLSv1.2 or the said protocols are disabled. 

    Ideally, no changes need to be done in the SonicWall. The client browser must have TLSv1.1 and TLSv1.2 enabled. All latest browsers have this enabled by default.

  • Thanks for your comments @Ajishlal @John_Lasersohn

    I do have my suspicions that it is the W2k19 servers.

    I will contact SonicWALL Support tomorrow and follow up my Case.

  • I worked with SonicWALL Support and compared Packet Capture data from a working W2K16 server and the W2K19 server.

    What is not happening on the W2K19 server is the final Client Key Exchange, Change Cipher Spec, Encrypted Handshake message.

    There just seems to be several TCP Retransmissions.

    So this has taken me on a different troubleshooting path.

    Thinking about this further, all servers are virtual servers running on a 2019 HyperV Cluster.

    I have since created a physical W2K19 server on a HP Proliant DL380 and this works!

    I'll carry on investigating.


    Thanks,

    Graham

  • @GRAHAMBARNES - Thanks for sharing the details.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

Sign In or Register to comment.