SRX

last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  TLS on https didn't reply the hello from server.

    Posted 03-18-2018 21:06

    I have a problem regarding to the connection for transit the https traffic. We've attempt do dump using PCAP by setting up the datapath-debug. The following are the result of PCAP.

    TCP dump, failed TLS.TCP dump, failed TLS.

    At this point the source host send the hello packet to the server. But it seems the server didn't reply hello packet to the client. The following should be depicts of successful TLS connection.

    tcpdump-success.jpeg

    Is there something not configured on SRX?



  • 2.  RE: TLS on https didn't reply the hello from server.

    Posted 03-19-2018 02:57

    Does the policy that permits the traffic have deep insprection or decryption enabled?

     

    If so these may be doing something unexpected.  If not, then there is nothing the SRX is doing to the stream that would affect the transaction.

     



  • 3.  RE: TLS on https didn't reply the hello from server.

    Posted 03-19-2018 15:49

    We have no SSL inspection enabled. Can you tell me how to check the decryption on SRX?

     

    Please note, the following are the valid session regarding to my first post.The destination host might not the same due the source host randomizes the IP address based on their service.

    valid session on https and TLSvalid session on https and TLS

     



  • 4.  RE: TLS on https didn't reply the hello from server.
    Best Answer

    Posted 03-20-2018 03:14

    We can see if the content of the policy has any references to the inspection engines.

     

    show configuration security policy from-zone AAA to-zone BBB policy Forti_Webservice

     

    look for application-services utm-policy

    or : application-firewall

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/utm-content-filtering-utm-policy-to-security-policy-attaching-cli.html

     

    SSL decryption is activated in the policy as well using ssl-proxy

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ssl-proxy-workflow-configuring.html

     

    If none of these are active then the session is being permitted and not manipulated so the issue will be outside the SRX.

     



  • 5.  RE: TLS on https didn't reply the hello from server.

    Posted 03-20-2018 21:33

    We don't use utm-policy or ssl-proxy configured on the security policy. Just simple permits the connection.

    https security policy.https security policy.then would be as you said, the problem might the outside of SRX.

     



  • 6.  RE: TLS on https didn't reply the hello from server.

    Posted 03-21-2018 03:10

    Right there is no inspection present on this policy that would drop some packets in the stream then.

     



  • 7.  RE: TLS on https didn't reply the hello from server.

    Posted 03-21-2018 17:12

    Thanks, the problem just solved. The host tcp traffic is encrypted by SSL. Then we use transit toward the ssl proxy server to make it able worked well.