DPI Problem "Dropped due to TLS engine error: FLOW_TIMEOUT[5]"

Our customer has a production machine which tries to connect via a proprietary SSLVPN to a remote server via IP address.

There is no webfilter enabled on the firewall rule,

and the following exceptions are in place:

excluded IP address via webfilter exceptions

As soon as DPI is turned on, the machine is unable to connect to the remote server.

From the DPI log I can see the following entry:

SSL/TLS inspection
2021-06-24 14:38:59
messageid="19006" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="" src_ip="10.*.*.*" dst_ip="194.*.*.*" user_group="" src_country="R1" dst_country="DEU" src_port="47520" dst_port="443" app_name="" app_id="0" category="IPAddress" category_id="83" con_id="803011456" rule_id="1" profile_id="1" rule_name="Exclusions by website or category" profile_name="Maximum compatibility" bitmask="" key_type="KEY_TYPE__UNKNOWN" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="" sni="194.*.*.*" tls_version="Unknown" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception="av,https,validation,policy,sandstorm" message=""

Even though it seems like the traffic matched the exception rules.

How can I bypass the DPI at all?

This thread was automatically locked due to age.
  • "pp exception in the tls logistics"

    Could you please explain where exactly or what exactly this is?

    "or turn on the http proxy with allow all in the web policy."

    Makes sense: turn on the legacy web proxy so that DPI is bypassed, then use the regular exceptions to prevent decrypting.

  • The DPI is actually used for everything, if turned on. There seems to be a reason your application is failing with DPI enabled. Flow Timeout sounds like the application/server is not answering, even if we are not manipulating the packet.

    If you check via tcpdump, do you see the timeouts?

    PS: Be sure the application is not using other services after this IP and those are not excluded.

    Disable all apps on the client, filter the Log Viewer to the client IP and switch to TLS/SSL. Then reopen the app and check which servers etc. are opened.
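
As an added example (not code from the thread or from Sophos), a small Python parser for the key="value" SSL/TLS log format shown in the question: it filters the records to one client IP, as the reply above suggests doing in the Log Viewer, and lists per destination which flows the TLS engine dropped even though they matched an exception. The log lines are constructed for illustration and use documentation IP ranges; the field names are the ones visible in the original log entry.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Sophos SSL/TLS log format from the question
# (only the fields needed below; IPs are from documentation ranges).
SAMPLE_LOG = """\
log_type="SSL" log_component="SSL" log_subtype="Error" src_ip="10.0.0.5" dst_ip="192.0.2.10" dst_port="443" category="IPAddress" rule_name="Exclusions by website or category" profile_name="Maximum compatibility" sni="192.0.2.10" tls_version="Unknown" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception="av,https,validation,policy,sandstorm"
log_type="SSL" log_component="SSL" log_subtype="Error" src_ip="10.0.0.5" dst_ip="198.51.100.7" dst_port="443" category="IPAddress" rule_name="Exclusions by website or category" profile_name="Maximum compatibility" sni="updates.example.test" tls_version="TLSv1.2" reason="" exception=""
log_type="SSL" log_component="SSL" log_subtype="Error" src_ip="10.0.0.9" dst_ip="203.0.113.4" dst_port="443" category="IPAddress" rule_name="Default" profile_name="Maximum compatibility" sni="203.0.113.4" tls_version="Unknown" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception=""
"""

# Each field is key="value"; values never contain a double quote.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def flows_for_client(log_text, client_ip):
    """Return the parsed records whose src_ip is the given client, i.e. the
    same narrowing the reply recommends doing in the Log Viewer."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r.get("src_ip") == client_ip]


def summarize(records):
    """Per destination ip:port, collect the SNIs seen, any TLS engine drop
    reasons, and flag records that matched an exception yet were dropped."""
    summary = defaultdict(
        lambda: {"sni": set(), "drops": set(), "excluded_but_dropped": False})
    for r in records:
        entry = summary[f'{r["dst_ip"]}:{r["dst_port"]}']
        entry["sni"].add(r.get("sni", ""))
        reason = r.get("reason", "")
        if reason.startswith("Dropped due to TLS engine error"):
            entry["drops"].add(reason)
            # A non-empty exception list means the exclusion rule matched,
            # which is exactly the puzzling case in the question.
            if r.get("exception"):
                entry["excluded_but_dropped"] = True
    return dict(summary)


if __name__ == "__main__":
    for dst, info in summarize(flows_for_client(SAMPLE_LOG, "10.0.0.5")).items():
        print(dst, sorted(info["sni"]), sorted(info["drops"]),
              "excluded-but-dropped" if info["excluded_but_dropped"] else "")
```

Running it for client 10.0.0.5 lists both destinations the client opened, so a second, non-excluded server used by the application (the "PS" in the reply) shows up next to the one that timed out.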

  • There is a typing error in my post: ignore "and pp", it should be "an".

    You do not need an exception in the web proxy if you do not tick decrypt and scan.

    Ian