
Bridged VLAN - RDP - SSL Engine Issue - Server did not respond to client hello

I have an XG running 18.5.1 MR1.

This XG has two physical interfaces bridged together with multiple VLANs.

Each of these connections goes to a managed switch via said bridged (trunk) connections.

I have a server in VLAN 5 that is connected to one switch on one of the bridged physical connections, and I have a client on VLAN 5 connected to a switch on the other physical bridged connection.

Traffic seems to work, except RDP traffic.

I have excluded said server from SSL decryption, but in the SSL log viewer I still see the error "Server did not respond to client hello".

UPDATE 2021-10-20: I have disabled the SSL/TLS engine and then RDP started working. I re-enabled it and it stops working again. I suspect something isn't being dealt with correctly with the bridged VLAN and the SSL exception rules.

Any ideas?

EDIT:

Also to note: going from VLAN 6 to VLAN 5 from another client works.

This thread was automatically locked due to age.
  • I read this over and double-checked my config, but as far as I can see it seems to be a bug. Unfortunately I do not have a paid version.

    It only happens on RDP traffic going across a bridged VLAN interface. Even when I configure traffic to completely bypass the TLS/SSL decryption, it still fails with the error "Server did not respond to client hello" in the SSL/TLS Inspection log.
