Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 26 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 32979 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTPS errors accessing web sites from SSL VPN after v15 to v16 upgrade

MiroslavCacija

After upgrade form latest v15 to latest v16 ( SFOS 16.01.1 ), when connected remotely via SSL VPN, and trying to access any HTTPS site in remote network, I'm getting errors and cannot access any site. HTTPS scanning is disabled for VPN connections, but Sophos still intercepts HTTPS traffic when comming from VPN. Am I missing something ?

In v15 this was working normally, never had a problem with this.



This thread was automatically locked due to age.
Parents
  • 0

    Miroslav,

    can you share a screenshot of the error message you get? Also can you share the policy rule applied to SSL VPN users?

    Thanks

  • 0 in reply to lferrara

    Before the upgrade, when connected to SSL VPN, I could browse normally RD WEB ( or any HTTPS web on the remote network ), now I'm getting error, because Sophos is intercepting HTTPS traffic:

     

     

  • 0 in reply to MiroslavCacija

    Thanks!

    Can you share a tcpdump filtered for port 443 and SSL VPN client IP?

    Regards

  • 0 in reply to lferrara

    Sorry, how can I do this ? Never used it before ...

    Thx !

  • 0 in reply to MiroslavCacija

    Miroslav,

    connect to XG console frm Web or Putty, choose option 4 and type:

    tcpdump ‘host ip and port 443’

    Thanks

  • 0 in reply to lferrara

    console> tcpdump "host 10.81.234.6 and port 443"
    tcpdump: Starting Packet Dump
    10:11:10.317186 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [S], seq 1831438675, win 65535, options [mss 1340,nop,wscale 3,nop,nop,sackOK], length 0
    10:11:10.317255 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55420: Flags [S.], seq 41718827, ack 1831438676, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    10:11:10.338872 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [.], ack 1, win 32768, length 0
    10:11:10.340042 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [P.], ack 1, win 32768, length 232
    10:11:10.340059 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55420: Flags [.], ack 233, win 237, length 0
    10:11:10.616718 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55420: Flags [.], ack 233, win 237, length 1340
    10:11:10.616727 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55420: Flags [.], ack 233, win 237, length 1340
    10:11:10.616731 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55420: Flags [P.], ack 233, win 237, length 2
    10:11:10.639690 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [.], ack 1341, win 32768, length 0
    10:11:10.640235 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [.], ack 2681, win 32768, length 0
    10:11:10.640700 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [.], ack 2683, win 32767, length 0
    10:11:10.707621 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [F.], seq 233, ack 2683, win 32767, length 0
    10:11:10.707706 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55420: Flags [F.], seq 2683, ack 234, win 237, length 0
    10:11:10.709607 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [S], seq 3670170337, win 65535, options [mss 1340,nop,wscale 3,nop,nop,sackOK], length 0
    10:11:10.709663 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55421: Flags [S.], seq 2402212776, ack 3670170338, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    10:11:10.729120 tun0, IN: IP 10.81.234.6.55420 > 172.16.3.71.443: Flags [.], ack 2684, win 32767, length 0
    10:11:10.731214 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [.], ack 1, win 32768, length 0
    10:11:10.732186 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [P.], ack 1, win 32768, length 232
    10:11:10.732211 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55421: Flags [.], ack 233, win 237, length 0
    10:11:10.927134 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55421: Flags [.], ack 233, win 237, length 1340
    10:11:10.927139 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55421: Flags [.], ack 233, win 237, length 1340
    10:11:10.927144 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55421: Flags [P.], ack 233, win 237, length 2
    10:11:10.950557 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [.], ack 1341, win 32768, length 0
    10:11:10.951243 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [.], ack 2681, win 32768, length 0
    10:11:10.951676 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [.], ack 2683, win 32767, length 0
    10:11:10.967684 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [F.], seq 233, ack 2683, win 32767, length 0
    10:11:10.967823 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55421: Flags [F.], seq 2683, ack 234, win 237, length 0
    10:11:10.989920 tun0, IN: IP 10.81.234.6.55421 > 172.16.3.71.443: Flags [.], ack 2684, win 32767, length 0
    10:11:14.149935 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [S], seq 144579324, win 65535, options [mss 1340,nop,wscale 3,nop,nop,sackOK], length 0
    10:11:14.149984 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55422: Flags [S.], seq 1832363907, ack 144579325, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    10:11:14.171969 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [.], ack 1, win 32768, length 0
    10:11:14.174074 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [P.], ack 1, win 32768, length 232
    10:11:14.174092 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55422: Flags [.], ack 233, win 237, length 0
    10:11:14.507834 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55422: Flags [.], ack 233, win 237, length 1340
    10:11:14.507846 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55422: Flags [.], ack 233, win 237, length 1340
    10:11:14.507851 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55422: Flags [P.], ack 233, win 237, length 2
    10:11:14.531941 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [.], ack 1341, win 32768, length 0
    10:11:14.532505 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [.], ack 2681, win 32768, length 0
    10:11:14.533439 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [.], ack 2683, win 32767, length 0
    10:11:14.554364 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [F.], seq 233, ack 2683, win 32767, length 0
    10:11:14.556015 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55422: Flags [F.], seq 2683, ack 234, win 237, length 0
    10:11:14.559606 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [S], seq 252560853, win 65535, options [mss 1340,nop,wscale 3,nop,nop,sackOK], length 0
    10:11:14.559662 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55423: Flags [S.], seq 1926072159, ack 252560854, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    10:11:14.578396 tun0, IN: IP 10.81.234.6.55422 > 172.16.3.71.443: Flags [.], ack 2684, win 32767, length 0
    10:11:14.581615 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [.], ack 1, win 32768, length 0
    10:11:14.583156 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [P.], ack 1, win 32768, length 232
    10:11:14.583179 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55423: Flags [.], ack 233, win 237, length 0
    10:11:14.894134 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55423: Flags [.], ack 233, win 237, length 1340
    10:11:14.894149 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55423: Flags [.], ack 233, win 237, length 1340
    10:11:14.894153 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55423: Flags [P.], ack 233, win 237, length 2
    10:11:14.917214 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [.], ack 1341, win 32768, length 0
    10:11:14.917725 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [.], ack 2681, win 32768, length 0
    10:11:14.918131 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [.], ack 2683, win 32767, length 0
    10:11:14.935762 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [F.], seq 233, ack 2683, win 32767, length 0
    10:11:14.935832 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55423: Flags [F.], seq 2683, ack 234, win 237, length 0
    10:11:14.939750 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [S], seq 4037583097, win 65535, options [mss 1340,nop,wscale 3,nop,nop,sackOK], length 0
    10:11:14.939802 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [S.], seq 589145162, ack 4037583098, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    10:11:14.957792 tun0, IN: IP 10.81.234.6.55423 > 172.16.3.71.443: Flags [.], ack 2684, win 32767, length 0
    10:11:14.961521 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [.], ack 1, win 32768, length 0
    10:11:14.962301 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [P.], ack 1, win 32768, length 232
    10:11:14.962317 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [.], ack 233, win 237, length 0
    10:11:15.279853 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [.], ack 233, win 237, length 1340
    10:11:15.279867 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [.], ack 233, win 237, length 1340
    10:11:15.279872 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [P.], ack 233, win 237, length 2
    10:11:15.303865 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [.], ack 1341, win 32768, length 0
    10:11:15.304235 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [.], ack 2681, win 32768, length 0
    10:11:15.304428 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [.], ack 2683, win 32767, length 0
    10:11:15.321272 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [P.], ack 2683, win 32767, length 126
    10:11:15.321283 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [.], ack 359, win 237, length 0
    10:11:15.321544 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [P.], ack 359, win 237, length 258
    10:11:15.322941 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [P.], ack 2683, win 32767, length 493
    10:11:15.323026 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [P.], ack 852, win 245, length 280
    10:11:15.323147 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [P.], ack 852, win 245, length 31
    10:11:15.323274 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [F.], seq 3252, ack 852, win 245, length 0
    10:11:15.344147 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [.], ack 2941, win 32735, length 0
    10:11:15.345097 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [.], ack 3221, win 32700, length 0
    10:11:15.345732 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [F.], seq 852, ack 3221, win 32700, length 0
    10:11:15.345746 tun0, OUT: IP 172.16.3.71.443 > 10.81.234.6.55424: Flags [.], ack 853, win 245, length 0
    10:11:15.346176 tun0, IN: IP 10.81.234.6.55424 > 172.16.3.71.443: Flags [R.], seq 853, ack 3252, win 0, length 0

  • 0 in reply to MiroslavCacija

    Thanks.

    Is your HTTPS server 172.16.3.71?

Reply Children
No Data