https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150523#M24465 <P>Hello, this description is from pcaps that I took from traffic that does work and other that does not work.</P> Thu, 09 Jun 2022 23:24:04 GMT CharlesLZ 2022-06-09T23:24:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150519#M24463 <P class="">Hello, I am currently with a Tshoot on two scenarios from LAN.</P><P class="">IP A:<SPAN>&nbsp;</SPAN><STRONG>Original IP</STRONG></P><P class="">IP B:<SPAN>&nbsp;</SPAN><STRONG>NAT IP</STRONG></P><P class="">IP C:<SPAN>&nbsp;</SPAN><STRONG>WebServer</STRONG></P><P class=""><STRONG>Scenario A that works:</STRONG></P><P class="">Flow:</P><P class="">IP A -&gt; IP C leng 517 (Client Hello TCP with TLS packet)</P><P class="">IP B -&gt; IP C leng 517 (Client Hello TCP with TLS packet)</P><P class="">IP C -&gt; IP A ackno 518 (Server Hello TCP with TLS packet)</P><P class="">IP C-&gt; IP B ackno 518 (Server Hello TCP with TLS packet)</P><P class="">At this point this is expected, and the user can open the browser and connect to the webserver from LAN over HTTPS 443.</P><P class="">&nbsp;</P><P class=""><STRONG>Scenario B does Not Work:</STRONG></P><P class="">Flow:</P><P class="">IP A -&gt; IP C leng 517 (Client Hello TCP with TLS packet)</P><P class="">IP B -&gt; IP C leng 517 (Client Hello TCP with TLS packet)</P><P class="">IP C -&gt; IP A ackno 518 (ONLY TCP ack packet ) no Server Hello response</P><P class="">IP C-&gt; IP B ackno 518 (ONLY TCP ack packet ) no Server Hello response</P><P class="">The user<SPAN>&nbsp;</SPAN><STRONG>can't</STRONG><SPAN>&nbsp;</SPAN>connect to this webserver from LAN, browser and over HTTPS 443.</P><P class="">On scenario B: I receive the acknowledge 518 without TLS Server Hello Payload.</P><P class="">Based on your experience could you infer this packet could be lost somewhere on the LAN network? or if Check Point Firewall at some point could block the Server Hello payload response?.</P><P class="">Could be something about Threat Prevention suite ? SecureXL?</P><P class="">I also created TCP State Exceptions but did not work.</P><P class="">I appreciate you response</P><P class="">Have a gr8 day!!!!!!!!!!!!</P> Thu, 09 Jun 2022 19:55:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150519#M24463 CharlesLZ 2022-06-09T19:55:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150522#M24464 <P>You would need to do packet captures when it works and when it does not work, so comparing those would probably show you the difference.</P> Thu, 09 Jun 2022 23:19:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150522#M24464 the_rock 2022-06-09T23:19:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150523#M24465 <P>Hello, this description is from pcaps that I took from traffic that does work and other that does not work.</P> Thu, 09 Jun 2022 23:24:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150523#M24465 CharlesLZ 2022-06-09T23:24:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150524#M24466 <P>Say if you took fw monitor, what do you see? Is it taking the same path?</P> Thu, 09 Jun 2022 23:24:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150524#M24466 the_rock 2022-06-09T23:24:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150948#M24564 <P>To understand this better, it is important to know, where you did the traffic capture. On the client, on the server, at the firewall itself, at the client side of the firewall, at the server side of the firewall?</P> <P>And, as the_rock already said: A fw monitor would be interesting. Please take care of SecureXL or use multiple -F arguments.</P> Wed, 15 Jun 2022 14:06:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/150948#M24564 Tobias_Moritz 2022-06-15T14:06:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/216727#M41286 <P>I also have the same issue.&nbsp;</P><P>Both boxes have the same config for httpd, and httpd_ssl. Even when I use the same browser, one gets a Server key and Server Hello back, the other one doesn't.&nbsp;</P><P>&nbsp;</P><P>I see a notification that the responses cannot be displayed. If anyone has figured out a fix, can you share? Thanks in advance.</P> Thu, 06 Jun 2024 13:34:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/216727#M41286 LThomas 2024-06-06T13:34:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221454#M42414 <P>Facing similar issue. Website is working fine on ASA firewall. When ASA is replaced with Checkpoint it is not working. It has been observed that server hello is not received when Checkpoint is in place. We are using only firewall blade and no HTTPS inspection. Also tried disabling stateful inspection in global properties but no luck. Unable to find the cause of the issue as server team is not ready to troubleshoot the issue from their end as all other locations are able to connect to the same server. Also raised TAC but they are asking to get server team on call.</P><P>Any clue why server hello is not received when Checkpoint is in place.</P> Sat, 20 Jul 2024 09:09:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221454#M42414 Rohit_Raut 2024-07-20T09:09:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221455#M42415 <P>I can see why TAC is asking you that, I would be doing exactly the same thing. It would be useful to see working and non-working captures for comparison. Btw, when this fails, do you have any logs/debug you can share?</P> <P>Andy</P> Sat, 20 Jul 2024 11:16:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221455#M42415 the_rock 2024-07-20T11:16:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221978#M42548 <P>Kindly find attached pcap file. src: 192.168.226.55 dst:10.45.74.18.&nbsp; &nbsp;&nbsp;tcp.stream eq 9.</P> Fri, 26 Jul 2024 06:13:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221978#M42548 Rohit_Raut 2024-07-26T06:13:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221990#M42550 <P>Dont see any files...</P> Fri, 26 Jul 2024 11:30:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-TLS-Server-Hello-Response-issue-Networking-Troubleshoot/m-p/221990#M42550 the_rock 2024-07-26T11:30:04Z