Sried

CP R.80.30 Not allowed SSL version


Hi Everyone,

I'm currently encountering an issue with several drops of different services being rejected with the message Not allowed SSL version.

I checked the DB settings: ssl_min_ver is set to sslv3 while max is set to tls1.2.

I also created a separate rule for SSL inspection as described in sk34182, yet I still receive the error.

Currently it blocks me from initiating an RDP session within an existing site-to-site VPN connection.

Remote_Desktop_Protocol (TCP/3389)

Reject

Not allowed SSL version

So far I was not able to find any other SK article regarding this issue.

Has anyone else encountered this problem?


Accepted Solutions
Sried

Re: CP R.80.30 Not allowed SSL version


Hi everyone,

It turned out that someone configured multiple services with active protocol signature (TCP, UDP) under R77.80.

But instead of matching them to the recommended port (e.g. 443 TCP) they were matched for any port. This led to the error that any TCP/UDP traffic which was encrypted matched those services (which were missing in the security and application policy rules). The issue became visible after the update from R77.30 to R80.20.

As a solution, I deleted both services.

Thanks for all the help.

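An audit that mirrors the root cause in the accepted solution, as an added example that is not Check Point's code: it reads the JSON a management API service listing produces and flags TCP services whose protocol signature is matched on any port. The field names `port`, `protocol` and `match-by-protocol-signature` are assumed to be those of the Management API's service-tcp object, and the sample input is constructed.

```python
import json

# Constructed sample in the shape of `mgmt_cli show services-tcp details-level full
# --format json` output (assumed field names; values are made up for this example).
SAMPLE_JSON = """
{"objects": [
  {"name": "https", "port": "443", "protocol": "HTTPS",
   "match-by-protocol-signature": true},
  {"name": "Remote_Desktop_Protocol", "port": "3389", "protocol": "",
   "match-by-protocol-signature": false},
  {"name": "legacy_ssl_v3", "port": "Any", "protocol": "SSL_V3",
   "match-by-protocol-signature": true},
  {"name": "legacy_tls_range", "port": "1-65535", "protocol": "SSL_V3",
   "match-by-protocol-signature": true},
  {"name": "high_ports_sig", "port": ">1023", "protocol": "HTTPS",
   "match-by-protocol-signature": true}
]}
"""

def port_spec_is_any(spec: str) -> bool:
    """True if a service port spec ("Any", "1-65535", ">0") covers every port."""
    spec = spec.strip().lower()
    if spec in ("any", "*"):
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= 1 and hi >= 65535
    if spec.startswith(">"):
        return int(spec[1:]) < 1
    return False

def find_any_port_signature_services(api_json: str) -> list:
    """Return (name, protocol, port) for services that match by protocol
    signature on every port. Such an object claims any flow whose payload
    looks like its protocol, so it shadows the intended service (here RDP on
    TCP/3389) and the flow is judged by the signature service's rules instead."""
    data = json.loads(api_json)
    return [
        (svc["name"], svc.get("protocol", ""), svc.get("port", ""))
        for svc in data.get("objects", [])
        if svc.get("match-by-protocol-signature")
        and port_spec_is_any(str(svc.get("port", "")))
    ]

def report(api_json: str) -> str:
    """One line per finding; empty string when the service set is clean."""
    return "\n".join(
        f"{name}: signature {proto or '?'} matched on port '{port}' (any); "
        "pin the object to its real port or delete it"
        for name, proto, port in find_any_port_signature_services(api_json)
    )

if __name__ == "__main__":
    print(report(SAMPLE_JSON) or "no any-port protocol-signature services found")
```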

Re: CP R.80.30 Not allowed SSL version


Re: CP R.80.30 Not allowed SSL version


If that does not help, you can try an HTTPSi bypass rule for RDP specifically.

Sried

Re: CP R.80.30 Not allowed SSL version


Hi Valeri,

I tried the explicit HTTPS bypass rule for RDP; unfortunately the behavior is still the same.

I also tried your link, but I get the message: Solution could not be found in the system.

Yet I found a TCP service which could be a remnant from R77.30:

Protocol: SSL_V3

Match By Port:  Any  

Protocol Signature: checked

 

Could it be that the service is mismatched since it fulfills the criteria for this object?

Re: CP R.80.30 Not allowed SSL version


Yes, you might need to set up a _new_ RDP service. One inherited from R77.30 is no good.

Admin

Re: CP R.80.30 Not allowed SSL version

HTTPS Inspection is only for web traffic, it shouldn't impact RDP.
I suspect this is getting blocked by IPS which does have protections that block older SSL versions.
Can you provide a screenshot of the log card? (Feel free to mask sensitive details)
Sried

Re: CP R.80.30 Not allowed SSL version


Hi,

I attached the log for the RDP drop.

Re: CP R.80.30 Not allowed SSL version


The action is bypass, so it is not the policy. Which HFA are you running? With R80.30 you need at least Jumbo 50.


Re: CP R.80.30 Not allowed SSL version


@PhoneBoy I am afraid you are mistaken; please check the SK I have referenced above.

Sried

Re: CP R.80.30 Not allowed SSL version


Hi,

I just checked the version of the cluster.

Sorry, it seems I was mistaken. R80.30 is the Console.

Currently installed:

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
Admin

Re: CP R.80.30 Not allowed SSL version

There is a specific hotfix you will need to install, but it's on top of a different jumbo take (47): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Recommend engaging with the TAC.
Admin

Re: CP R.80.30 Not allowed SSL version

Huh, you learn something new every day. 😁