Sried
Participant

CP R80.30 Not allowed SSL version

Hi Everyone,

I'm currently encountering an issue with several drops: connections of different services are being rejected with the message "Not allowed SSL version".

I checked the DB settings: ssl_min_ver is set to sslv3 while max is set to tls1.2.

I also created a separate rule for SSL inspection as described in sk34182, yet I still receive the error.

 

Currently it blocks me from initiating an RDP session within an existing Site-to-Site VPN connection.

Remote_Desktop_Protocol (TCP/3389)
Action: Reject
Reason: Not allowed SSL version

 

So far I was not able to find any other sk article regarding this issue.

Has anyone else encountered this problem?

 

Accepted Solutions
Sried
Participant

Hi everyone,

 

It turned out that someone had configured multiple services with an active protocol signature (TCP, UDP) under R77.80.

But instead of matching them to the recommended port (e.g. 443 TCP), they were matched for any port. This led to the error that any TCP/UDP traffic which was encrypted matched those services (which were missing from the security and application policy rules). The issue became visible after the update from 77.30 to 80.20.

 

As a solution, I deleted both services.

Thanks for all the help.

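The root cause in the accepted solution is a generic one: a service object that matches by protocol signature but is bound to "Any" port claims every flow carrying that signature, whatever port it uses. The following audit script, an added example that is not part of the original thread or of Check Point's own tooling, walks the JSON returned by the Management API (`mgmt_cli show services-tcp details-level full --format json`, and likewise `services-udp`) and lists exactly those objects. The per-object keys `name`, `type`, `port`, `protocol` and `match-by-protocol-signature`, and the way an "Any" port is encoded, are assumptions taken from the public Management API reference; the sample response embedded below is constructed, not captured from a real server.

```python
"""
Audit Check Point service objects for the pattern behind the accepted
solution: protocol-signature services matched on ANY port.

Added example, not code from the thread or from Check Point. It assumes
the JSON shape of 'mgmt_cli show services-tcp details-level full
--format json' (and the services-udp equivalent): per-object keys
'name', 'type', 'port', 'protocol', 'match-by-protocol-signature'.
Verify those key names against your own management server's output.
"""
import json
from typing import Any, Dict, List

# Values treated as "Match by port: Any". The exact encoding the API uses
# is an assumption; extend this set with whatever your server returns.
ANY_PORT_MARKERS = {"", "any", "*"}

# Constructed sample response (not captured from a real server).
# "SSL_V3_any" models the legacy R77.30 object found in the thread:
# signature SSL_V3, port Any. The other two objects are well-formed.
SAMPLE_SERVICES_TCP = json.dumps({
    "objects": [
        {"name": "https", "type": "service-tcp", "port": "443",
         "protocol": "HTTPS", "match-by-protocol-signature": True},
        {"name": "SSL_V3_any", "type": "service-tcp", "port": "",
         "protocol": "SSL_V3", "match-by-protocol-signature": True},
        {"name": "Remote_Desktop_Protocol", "type": "service-tcp",
         "port": "3389", "protocol": "",
         "match-by-protocol-signature": False},
    ],
    "total": 3,
})


def is_any_port(port: Any) -> bool:
    """True if the port field means 'Any' rather than a fixed port/range."""
    if port is None:
        return True
    return str(port).strip().lower() in ANY_PORT_MARKERS


def find_overbroad_signature_services(response_json: str) -> List[Dict[str, str]]:
    """Return services that match by protocol signature on any port.

    Such an object claims every flow carrying that signature (for SSL_V3,
    any SSL/TLS handshake) regardless of destination port, which matches
    the symptom in the thread: encrypted RDP on TCP/3389 classified as an
    SSL service that no rule allowed, and rejected.
    """
    data = json.loads(response_json)
    findings: List[Dict[str, str]] = []
    for obj in data.get("objects", []):
        if not obj.get("match-by-protocol-signature", False):
            continue  # port-only service: cannot capture other traffic
        if not is_any_port(obj.get("port")):
            continue  # signature pinned to a specific port: intended use
        findings.append({
            "name": obj.get("name", "?"),
            "type": obj.get("type", "?"),
            "protocol": obj.get("protocol", "") or "(none)",
        })
    return findings


def format_report(findings: List[Dict[str, str]]) -> str:
    """One line per offending service, for a ticket or change request."""
    if not findings:
        return "No protocol-signature services matched on any port."
    lines = ["Protocol-signature services matched on ANY port (review/delete):"]
    for f in findings:
        lines.append(f"  {f['name']} ({f['type']}, signature={f['protocol']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Against a real server, replace SAMPLE_SERVICES_TCP with the output of
    #   mgmt_cli -r true show services-tcp details-level full limit 500 --format json
    # and repeat for 'show services-udp'.
    print(format_report(find_overbroad_signature_services(SAMPLE_SERVICES_TCP)))
```

Run it once per service type (TCP and UDP) after an upgrade from an older release, since the thread shows such objects survive the migration silently and only surface once the new version's signature matching is applied to them.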
_Val_
Admin
_Val_
Admin

If that does not help, you can try HTTPSi bypass rule for RDP specifically

Sried
Participant

Hi Valeri,

 

I tried the explicit HTTPS bypass rule for RDP; unfortunately the behavior is still the same.

I also tried your link, but I get the message: "Solution could not be found in the system."

 

Yet I found a TCP service which could be a remnant from R77.30:

Protocol: SSL_V3
Match By Port: Any
Protocol Signature: checked

 

Could it be that the service is mismatched since it fulfills the criteria for this object?
_Val_
Admin

Yes, you might need to set up a _new_ RDP service. One inherited from R77.30 is no good.

PhoneBoy
Admin
HTTPS Inspection is only for web traffic, it shouldn't impact RDP.
I suspect this is getting blocked by IPS which does have protections that block older SSL versions.
Can you provide a screenshot of the log card? (Feel free to mask sensitive details)
Sried
Participant

Hi,

I attached the log for the RDP drop.
_Val_
Admin

The action is bypass, so it is not the policy. Which HFA are you running? With R80.30 you need at least Jumbo 50.

_Val_
Admin

@PhoneBoy I am afraid you are mistaken; please check the SK I have referenced above.

Sried
Participant

Hi,

 

I just checked the version of the cluster.

Sorry, it seems I was mistaken. R80.30 is the console.

Currently installed:

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
PhoneBoy
Admin
There is a specific hotfix you will need to install, but it's on top of a different jumbo take (47): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Recommend engaging with the TAC.
PhoneBoy
Admin
Huh, you learn something new every day. 😁