This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
abihsot__
Advisor
‎2019-02-06 02:35 AM

Mobile Access portal problem

Hi Guys,

Have anyone encountered such error in trace logs between gateway and backend server:

[LOGGER_CURL_INFO/] |11:25:28.998| TLSv1.2 (OUT), TLS alert, Server hello (2):
[LOGGER_CURL_INFO/] |11:25:28.998| SSL read: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac, errno 0
[LOGGER_CURL_INFO/] |11:25:28.998| Closing connection 0
[LOGGER_CURL_INFO/] |11:25:28.998| TLSv1.2 (OUT), TLS alert, Client hello (1):

This happens on both R80.10 and R80.20 any JHF.

Gateway is a VM on esx.

Due to this error some files are partially downloaded, hence the webpage is broken.

7 Replies
PhoneBoy
Admin
Admin
‎2019-02-08 02:51 PM

The error suggests the SSL/TLS negotiation is failing.

What happens when you access the site in question without going through MAB?

Can you validate the TLS version used by your browser?

0 Kudos
abihsot__
Advisor
‎2019-02-10 11:18 PM
In response to PhoneBoy

Hi Dameon,

Thanks for reply. Going directly to website - no problem. Connection is established using TLS1.2. By the way, forgot to mention:

* Using R77.30 works fine

* R80.10 MAB - I get this error with multiple web apps. This suggests it is not specific to that particular website.

0 Kudos
abihsot__
Advisor
‎2019-02-10 11:48 PM
In response to abihsot__

During the event in tcpdump I can see rst flag is sent by gateway. But why?

I have done so far:

* changed TLS1.2 ciphers

* downgraded to TLS1.1 and TLS1.0

* Installed GW in different VLAN.

* tested with all vmware network adapter types

PhoneBoy
Admin
Admin
‎2019-02-11 08:58 AM
In response to abihsot__

I would open a TAC case so we can troubleshoot this.

How To Open a Case with TAC and/or Account Services

0 Kudos
abihsot__
Advisor
‎2019-02-11 10:42 PM
In response to PhoneBoy

Been there too Smiley Happy case is open for months now with almost no progress Smiley Sad I was thinking giving a shot here

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-12 09:04 AM
In response to abihsot__

Please send me the SR in a Private Message.

abihsot__
Advisor
‎2019-08-06 08:53 AM
In response to PhoneBoy

This issue definitely shortened my life expectancy 😄 Overall TAC help was very poor. The ticket lasted almost a year 😞

Finally after many experiments the only thing which helped is the gateway with 3.10 kernel...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events