This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CharlesLZ
Explorer
‎2022-06-09 12:52 PM

No TLS Server Hello Response issue - Networking Troubleshoot

Hello, I am currently with a Tshoot on two scenarios from LAN.

IP A: Original IP

IP B: NAT IP

IP C: WebServer

Scenario A that works:

Flow:

IP A -> IP C leng 517 (Client Hello TCP with TLS packet)

IP B -> IP C leng 517 (Client Hello TCP with TLS packet)

IP C -> IP A ackno 518 (Server Hello TCP with TLS packet)

IP C-> IP B ackno 518 (Server Hello TCP with TLS packet)

At this point this is expected, and the user can open the browser and connect to the webserver from LAN over HTTPS 443.

 

Scenario B does Not Work:

Flow:

IP A -> IP C leng 517 (Client Hello TCP with TLS packet)

IP B -> IP C leng 517 (Client Hello TCP with TLS packet)

IP C -> IP A ackno 518 (ONLY TCP ack packet ) no Server Hello response

IP C-> IP B ackno 518 (ONLY TCP ack packet ) no Server Hello response

The user can't connect to this webserver from LAN, browser and over HTTPS 443.

On scenario B: I receive the acknowledge 518 without TLS Server Hello Payload.

Based on your experience could you infer this packet could be lost somewhere on the LAN network? or if Check Point Firewall at some point could block the Server Hello payload response?.

Could be something about Threat Prevention suite ? SecureXL?

I also created TCP State Exceptions but did not work.

I appreciate you response

Have a gr8 day!!!!!!!!!!!!

0 Kudos
9 Replies
the_rock
Legend
Legend
‎2022-06-09 04:19 PM

You would need to do packet captures when it works and when it does not work, so comparing those would probably show you the difference.

0 Kudos
CharlesLZ
Explorer
‎2022-06-09 04:23 PM
In response to the_rock

Hello, this description is from pcaps that I took from traffic that does work and other that does not work.

0 Kudos
the_rock
Legend
Legend
‎2022-06-09 04:24 PM
In response to CharlesLZ

Say if you took fw monitor, what do you see? Is it taking the same path?

0 Kudos
Tobias_Moritz
Advisor
‎2022-06-15 07:06 AM
In response to CharlesLZ

To understand this better, it is important to know, where you did the traffic capture. On the client, on the server, at the firewall itself, at the client side of the firewall, at the server side of the firewall?

And, as the_rock already said: A fw monitor would be interesting. Please take care of SecureXL or use multiple -F arguments.

0 Kudos
LThomas
Explorer
‎2024-06-06 06:34 AM

I also have the same issue. 

Both boxes have the same config for httpd, and httpd_ssl. Even when I use the same browser, one gets a Server key and Server Hello back, the other one doesn't. 

 

I see a notification that the responses cannot be displayed. If anyone has figured out a fix, can you share? Thanks in advance.

0 Kudos
Rohit_Raut
Participant
‎2024-07-20 02:09 AM

Facing similar issue. Website is working fine on ASA firewall. When ASA is replaced with Checkpoint it is not working. It has been observed that server hello is not received when Checkpoint is in place. We are using only firewall blade and no HTTPS inspection. Also tried disabling stateful inspection in global properties but no luck. Unable to find the cause of the issue as server team is not ready to troubleshoot the issue from their end as all other locations are able to connect to the same server. Also raised TAC but they are asking to get server team on call.

Any clue why server hello is not received when Checkpoint is in place.

0 Kudos
the_rock
Legend
Legend
‎2024-07-20 04:16 AM
In response to Rohit_Raut

I can see why TAC is asking you that, I would be doing exactly the same thing. It would be useful to see working and non-working captures for comparison. Btw, when this fails, do you have any logs/debug you can share?

Andy

0 Kudos
Rohit_Raut
Participant
‎2024-07-25 11:13 PM
In response to the_rock

Kindly find attached pcap file. src: 192.168.226.55 dst:10.45.74.18.    tcp.stream eq 9.

0 Kudos
the_rock
Legend
Legend
‎2024-07-26 04:30 AM
In response to Rohit_Raut

Dont see any files...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events