Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CharlesLZ
Explorer

No TLS Server Hello Response issue - Networking Troubleshoot

Hello, I am currently with a Tshoot on two scenarios from LAN.

IP A: Original IP

IP B: NAT IP

IP C: WebServer

Scenario A that works:

Flow:

IP A -> IP C leng 517 (Client Hello TCP with TLS packet)

IP B -> IP C leng 517 (Client Hello TCP with TLS packet)

IP C -> IP A ackno 518 (Server Hello TCP with TLS packet)

IP C-> IP B ackno 518 (Server Hello TCP with TLS packet)

At this point this is expected, and the user can open the browser and connect to the webserver from LAN over HTTPS 443.

 

Scenario B does Not Work:

Flow:

IP A -> IP C leng 517 (Client Hello TCP with TLS packet)

IP B -> IP C leng 517 (Client Hello TCP with TLS packet)

IP C -> IP A ackno 518 (ONLY TCP ack packet ) no Server Hello response

IP C-> IP B ackno 518 (ONLY TCP ack packet ) no Server Hello response

The user can't connect to this webserver from LAN, browser and over HTTPS 443.

On scenario B: I receive the acknowledge 518 without TLS Server Hello Payload.

Based on your experience could you infer this packet could be lost somewhere on the LAN network? or if Check Point Firewall at some point could block the Server Hello payload response?.

Could be something about Threat Prevention suite ? SecureXL?

I also created TCP State Exceptions but did not work.

I appreciate you response

Have a gr8 day!!!!!!!!!!!!

0 Kudos
4 Replies
the_rock
Champion
Champion

You would need to do packet captures when it works and when it does not work, so comparing those would probably show you the difference.

0 Kudos
CharlesLZ
Explorer

Hello, this description is from pcaps that I took from traffic that does work and other that does not work.

0 Kudos
the_rock
Champion
Champion

Say if you took fw monitor, what do you see? Is it taking the same path?

0 Kudos
Tobias_Moritz
Advisor

To understand this better, it is important to know, where you did the traffic capture. On the client, on the server, at the firewall itself, at the client side of the firewall, at the server side of the firewall?

And, as the_rock already said: A fw monitor would be interesting. Please take care of SecureXL or use multiple -F arguments.

0 Kudos