HTTPS/TLS issues:

dcuk
Just browsing

Afternoon all,

Having some networking issues, I've narrowed it down to a combination of Meraki and Windows/Mac.

Getting a lot of "Secure Connection Failed" from internet browsers.

It works in Linux, it works outside the firewall, and it works on other sites.

Running in a VM on a Windows box, the following:

    # Fetch each file 1000 times; -O saves the body, -o writes wget's own log for that attempt
    for i in {1..1000} ; do
        wget https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js -O bootstrap.$i -o bootstrap.$i.log
        wget https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css -O theme.$i -o theme.$i.log
    done
    # Count the attempts whose log contains a GnuTLS error (-l: one line per matching log file)
    for i in bootstrap theme ; do echo -n "$i: " ; grep -l GnuTLS $i.*.log | wc -l ; done
Gives a 70-80% connection failure.

I've turned off local AV (ESET), AMP and ID&P on the Meraki MX64 and am still getting the error.

Tested using a Fedora 27 VM running on Windows 10 (1709).

Also tested on a CentOS VM running on ESX which works fine.

Also tested on a Mac which doesn't work.

Any thoughts or suggestions on what's going on would be much appreciated.

Many thanks in advance,

Adam
Kind of a big deal

I just tried the two links on a Windows 10 machine and both loaded fine.  The network I tested on is an MX84. AMP disabled, prevention, balanced, and content filtering top sites. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
dcuk
Just browsing

They do load some of the time, can you press ctrl+F5 a few dozen times and let me know if you get "Secure Connection Failed"?
Adam
Kind of a big deal

I just tried each URL with Ctrl+F5 10 times each in Chrome and no issues.  I can try in a different browser etc if you'd like.  What firmware version is your MX and how do you have your content filtering set?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
dcuk
Just browsing

v13.28, no content filtering applied.
It must be something to do with the TLS handshake, but I have no idea what or where to look.
I can get the laptop to work outside the firewall, and I've got VMs on ESX inside the firewall that can connect without issue...
Adam
Kind of a big deal

I'm at 13.28 also.  Have you encountered the issue on a workstation that isn't in your ESX/VM environment?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
dcuk
Just browsing

Yes, we've also got a number of Macs having the issue in Chrome.
PhilipDAth
Kind of a big deal

I notice this URL uses an ultimate DNS record with a TTL of just 60s, and it keeps rotating those IP addresses.

Are the DNS servers you are using honouring the TTL?
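An added example, not part of this thread: a small Python script that reads the per-attempt logs written by the wget loop in the original post (`-o bootstrap.$i.log`) and tallies TLS failures per connected IP, so you can check whether the failures follow the rotating CDN addresses PhilipDAth describes rather than being spread evenly. The sample logs are constructed with documentation-range IPs, and their layout only approximates wget's output.

```python
import re
from collections import defaultdict

CONNECT_RE = re.compile(r"^Connecting to \S+ \(\S+\)\|([0-9A-Fa-f.:]+)\|:(\d+)\.\.\.")
TLS_FAIL_RE = re.compile(r"^(GnuTLS: |Unable to establish SSL connection)")

def make_log(ip, ok):
    """Constructed wget -o style log for one fetch; layout approximates wget's output.
    IPs are documentation-range placeholders (192.0.2.0/24), not the CDN's real addresses."""
    lines = [
        "--2018-01-10 14:00:00--  https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js",
        "Resolving maxcdn.bootstrapcdn.com (maxcdn.bootstrapcdn.com)... 192.0.2.10, 192.0.2.20",
        f"Connecting to maxcdn.bootstrapcdn.com (maxcdn.bootstrapcdn.com)|{ip}|:443... connected.",
    ]
    if ok:
        lines.append("HTTP request sent, awaiting response... 200 OK")
    else:
        lines += ["GnuTLS: Error in the pull function.", "Unable to establish SSL connection."]
    return "\n".join(lines) + "\n"

# Five constructed attempts: the first address fails 2 of 3 times, the second never fails.
SAMPLE_LOGS = [make_log("192.0.2.10", False), make_log("192.0.2.10", False),
               make_log("192.0.2.10", True), make_log("192.0.2.20", True), make_log("192.0.2.20", True)]

def tally(logs):
    """Map each connected IP to (attempts, tls_failures) across a list of wget log texts."""
    stats = defaultdict(lambda: [0, 0])
    for text in logs:
        ip, failed = None, False
        for line in text.splitlines():
            m = CONNECT_RE.match(line)
            if m:
                ip = m.group(1)          # the address wget actually connected to
            elif TLS_FAIL_RE.match(line):
                failed = True            # handshake never completed for this attempt
        if ip is not None:
            stats[ip][0] += 1
            stats[ip][1] += int(failed)
    return {ip: tuple(v) for ip, v in stats.items()}

def failure_rate(logs):
    """Overall fraction of attempts that hit a TLS error (the thread's 70-80% figure)."""
    stats = tally(logs)
    attempts = sum(a for a, _ in stats.values())
    return sum(f for _, f in stats.values()) / attempts if attempts else 0.0
```

On real data, pass the contents of the `bootstrap.*.log` and `theme.*.log` files to `tally()` instead of `SAMPLE_LOGS`; a rate that is high for some IPs and near zero for others points at path or address-specific trouble rather than the client's TLS stack.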

Adam
Kind of a big deal

Or, if possible, try setting a static external DNS like 8.8.8.8 and 8.8.4.4 on one of the clients that is having the issue to test.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
dcuk
Just browsing

Hi,

I've set the DNS to 8.8.8.8 and 8.8.4.4 and still get the issue, so it doesn't appear to be a DNS issue either.

I need to find other test cases I can replicate, not just these 2 files...

Thank you for your help so far.

Adam
Kind of a big deal

Let me know if you find a test case.  I'd be happy to try it in one or two of my environments. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO