MX64 discarding TLS "client hello" packets

Ludod
Comes here often


For the past few months some of our clients have been complaining about slow web surfing. Randomly, when they try to load a page, it sometimes takes up to a minute. They are all on the same simple configuration and template:

Ludod_0-1649344363274.png

After a few tickets to the ISP and troubleshooting, we've dismissed any problem on layers 1 and 2 of the network and started taking packet captures of the TLS handshake at different locations on the network.

We've observed that, randomly, the first few "client hello" packets that were sent were not transmitted on the WAN interface of the MX64.


Switch uplink packet capture (1.2 sec delay between captures):

Ludod_1-1649344959581.png

WAN interface capture:

Ludod_2-1649345048773.png

It looks like the MX64 forbids the connection to this website. However, no log on the secure gateway shows that this is the case (and the URL isn't blocked by content filtering) and no layer 3 nor layer 7 rule forbids access to this server / port. And as I said before, the client manages to access the website after around a minute of waiting / reloading.

The firmware of the MX is 16.16 but we've already witnessed the issue on previous versions. No temperature / CPU alerts. I have already created a case on Meraki's Dashboard and am currently waiting for a response.

My questions are:
1) Has this kind of issue already happened to you? If yes, what was the cause?
2) Am I missing something / is there a lead I haven't followed yet?
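The LAN-versus-WAN capture comparison described in this post can be automated. The following is an added example, not code from the thread or from Meraki: it pairs Client Hellos across the two captures by their 32-byte TLS random, which survives the NAT rewrite of source address and port, and reports those seen more often on the LAN side than on the WAN side. It assumes classic little-endian pcap files (not pcapng), untagged Ethernet and IPv4; all function names and the sample captures are constructed for illustration.

```python
import struct
from collections import Counter
from socket import inet_aton

def read_pcap(data):
    """Yield (timestamp, frame) from a classic little-endian pcap (not pcapng)."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap")
    off = 24                                        # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def hello_random(frame):
    """32-byte ClientHello random of an untagged Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4               # IPv4 header length
    if len(frame) < tcp + 20:
        return None
    rec = frame[tcp + (frame[tcp + 12] >> 4) * 4:][:43]   # start of TCP payload
    # record hdr (5): 0x16, 0x03xx | handshake hdr (4): 0x01 | version (2) | random (32)
    if len(rec) < 43 or rec[0] != 0x16 or rec[1] != 0x03 or rec[5] != 0x01:
        return None
    return rec[11:43]

def missing_on_wan(lan_pcap, wan_pcap):
    """random -> (LAN copies, WAN copies, seconds spent retransmitting on the LAN)."""
    wan = Counter(r for _, f in read_pcap(wan_pcap) if (r := hello_random(f)))
    lan = {}
    for ts, f in read_pcap(lan_pcap):
        if (r := hello_random(f)):
            lan.setdefault(r, []).append(ts)
    return {r: (len(t), wan[r], max(t) - min(t)) for r, t in lan.items() if len(t) > wan[r]}

# --- constructed sample data: truncated ClientHellos, documentation addresses ---
def _frame(src, sport, rnd):
    tls = b"\x16\x03\x01\x00\x26\x01\x00\x00\x22\x03\x03" + rnd
    tcp = struct.pack("!HHIIBBHHH", sport, 443, 1, 1, 0x50, 0x18, 1024, 0, 0) + tls
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton("198.51.100.7"))
    return bytes(12) + b"\x08\x00" + ip + tcp

def _pcap(records):
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in records)
A, B = b"A" * 32, b"B" * 32                         # two constructed connections
SAMPLE_LAN = _pcap([(0, _frame("192.168.1.10", 50000, A)), (0, _frame("192.168.1.10", 50001, B)),
                    (1, _frame("192.168.1.10", 50000, A)), (3, _frame("192.168.1.10", 50000, A))])
SAMPLE_WAN = _pcap([(0, _frame("203.0.113.5", 61001, B)), (3, _frame("203.0.113.5", 61000, A))])
```

On the constructed sample, `missing_on_wan(SAMPLE_LAN, SAMPLE_WAN)` flags connection A: three copies on the LAN, one on the WAN, with three seconds of client retransmission before the hello got through.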

 



KarstenI
Kind of a big deal

Do you have content filtering with "Full List" enabled? I have seen this behaviour in this case (but not always).

Ludod
Comes here often

Yes, the URL category list size is on Full list and we have around 100 whitelisted URLs and 600 blacklisted + 30-ish categories. It probably has an impact on performance but 60s seems a bit too much.

ww
Kind of a big deal

Can you try from a browser with secure DNS/DoH disabled?

Ludod
Comes here often

DoH is already disabled on their browser; the DNS is located on their internal network.

cmr
Kind of a big deal

@Ludod some browsers like Chrome can default to secure DNS, it would be worth checking this.

 

 

Ludod
Comes here often

So I've double-checked and DoH is disabled on Chrome, not by GPO but by their Google admin. Furthermore, I can see traffic on UDP port 53 in the packet captures.
What could be the issue if it was in fact enabled?

Wifikohai
Comes here often

Hi Ludod,

Did you solve the problem? I have a machine with the same behavior.

 

Regards
