Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

no https (or other secured traffic that does SSL handshake) available over AutoVPN

thomasthomsen
Head in the Cloud
‎Aug 18 2021 12:45 PM
‎Aug 18 2021 12:45 PM

no https (or other secured traffic that does SSL handshake) available over AutoVPN

Just wanted to see if other persons in the world have this problem.

And it is strange .... 

 

AutoVPN between two networks (nothing fancy as such), all good, except when we try to reach, for example, a https service on the other end.

 

The TCP handshake to the server is just fine (so nothing is blocked by an ACL) but then, when the cert is sent, it disappears somewhere in the MX. We can see the packet going into the LAN interface, but nothing received on the other end, or in the tunnel.

Now here is the funny part, if we then whitelist the server (Group policy Allow list / Whitelist on the client page) everything works.

IPS would be the first thing we would look at, but nothing shows up as blocked in IPS, and disabling IPS does nothing, only "allow list / whitelist".

 

Have anyone seen that before ?

 

/Thomas

0 Kudos
Subscribe
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 18 2021 3:16 PM
‎Aug 18 2021 3:16 PM

Smells like time to do an MX firmware upgrade ...

Subscribe
In response to PhilipDAth
thomasthomsen
Head in the Cloud
‎Aug 18 2021 11:12 PM
‎Aug 18 2021 11:12 PM

So its something people have experienced ?

0 Kudos
Subscribe
In response to thomasthomsen
thomasthomsen
Head in the Cloud
‎Aug 19 2021 8:08 AM
‎Aug 19 2021 8:08 AM

Does whitelist / allow policy mess with the DF bit on packets ?

We actually think the SSL handshake is being send with DF bit.

And if it drops that traffic because of MTU, and the whitelist / allow policy ignores the DF bit then everything makes more sense to us.

0 Kudos
Subscribe
In response to thomasthomsen
thomasthomsen
Head in the Cloud
‎Aug 19 2021 8:09 AM
‎Aug 19 2021 8:09 AM

And PS: yes , we have upgraded, downgraded and so on ... nothing helps.

Only whitelisting / allow policy on the client page helps.

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 19 2021 2:01 PM
‎Aug 19 2021 2:01 PM

I think it is improbably, but try lowing the MTU on a test machine.

 

 

You need to find the name of the network adaptor being used with this command:

netsh interface ipv4 show subinterface

 

Then run this command to change the MTU (change "Local Area Connection" to the adaptor name above):

netsh interface ipv4 set subinterface “Local Area Connection 2” mtu=1300 store=persistent

0 Kudos
Subscribe
In response to PhilipDAth
thomasthomsen
Head in the Cloud
‎Aug 19 2021 11:41 PM
‎Aug 19 2021 11:41 PM

But isn't it strange that immediately when we set a server on the allowed list, everything works.

 

We actually set up a new network to the same Concentrator, same type of hardware, same config, and that just works.

Its very very strange.

0 Kudos
Subscribe
In response to thomasthomsen
thomasthomsen
Head in the Cloud
‎Aug 20 2021 5:42 AM
‎Aug 20 2021 5:42 AM

Ok -.... here's a hint to our problem - Content filtering - When the MX cant reach Brightcloud services (that is not described as required on the "firewall info" page).

 

I'll just leave this here, and then people can PM me if they want to know what I think about this, the strange way the MX apparently handle this, what you can see in the event log (on any log for that matter) *hint:Its nothing*, and what I think of Merakis support right now.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.