windows Server 2022 TLS Handshakes Randomly Fail with Close_Notify

Epicovello75
Conversationalist

Client has been running Server 2016 behind Meraki for some period now; recently a new server was deployed with Windows Server 2022.

Server 2016 and Server 2022 are identical in the software running. They both host a web site for users to log into their ERP system.

Within the ERP system the servers make a secure call to avatax.avalara.net.

This is followed by a TLS 1.2 handshake:

Client Hello packet (sent from client to avatax server)

Server Hello in response to start negotiating (sent from avatax server back to client)

Works 100% of the time when it comes from the Server 2016. Fails 75% of the time when initiated from the Server 2022.

Pictures below: PCAP from the failures first, followed by a normal TLS handshake.

Also I'd like to note I have a second Windows 2022 server, same connection but behind a non-Meraki firewall, that makes the TLS handshake 100%.

Bad Connection

Epicovello75_1-1713877837339.png

 

Good Connection below

Epicovello75_2-1713877906132.png

RaphaelL
Kind of a big deal

From the "Bad Connection" screenshot, what is the TTL of the "ACK" and the "Close Notify"? Are they identical?

Epicovello75
Conversationalist

ACK packet TTL 246

Epicovello75_0-1713880355847.png

Close_notify also 246

Epicovello75_1-1713880405905.png

RaphaelL
Kind of a big deal

At first glance, the remote server did send both these packets (they were not sent by the MX firewall).

What MX model and what version are you running?

And did you confirm that if you bypass the MX, you don't have those issues?

PhilipDAth
Kind of a big deal

The Meraki security systems only ever send a TCP RST or drop the packet. They never inject into a TLS stream.

Have you got any other security software on either machine?

Epicovello75
Conversationalist

Thanks all for the responses. I have had Meraki Support look at the connection and they do not see any issues either with traffic going/coming for these connections.

As RaphaelL suggested, going to set up a temp GW and bypass just to see if the issues persist.

No other security software running at this time either.

Lastly, just going to also spin up a new vanilla Server 2022 VM guest and run similar testing to see if the issue exists in a new environment.
Epicovello75
Conversationalist

So the saga continues,

What we found reviewing the PCAP line for line was the client was inserting 2 ciphers that were TLS 1.3 ciphers:

TLS_AES_256_GCM_SHA384 - Yes - TLS 1.3
TLS_AES_128_GCM_SHA256 - Yes - TLS 1.3

The responding server does not yet support TLS 1.3.

Disabled the TLS 1.3 ciphers and now the initial handshake connects OK.

It does introduce another issue: subsequent connection attempts get ignored and fail to connect to the server. I suspect between the VM interface and Meraki.

PCAP now only shows the initial SYN, ECE, CWR with TCP conversation [completeness: incomplete, NO_DATA]
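As an added illustration (not code from any poster in this thread), the check described above, done programmatically instead of reading the PCAP line by line: a small Python parser that takes a ClientHello record carved from a capture, lists the offered cipher suites, flags the TLS 1.3-only ones (0x1301 and 0x1302 are the two named above), and reads the supported_versions extension, which is what actually offers TLS 1.3 to the server. The sample hellos are constructed inside the script; the 0xC030/0xC02F suites are assumed TLS 1.2 suites used only for illustration. A TLS 1.2-only server is expected to ignore suites it does not know and negotiate 1.2, so seeing these suites in a capture identifies what changed between the two servers rather than proving on its own why the handshake was closed.

```python
import struct

# TLS 1.3-only cipher suites (RFC 8446, appendix B.4); the two named in the
# thread are 0x1302 and 0x1301. A TLS 1.2-only server simply skips them.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}
SUPPORTED_VERSIONS = 0x002B  # extension type that actually offers TLS 1.3


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello (bytes as carved from a PCAP).

    Returns the legacy version, the offered cipher suites and the versions
    listed in supported_versions (empty when the extension is absent).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 0
    (legacy_version,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + 32                      # legacy_version + 32-byte random
    pos += 1 + hello[pos]              # legacy_session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # compression methods (length-prefixed)

    versions = []
    if pos + 2 <= len(hello):          # the extensions block is optional
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS:
                n = data[0]            # one length byte, then 2-byte versions
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version,
            "cipher_suites": suites,
            "supported_versions": versions}


def tls13_suites_offered(record: bytes) -> list:
    """Names of the TLS 1.3-only suites present in the ClientHello, in offer order."""
    hello = parse_client_hello(record)
    return [TLS13_SUITES[s] for s in hello["cipher_suites"] if s in TLS13_SUITES]


def offers_tls13(record: bytes) -> bool:
    """True if the hello can really negotiate 1.3 (0x0304 in supported_versions)."""
    return 0x0304 in parse_client_hello(record)["supported_versions"]


def build_client_hello(suites, versions=()) -> bytes:
    """Build a minimal ClientHello record for offline testing (constructed
    sample input, not captured traffic)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    if versions:
        data = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a hello shaped like the one in the thread (TLS 1.3 suites
# ahead of assumed 1.2 suites) and the hello after the 1.3 suites were disabled.
HELLO_BEFORE = build_client_hello([0x1302, 0x1301, 0xC030, 0xC02F], versions=(0x0304, 0x0303))
HELLO_AFTER = build_client_hello([0xC030, 0xC02F], versions=(0x0303,))

if __name__ == "__main__":
    for name, rec in (("before", HELLO_BEFORE), ("after", HELLO_AFTER)):
        print(name, tls13_suites_offered(rec), "offers TLS 1.3:", offers_tls13(rec))
```

To use this on a real capture, export the bytes of the ClientHello's TLS record (Wireshark: right-click the record, Copy as a hex stream) and pass them to `parse_client_hello`; comparing the output from the 2016 and 2022 servers shows exactly which suites and versions differ between the two.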
