
Unable to complete SSL handshake with web site

Discussion in 'Networking' started by Uberwulf, Apr 12, 2016.

Thread Status:
Not open for further replies.
  1. Uberwulf (Thread Starter)
    We have a computer that is connected to a Cisco ASA router. This local router sets up an encrypted tunnel to a Cisco ASA router at a remote location. This remote location has a couple of web servers. From the workstation, I am able to ping (by DNS name and IP address) both web servers, see the ports 80 and 443 open and can always resolve one of the web pages (we'll call it works.company.org). The other webpage we'll call broke.company.org we cannot resolve.

    After researching this with Wireshark, I can see that the workstation sends a "Client Hello" to broke.company.org, but doesn't see any "Server Hello" response back. However, from the web server side, a packet capture reveals that it does attempt to send its "Server Hello, Certificate, Server Key Exchange, Server Hello Done" to the workstation, but it doesn't make it to the workstation.

    If we change the workstation's IP address to another IP address in the local subnet, it is able to communicate with the web server for about a day and then something locks up that IP address permanently and then SSL handshake will no longer complete until I change the workstation IP address to a new/different IP address in the local subnet.

    If we connect this workstation and Cisco ASA Router to a different commercial ISP line, the web page at broke.company.org resolves every time.

    We've tried changing the MTU size on the workstation and on the local Cisco ASA router and that doesn't resolve the problem.

    The firewalls in between the 2 Cisco ASA routers have the correct rules in place, allowing ESP 50 and UDP 500 bi-directionally.

    There are many other organizations that are connecting to this web site and no one else is having the issue that we are having.

    Supposedly, there is no proxy in between our workstation and the web site.

    Questions:

    Are there any other offline tools that we can use to try to troubleshoot this web site connection issue?

    What could be causing this SSL handshake to complete on one IP address and not another, but to always work when browsing the works.company.org?
  2. zx10guy (Trusted Advisor)
    Are there any routing devices on either end of the ASAs on the private side? Is the workstation receiving its IP via DHCP? If so, where and who is the DHCP server? Have you looked at the ARP table of the closest network device to the workstation to see if there are any IP conflicts? Are you doing any NATing internal to the IPSEC tunnel? Have you looked at the ASDM live log, log buffer, or logs (preferably at a syslog server) to see if the traffic is reaching the ASA on the side with the web server? Have you done a continuous ping test while doing the test to reach the web server via SSL?
     
  3. Uberwulf (Thread Starter)
    Thank you for your response zx10guy,

    Are there any routing devices on either end of the ASAs on the private side?

    -- Not that I know of, but I'll confirm that with the distant end.

    Is the workstation receiving its IP via DHCP? If so where and who is the DHCP server?

    -- No. It has a static IP address on a private subnet, which is only used for our location behind the internal interface of our router. Additionally, there is only one host connected directly in to the internal interface.

    Have you looked at the ARP table of closest network device to the workstation to see if there are any IP conflicts?

    -- I haven't yet, but I can. Would that still matter if there is only 1 host behind that internal interface of our router?

    Are you doing any NATing internal to the IPSEC tunnel?

    -- We are not, it's going from its private IP on the internal interface to the public IP on the external interface. Even when it leaves that router encrypted and passes through all of the network devices to leave our network, it does not get NAT'ed at any point.

    Have you looked at the ASDM live log, log buffer, or logs (preferably at a syslog server) to see if the traffic is reaching the ASA on the side with the web server?

    -- I haven't looked at the ASDM live log. Is that done through the Cisco router? I know that traffic is reaching the distant end, but it seems that the "Server Hello" packet coming from the web server is not making its way back. Soon I will be doing a packet capture at the distant router to see if the "Server Hello" is even reaching the distant end router.

    Have you done a continuous ping test while doing the test to reach the web server via SSL?

    -- Yes. The ping (DNS Host name or IP Address) remains consistent even when the SSL handshake is not completing.
     
  4. zx10guy (Trusted Advisor)
    This is extremely odd. If you haven't done this, do a ping -t for a continuous ping test to the server from the workstation, and I would also do the same from the server to the workstation. Then initiate the SSL webpage request and see if there are any missed packets.

    The ASDM is a Java-based GUI program for the ASA firewalls. To download the ASDM, launch a web session to the IP of the ASA. Hopefully, you've configured the ASA to accept HTTPS management traffic. Cisco really locks down their firewall appliances. You have to explicitly configure whether you allow Telnet, SSH, or HTTPS management sessions to it, and then you have to tell it to accept the sessions from what IP or subnet over a specific interface. When you launch the web session, you'll see two options: either run the ASDM as a web session or download the ASDM stand-alone software package installer. It's up to you which way you go. Also, you have to make sure your Java is at a version supported by the ASDM. Once you have the ASDM up and running, you'll see a button up top for Monitoring. This will open a set of sub windows/tabs. At the bottom left corner, you'll see a button for Logging. Click it and click the View button in the middle of the window. This will launch the live log where you can see what the ASA is seeing in real time. To tunnel down to the specific traffic you want to watch, you can enter the IP address of the server or workstation in the filter.

    Which ASA do you have?
     
  5. Uberwulf (Thread Starter)
    zx10guy,

    I'll see if I can set something up like that (I'll have to coordinate with the techs who control that equipment). However, I guess I should have been more clear about the continuous ping. When I said consistent, I should have said consistent with occasionally dropped packets (about 1 dropped packet every 10-15 packets) with an average of 136 ms latency. It is consistent though with anything I ping on the remote side. Are those inconsistencies enough to cause the symptoms we're experiencing?

    The router we are using at our local site is a Cisco 2901. I can login to the router to do some testing, but can't make any configuration changes. If the hosting site has secured the router to not allow this HTTPS management traffic, I may be out of luck. I will see if that is an option. At the very least I was able to use the ECP to capture packets with full details and export it. I've found that even at our local router, it is not seeing the "Server Hello" message make it back. So that leads me to believe that the issue that is causing this communication to not make it back is on the remote side. Yesterday, we did some packet captures on the remote side's Firewall (using Checkpoint) and I'm waiting to hear back the details on what has been captured.

    Also, to clarify the topology on the remote side: local Cisco 2901 router > tunneled connection through the cloud > remote Cisco 7206 router > CheckPoint firewall > performs NAT to/from > switch > web server (broke.company.org).
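With the topology laid out and MTU already mentioned earlier in the thread, one check a practitioner runs on any ESP tunnel is a size budget: the Server Hello flight carries the certificate chain and is usually the first full-size packet of the exchange, while pings and the Client Hello are small, so a path that silently drops packets above some size passes everything except that flight. The following is an added example written for this page, not code from the thread or from Cisco or Check Point; it computes how much ESP tunnel-mode encapsulation adds to an inner packet and the TCP MSS that keeps every segment within the outer MTU. It assumes IPv4 on both layers, a CBC cipher with a 16-byte IV and 16-byte block (e.g. AES-CBC) and a 12-byte ICV (e.g. HMAC-SHA1-96); the packet sizes in the demo are constructed, and the actual suite on this tunnel is not stated in the thread, so pass your own `EspParams`.

```python
"""ESP tunnel overhead: which inner packet sizes survive an IPsec tunnel
without exceeding the outer MTU.

Added example, not code from the thread.  Assumes ESP tunnel mode over IPv4
with a CBC cipher (16-byte IV and block, e.g. AES-CBC) and a 12-byte ICV
(e.g. HMAC-SHA1-96); pass a different EspParams for other suites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspParams:
    outer_ip: int = 20     # outer IPv4 header, no options
    esp_hdr: int = 8       # SPI + sequence number
    iv: int = 16           # AES-CBC IV (8 for AES-GCM)
    block: int = 16        # cipher block: payload + trailer are padded to it (4 for GCM)
    icv: int = 12          # HMAC-SHA1-96 (16 for HMAC-SHA256-128 or AES-GCM)
    trailer: int = 2       # pad length + next header


def esp_tunnel_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    padded = -(-(inner_len + p.trailer) // p.block) * p.block   # round up to block
    return p.outer_ip + p.esp_hdr + p.iv + padded + p.icv


def max_inner_packet(outer_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner IP packet whose encapsulation still fits in outer_mtu."""
    room = outer_mtu - p.outer_ip - p.esp_hdr - p.iv - p.icv
    return (room // p.block) * p.block - p.trailer


def tcp_mss_for_tunnel(outer_mtu: int, p: EspParams = EspParams(),
                       inner_ip: int = 20, tcp: int = 20) -> int:
    """TCP MSS to clamp on the tunnel router so no segment needs fragmenting."""
    return max_inner_packet(outer_mtu, p) - inner_ip - tcp


def fits(inner_len: int, outer_mtu: int, p: EspParams = EspParams()) -> bool:
    """True if the encapsulated packet can cross the path without fragmentation."""
    return esp_tunnel_size(inner_len, p) <= outer_mtu


if __name__ == "__main__":
    # Constructed packet sizes standing in for the flows discussed in the thread.
    sizes = {
        "Windows ping (20 IP + 8 ICMP + 32 data)": 60,
        "Client Hello segment (typical)": 20 + 20 + 250,
        "full-size segment carrying the Certificate": 1500,
    }
    for label, n in sizes.items():
        print(f"{label}: inner {n} -> outer {esp_tunnel_size(n)} bytes, "
              f"fits a 1500-byte path: {fits(n, 1500)}")
    print("largest inner packet for a 1500-byte path:", max_inner_packet(1500))
    print("MSS to clamp on the tunnel router:", tcp_mss_for_tunnel(1500))
    gcm = EspParams(iv=8, block=4, icv=16)
    print("same with AES-GCM:", max_inner_packet(1500, gcm), tcp_mss_for_tunnel(1500, gcm))
```

The point of the numbers is the asymmetry: a 60-byte ping or a 300-byte Client Hello comes out at 120 or 360 bytes and always fits, while a full 1500-byte segment becomes 1560 bytes and must be fragmented or dropped by whichever device enforces the 1500-byte path. If the ICMP "fragmentation needed" message that should tell the web server to send smaller segments is blocked or NATed away, the large flight keeps being retransmitted and never arrives, which is worth ruling out with a DF-set ping sweep (`ping -f -l <size>` on Windows, `ping -M do -s <size>` on Linux) from both ends. A clamp to the computed MSS (on Cisco IOS, `ip tcp adjust-mss <value>` on the tunnel-facing interface) removes the dependency on path MTU discovery altogether.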
     
  6. zx10guy (Trusted Advisor)
    So forget everything I said about the ASDM. You indicated you had an ASA, which is Cisco's firewall product. Your post above clarified the model you are using, and you're using Cisco routers, not firewalls. The 2901 ISR router does have a web GUI but I never use it. It's really not as good as what the ASAs provide. From the looks of it, you need to find out if the SSL return handshake from the web server is making it to the Checkpoint firewall. You can also look at the logs of the Checkpoint firewall to see what it's doing; whether it received the return packet and if it for some reason dropped it.
     
  7. Uberwulf (Thread Starter)
    Sorry about that. Somewhere along the lines I got it stuck in my head that it was an ASA.

    Attached is the wireshark capture from the remote end's Checkpoint Firewall. I changed the source and destination IP's on purpose. The web server has a NAT'ed and private address. Also, there were some packets in there that I deleted because it was traffic going to another web site that was irrelevant and I didn't want it to convolute what you're looking at.

    It seems that the Server Hello message is at least coming through/to the Firewall. However, there are many retransmits which leads me to believe that the Web server is not receiving the proper response back from the workstation so it keeps trying to resend it. Looking at these captures, can you tell what could be causing this kind of traffic?
     

    Attached Files:

  8. zx10guy (Trusted Advisor)
    Would you elaborate on the statement, "The web server has a NAT'd and private address"? Are you saying the web server has two IPs and maybe two interfaces?
     
  9. Uberwulf (Thread Starter)
    Yes, the web server has its actual IP address (the private IP address) and then the firewall is NAT'ing the web server's IP address (making a publicly accessible IP address). From the workstation I would hit the public IP address of the web server and the firewall would then perform the NAT'ing back and forth.
     

Short URL to this thread: https://techguy.org/1169647
