
https error on websites

andrei.goutnik
Level 1

I am having an issue with Cisco Web Security Appliance (S380), accessing https websites.

Specifically, when trying to access our webmail website I get an error "ERR_SSL_PROTOCOL_ERROR" when running through the Cisco WSA.

The website is https://webmail.austfoot.com.au. We have an SSL certificate from DigiCert and I have added the *.austfoot.com.au domain to be bypassed in WSA; however, I still get the error.

Works fine if not going through the WSA.

It used to work fine; however, the appliance was updated to the latest update and now it has stopped working. I thought I just needed to load the certificate into "Certificate Management" under trusted root, however that didn't work.

9 Replies

David Niemann
Level 3

Can you post some of the logs from the access logs when the site is accessed?

Would it be the following?

1483928012.640 1 10.1.1.59 TCP_MISS/502 39 CONNECT tunnel://webmail.austfoot.com.au:443/ - DIRECT/webmail.austfoot.com.au - PASSTHRU_WEBCAT_7-DefaultGroup-AFL_Active_Directory-NONE-NONE-NONE-DefaultGroup <IW_sprt,0.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_sprt,-,"-","-","Unknown","Unknown","-","-",312.00,0,-,"-","-",-,"-",-,-,"-","-"> -
1483928012.645 4 10.1.1.59 TCP_MISS/502 39 CONNECT tunnel://webmail.austfoot.com.au:443/ - DIRECT/webmail.austfoot.com.au - PASSTHRU_WEBCAT_7-DefaultGroup-AFL_Active_Directory-NONE-NONE-NONE-DefaultGroup <IW_sprt,0.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_sprt,-,"-","-","Unknown","Unknown","-","-",78.00,0,-,"-","-",-,"-",-,-,"-","-"> -
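
An added example (not part of the thread and not Cisco code): a short Python parser for the two access-log lines posted above. It pulls out the HTTP status and the leading token of the ACL decision tag, then counts CONNECT tunnels that were passed through undecrypted but still failed. The field order assumes the default access-log format, the verdict block is shortened, and all function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The two lines from the post above; the long <...> verdict block is shortened.
_TAIL = (" - DIRECT/webmail.austfoot.com.au - PASSTHRU_WEBCAT_7-DefaultGroup-"
         'AFL_Active_Directory-NONE-NONE-NONE-DefaultGroup <IW_sprt,0.0,-,"-"> -')
SAMPLE = [
    "1483928012.640 1 10.1.1.59 TCP_MISS/502 39 CONNECT "
    "tunnel://webmail.austfoot.com.au:443/" + _TAIL,
    "1483928012.645 4 10.1.1.59 TCP_MISS/502 39 CONNECT "
    "tunnel://webmail.austfoot.com.au:443/" + _TAIL,
]

# Assumed default layout: timestamp, elapsed ms, client IP, result/status,
# bytes, method, URL, user, hierarchy/server, MIME, ACL tag, <verdicts>, UA flag.
LINE_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hierarchy>\w+)/(?P<server>\S+)\s+(?P<mime>\S+)\s+"
    r"(?P<acl_tag>\S+)\s+<(?P<verdicts>.*)>\s+(?P<suspect_ua>.*)$"
)

def parse_line(line):
    """Split one access-log line into named fields, or return None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # The ACL decision tag is "<decision>-<policy group names...>".
    rec["decision"] = rec["acl_tag"].split("-", 1)[0]   # PASSTHRU_WEBCAT_7
    rec["action"] = rec["decision"].split("_", 1)[0]    # PASSTHRU
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec

def failed_passthrough(lines):
    """Count tunnels the proxy passed through undecrypted that still failed."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if (rec["method"] == "CONNECT" and rec["action"] == "PASSTHRU"
                and rec["status"] >= 500):
            hits[(rec["host"], rec["status"])] += 1
    return hits

if __name__ == "__main__":
    for (host, status), n in failed_passthrough(SAMPLE).items():
        print(f"{host}: {n} passed-through CONNECT(s) answered with {status}")
```

Both posted lines match: the request reached the proxy, the decision tag shows it was passed through rather than decrypted, and the 502 was still returned.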

Hello andrei.goutnik,

 

The domain you have mentioned is not being bypassed. I think you added ".austfoot.com.au" to the bypass settings on the WSA when you say you have bypassed it; however, you have an explicit setup (either a PAC file, or the hostname/IP of the WSA in the browser). Bypass settings on the WSA work only with the transparent setup (WCCP). Please bypass this domain in the PAC file or in the browser itself. You cannot bypass it on the WSA. You can also try to make a custom URL category and allow/passthrough it in the access/decryption policy and check if it works. If it doesn't, then you have to bypass it for sure.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @andrei.goutnik 

I can see HTTP 502 in your access log, which is Bad Gateway.

If you have done the steps @shgrover mentioned and still get 502 in the access logs, could you please capture packets from the WSA, filtered for your client IP and your server IP, try to reproduce the issue and share the PCAP?

To do this, check page 569 of the user guide: User Guide for AsyncOS 14.0 for Cisco Web Security Appliances - GD (General Deployment)

Kindly note that I cannot open the URL https://webmail.austfoot.com.au from my computer and I get: ERR_CONNECTION_TIMED_OUT

Also, I cannot resolve austfoot.com.au.

Thanks

 

Ravi Singh
Level 7

Are you getting this error only for this URL, or whenever you access any https site?

In some cases, SSL state may block your connection and show you this error. Try to clear the SSL state.

Hi Ravi,

Thanks for the reply.

It seems to be happening with all sites that I access under the .austfoot.com.au domain. 

Another example is https://connx.austfoot.com.au. As soon as I go through the WSA, I get the SSL error.

I have a question I would like to ask, because the case I am experiencing is almost the same, with the IP going to the Pekalongan news website.

jameslehner992
Level 1

I can't visit half of the websites on the internet. The connection is not sure on half of the websites. Anyone know the solution to this?

@jameslehner992 

Kindly share with us more details about your issue.

You can browse some https sites and cannot browse some https sites (approximately 50%-50%)?

If so, please share the output of sslconfig > versions from the CLI and some lines of access logs from blocked URLs and allowed URLs.
