HTTPS traffic does not work when using custom Application/Site Technical Level
  • HTTPS traffic is dropped on the Clean Up rule when using custom Application/Site.
  • Running kernel debug ('fw ctl zdebug + drop') shows that the first packet of the HTTPS connection is silently dropped with the message: "PSL Drop: TLS_PARSER"
  • A log in SmartLog is seen with drop message: "URL Filtering - Connection hold failed due to TCP retransmission limit" on the Firewall Blade.
  • Connections after the first drop are successful.

This issue applies when the following configuration combinations are used:

  • URL Filtering Whitelist policy - Websites are explicitly allowed and all non-allowed websites are blocked via the Clean Up rule.
  • Categorize HTTPS websites - SSL/HTTPS Inspection is not being used for outbound connections.
  • SNI information is added to connection logs when the connection matches a rule with "Extended Log" (the "Added SNI information to connection logs" setting).
  • Website categorization mode is set to Hold - Requests are blocked until categorization of the website is completed - together with the "Improved enforcement of first connection when URL Filtering setting is 'Hold' mode" option (Hold mode granularity).

When a request to a website is made, the Security Gateway holds the traffic as "Unknown" and sends it to the RAD (Resource Advisor) daemon to verify the CN (Common Name) of the website. Before the response from RAD is returned, the policy is enforced on the "Unknown" traffic, which matches no explicit allow rule and is therefore dropped on the Clean Up rule. When the RAD response arrives, the IP address of the website is entered into the cache table, but the connection has already been dropped by the policy. A second connection attempt to the same IP address succeeds because the IP address is now in the cache table and the CN has been verified, so the explicit allow rule is matched.
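The sequence above can be modelled as a race between policy enforcement and the categorization answer. The following is an added illustration, not Check Point code: a constructed gateway with a whitelist, a Clean Up rule, a stand-in for the RAD daemon that answers after a fixed number of retransmissions, and an IP cache. The class and function names, the sample IP 203.0.113.10 and the site name example.com are all assumptions made for the example. With enforce_before_rad=True it reproduces the symptom (first connection dropped, cache populated, second connection accepted); with enforce_before_rad=False it holds the connection until RAD answers, and it still drops on the retransmission limit when RAD is slower than the hold budget.

```python
from dataclasses import dataclass, field


@dataclass
class RadDaemon:
    """Constructed stand-in for the Resource Advisor daemon.

    It returns a verdict only once `latency` retransmission slots have
    elapsed; before that the site is still 'Unknown'.
    """
    latency: int
    sites: dict  # ip -> site name; constructed sample data, not a real feed

    def categorize(self, ip, elapsed):
        if elapsed >= self.latency:
            return self.sites.get(ip, "uncategorized")
        return None  # still pending


@dataclass
class Gateway:
    """Constructed model of the whitelist + Hold mode behaviour."""
    allowed_sites: set         # explicit allow rules; everything else hits Clean Up
    rad: RadDaemon
    hold_limit: int            # retransmissions tolerated while a connection is held
    enforce_before_rad: bool   # True = enforce on 'Unknown' before RAD answers (the bug)
    cache: dict = field(default_factory=dict)   # ip -> verified site name
    log: list = field(default_factory=list)

    def _policy(self, ip, site):
        if site in self.allowed_sites:
            self.log.append(f"{ip} accept (allow rule: {site})")
            return "accept"
        self.log.append(f"{ip} drop (Clean Up rule, site={site})")
        return "drop"

    def connect(self, ip):
        # Cached IP: the CN is already verified, match the allow rule directly.
        if ip in self.cache:
            return self._policy(ip, self.cache[ip])
        verdict = None
        for elapsed in range(self.hold_limit + 1):
            site = self.rad.categorize(ip, elapsed)
            if site is not None:
                # RAD answered: cache the IP even if the connection is already gone.
                self.cache[ip] = site
                if verdict is None:
                    verdict = self._policy(ip, site)
                break
            if verdict is None and self.enforce_before_rad:
                # Policy runs on the held 'Unknown' traffic before RAD returns.
                verdict = self._policy(ip, "Unknown")
        if verdict is None:
            self.log.append(
                f"{ip} drop (Connection hold failed due to TCP retransmission limit)")
            verdict = "drop"
        return verdict


def run(enforce_before_rad, rad_latency=2, hold_limit=5):
    """Two connection attempts to one whitelisted site; returns (verdicts, log)."""
    rad = RadDaemon(latency=rad_latency, sites={"203.0.113.10": "example.com"})
    gw = Gateway(allowed_sites={"example.com"}, rad=rad,
                 hold_limit=hold_limit, enforce_before_rad=enforce_before_rad)
    verdicts = [gw.connect("203.0.113.10") for _ in range(2)]
    return verdicts, gw.log


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, log = run(mode)
        print(f"enforce before RAD = {mode}: {verdicts}")
        for line in log:
            print("   ", line)
```

The third case worth checking is the hold budget itself: even when enforcement waits for RAD, a categorization answer that arrives after the retransmission limit still ends in a drop, which is the "Connection hold failed due to TCP retransmission limit" log seen in the symptoms.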
