HTTPS traffic does not work when using custom Application/Site

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk164815
Technical Level
Product	URL Filtering, Application Control
Version	R80.10, R80.20, R80.30
OS	Gaia
Platform / Model	All
Date Created	23-Jan-2020
Last Modified	27-Aug-2020

Symptoms

HTTPS traffic is dropped on the Clean Up rule when using custom Application/Site.
Running kernel debug ('fw ctl zdebug + drop) it can be seen that the first packet of the HTTPS connection is silently dropped with error message: "PSL Drop: TLS_PARSER"
A log in SmartLog is seen with drop message: "URL Filtering - Connection hold failed due to TCP retransmission limit" on the Firewall Blade.
Connections after the first drop are successful.

Cause

This issue applies when the following configuration combinations are used:

URL Filtering Whitelist policy - Websites are explicitly allowed and all non-allowed websites are blocked via the Clean Up rule.
Categorize HTTPS websites - SSL/HTTPS Inspection is not being used for outbound connections.
Website categorization mode is set to Hold - Requests are blocked until categorization of the website is completed.

When a request to a website is made, the Security Gateway holds the "Unknown" traffic. The traffic is sent to the RAD (Resource Advisor) daemon to verify the CN (Common Name) of the website. Before the response from RAD is returned, the policy is enforced on the "Unknown" traffic and is dropped on a Clean Up rule. The IP address of the website is entered into the cache table, but the connection has already been dropped by the policy. The second connection attempt to the same IP address is successful because the IP address has been entered into the cache table and CN has been verified.

Solution

Note: To view this solution you need to Sign In .