Sonicwall TZ-600 or SSL Issue, one site non-accessible


Before I get into too much detail of what I have tried: the issue is, I cannot get this site to load from one of my facilities.

https://secure.swdirectconnect.com/EFTClient/Account/Login.htm

I suspect the Sonicwall is blocking it, however I have checked every rule, filter, IPS, Gateway AV, content filter, debug logging etc.

From other sites I can access it, but there seems to be a problem with the SSL certificate, which may be the root issue.

Chrome on my tablet at home complains of "ERR_CERT_AUTHORITY_INVALID" and IE at the facility shows "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://secure.swdirectconnect.com again. If this error persists, contact your site administrator."

Chrome just shows "ERR_CONNECTION_ABORTED"

https://www.ssllabs.com/ssltest/analyze.html?d=secure.swdirectconnect.com&latest

Seems to show a chain issue.

Any SSL/TLS experts have any input?


Now I have an SFTP site that I cannot get to in FileZilla:

 

Network error: Software caused connection abort

Error: Could not connect to server
 
Funny thing is, I can ping/route to this server also.
 
One major development: if I enable the backup 4G aircard interface and set a static route to the site above or the SFTP site IP, I can get right to them. So I know it isn't a browser config issue. Thinking it might be a SonicWall firmware bug.

Disable your security services for a short bit? Do you have any content filtering enabled? See if you can create an account exception for a single user and test?

 

Odd thing is that you do not get the SonicWall error landing page, which usually comes up if the firewall blocks something.

Just a quick thought, but I've seen weird browsing issues when the MTU is set incorrectly on the WAN interface.

Came to mind before you mentioned it working on the 4G interface, so sounds plausible to me.


Yeah dude, they get a big fat F. No wonder your browsers are keeping you from connecting ;)

 

Why would you want to go there?



 

Tried it, disabled all of the Gateway AV, IPS, Spyware on the WAN zone. No change. Yeah, the SonicWall shows no error landing page/block page and also shows no entry in the logs.


 

Yeah I know, it's a work-related site that we use. But I know it's not a browser issue, since if I route the traffic over U0 (USB Air Card) it loads just fine.


 

It's a cable connection, MTU is 1500. I could try something like 1492, but the only thing is it was working fine with the TZ-215 SonicWall at 1500 MTU.

I would contact them to fix their ######. Are you going through a proxy at work that does SSL intercept? If so, it's prob not able to connect to such a ###### site, nor would I blame it.

 

Your ###### not connecting to that is not broken; they are broken. Yes, they have a broken chain as well. I would not do business with a company that cannot maintain their SSL stuff, especially of late with all the security issues with it.


 

Yeah, I've already started that discussion with them, but what about the SFTP connection to a totally different, non-related site doing the same thing through FileZilla?

 

No Proxy, and no DPI-SSL or SSL filtering enabled.


Where are you trying to connect to via SFTP? Are you using SSH1 or 2? Can you PM me the site, and I can see if I get a connection.

 

Are you using password auth or public key?

 

SFTP is SSH; are you talking FTPS / FTP-ES?


 

It's an SFTP site running at a local similar agency. It's using password and host key once connected. It works fine via the U0 interface, or anywhere else I try it from: home, car, etc. Just not via the X1 (WAN) interface on the SonicWall.

 

 

I can connect to https://filezilla-project.org/ just fine via port 22 using FileZilla from the same site, and it asks for UN/PW.

 

Makes no sense.


What do you show in your connection log? Is it SSH1 or 2? Example:

 

Turn on debug so you get details of the connection in FileZilla. Example here is a connection via SFTP to my home Linux box:

 

Status:    Connecting to 192.168.9.7...
Trace:    Going to execute "C:\Program Files\FileZilla FTP Client\fzsftp.exe"
Response:    fzSftp started
Trace:    CSftpControlSocket::ConnectParseResponse(fzSftp started)
Trace:    CSftpControlSocket::SendNextCommand()
Trace:    CSftpControlSocket::ConnectSend()
Command:    keyfile "C:\Dropbox\tools\newkeys\NewKey.ppk"
Trace:    CSftpControlSocket::ConnectParseResponse()
Trace:    CSftpControlSocket::SendNextCommand()
Trace:    CSftpControlSocket::ConnectSend()
Command:    open "user@192.168.9.7" 22
Trace:    Looking up host "192.168.9.7"
Trace:    Connecting to 192.168.9.7 port 22
Trace:    Server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
Trace:    Using SSH protocol version 2
Trace:    We claim version: SSH-2.0-PuTTY_Local:_Feb_11_2014_20:29:07
Trace:    Doing Diffie-Hellman group exchange
Trace:    Doing Diffie-Hellman key exchange with hash SHA-256
Trace:    Host key fingerprint is:
Trace:    ssh-rsa 2048 bf:11:86:05:28:a8:cc:b3:bb:0e:17:60:ef:a9:f4:8a
Trace:    Initialised AES-256 SDCTR client->server encryption
Trace:    Initialised HMAC-SHA-256 client->server MAC algorithm
Trace:    Initialised AES-256 SDCTR server->client encryption
Trace:    Initialised HMAC-SHA-256 server->client MAC algorithm
Trace:    Successfully loaded 1 key pair from file
Trace:    Offered public key from "C:\Dropbox\tools\newkeys\NewKey.ppk"
Trace:    Offer of public key accepted, trying to authenticate using it.
Trace:    Access granted
Trace:    Opened channel for session
Trace:    Started a shell/command
Status:    Connected to 192.168.9.7
Trace:    CSftpControlSocket::ConnectParseResponse()
Trace:    CSftpControlSocket::ResetOperation(0)
Trace:    CControlSocket::ResetOperation(0)
Trace:    CFileZillaEnginePrivate::ResetOperation(0)
Trace:    CFileZillaEnginePrivate::ResetOperation(0)

 

If you have problems with the key exchange, try a different one; FileZilla SFTP support is really basic. Do you have Linux you can SFTP from, or a copy of SecureFX? PuTTY sftp (psftp), WinSCP (be careful of OpenCandy on its install; might have been removed in later versions), etc. etc.

Here it is with just the IP/username changed. It never makes the connection; just like the other HTTPS site, it goes right to "This webpage is not available ERR_CONNECTION_ABORTED" in Chrome.

Status:	Connecting to 1.2.3.4...
Trace:	Going to execute C:\Program Files (x86)\FileZilla FTP Client\fzsftp.exe
Response:	fzSftp started, protocol_version=2
Trace:	CSftpControlSocket::ConnectParseResponse(fzSftp started, protocol_version=2)
Trace:	CSftpControlSocket::SendNextCommand()
Trace:	CSftpControlSocket::ConnectSend()
Command:	open "username@1.2.3.4" 22
Trace:	Looking up host "1.2.3.4"
Trace:	Connecting to 1.2.3.4 port 22
Trace:	We claim version: SSH-2.0-PuTTY_Local:_Jun__2_2015_17:20:13
Trace:	Network error: Software caused connection abort
Error:	Network error: Software caused connection abort
Trace:	CControlSocket::DoClose(64)
Trace:	CSftpControlSocket::ResetOperation(66)
Trace:	CControlSocket::ResetOperation(66)
Error:	Could not connect to server
Trace:	CFileZillaEnginePrivate::ResetOperation(66)
Status:	Waiting to retry...

Can you send me the IP in PM and I will try and connect.

 

But you say you can ping it, and 22 is open? Do you get a SYN/ACK back to your SYN? Can you sniff on the outside of your firewall?


I can ping it, and telnet to port 22 on the IP and get a flashing cursor connection just fine.

PM coming now. Remember these are 2 totally different sites, vendors, etc.; the only common thing is SSL.

But you're not getting the host key. See here:

 

Trace:    We claim version: SSH-2.0-PuTTY_Local:_May_22_2015_16:44:29
Trace:    Server version: SSH-2.0-1.36_sshlib GlobalSCAPE
Trace:    We believe remote version ignores SSH-2 maximum packet size
Trace:    Using SSH protocol version 2
Trace:    Doing Diffie-Hellman group exchange
Trace:    Doing Diffie-Hellman key exchange with hash SHA-1
Trace:    Host key fingerprint is:
Trace:    ssh-dss 1024 ef:37:40:89:1c:41:fb:69:4a:c0:7c:79:ae:92:0d:9d
Command:    Trust new Hostkey: Once
 

Sorry for the delay; been traveling for work.

Or just a plain-jane network issue. So can you sniff on the outside of your firewall? Do you even get back a SYN/ACK to your SYN? Or is it not sending the traffic on 22 or 443 at all?

 

It for sure could be blocking the traffic for some reason, but then again it could be the site not talking back to you for a reason. Or could be they are not getting your SYN. Need to validate that you actually send one on the wire.

Have you tried Nmap from that machine? You should be able to see what ports are open and what services are running. Then something like Wireshark will give you an idea of what traffic is going through to the machine (albeit SSL is a pain in Wireshark).

Yeah, it's a bit difficult to read in that format, but you clearly have some RST closing the connection. Trying to make out the full flow; looks like that is showing both in and out. A normal pcap of the sniff would be much easier to read, since I could load it in Wireshark.

 

I see some SYN and then SYN/ACK opening the connection. But then you get RST closing them.


 

Sent in PM


Yeah, I see opening of 3 sessions to 443 from source ports 58780, 81 and 82; you get a SYN/ACK to those, then you get sent RST, basically telling you to FO!! Did that come from your firewall or the actual server? You need to sniff on the outside to be sure that it wasn't the firewall sending the close.

Well, if I use the U0 interface or any other connection besides the X1 WAN on the SonicWall, like from home or the aircard in the car, it works fine. And it's 2 different sites, one HTTPS and one SSH, doing this. So I am almost convinced it's the SonicWall.

Clearly you're getting RST that closes the session. Sniff on the OUTSIDE of the firewall: do you not see those RST?? And it's the firewall closing. If so, then yes, it's the firewall. But from your sniff clearly there is RST that looks to be coming from that IP saying FO, don't want to talk to you.

 

This means the conversation is OVER.

 

It could be your FW closing it, but why it would close it would be the ? Can you debug and trace the connection in the firewall to see why it would be sending RST? But a simple sniff should tell you if it came from the outside and the firewall is just sending it on.

 

When you use a different connection you're coming from a different IP. It could be the site doesn't want to talk to the IP you're coming from with this connection, and you get sent a RST.
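The SYN / SYN-ACK / RST analysis the last few posts ask for, as an added example that is not from the thread: a small Python script that reads simplified tcpdump-style lines (a constructed sample with hypothetical addresses, not the poster's capture), matches each SYN to its SYN/ACK and any RST, and compares IP TTLs, since a RST that claims to come from the server but carries a different TTL than the server's own SYN/ACK is a common sign it was injected by a firewall or other middlebox on the path.

```python
import re
# Simplified tcpdump-style line (real "tcpdump -v" prints more fields), e.g.
# "IP (ttl 52) 203.0.113.10.443 > 10.0.0.5.58780: Flags [S.]"
LINE_RE = re.compile(r"IP \(ttl (?P<ttl>\d+)\) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

# Constructed sample capture (hypothetical addresses, not the poster's data): three
# sessions to :443 like the ones discussed, each answered or torn down differently.
SAMPLE = """\
IP (ttl 64) 10.0.0.5.58780 > 203.0.113.10.443: Flags [S]
IP (ttl 52) 203.0.113.10.443 > 10.0.0.5.58780: Flags [S.]
IP (ttl 255) 203.0.113.10.443 > 10.0.0.5.58780: Flags [R.]
IP (ttl 64) 10.0.0.5.58781 > 203.0.113.10.443: Flags [S]
IP (ttl 52) 203.0.113.10.443 > 10.0.0.5.58781: Flags [S.]
IP (ttl 52) 203.0.113.10.443 > 10.0.0.5.58781: Flags [R.]
IP (ttl 64) 10.0.0.5.58782 > 203.0.113.10.443: Flags [S]
"""

def classify(s: dict) -> str:
    if s["synack_ttl"] is None:
        return "no SYN/ACK: SYN dropped on the path or server not answering"
    if s["rst"] is None:
        return "handshake completed, no RST seen"
    from_client, rst_ttl = s["rst"]
    if from_client:
        return "RST sent by the client side"
    if rst_ttl != s["synack_ttl"]:
        return "RST TTL differs from the server's SYN/ACK TTL: likely injected by a middlebox"
    return "RST TTL matches the server's SYN/ACK TTL: the server itself closed"

def analyse(capture: str) -> dict:
    """Map each client source port to a verdict on who tore the session down."""
    sessions = {}  # (client ip, client port) -> {"synack_ttl", "rst"}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, ttl = m["flags"], int(m["ttl"])
        src, dst = (m["src"], m["sport"]), (m["dst"], m["dport"])
        if flags == "S":  # bare SYN: the sender is the client
            sessions[src] = {"synack_ttl": None, "rst": None}
            continue
        from_client = src in sessions
        s = sessions.get(src if from_client else dst)
        if s is None:  # session whose SYN was not captured
            continue
        if "S" in flags and not from_client:  # SYN/ACK from the server
            s["synack_ttl"] = ttl
        elif "R" in flags and s["rst"] is None:  # first RST wins
            s["rst"] = (from_client, ttl)
    return {port: classify(s) for (_, port), s in sessions.items()}
```

Run it over an inside and an outside capture of the same attempt: if the outside capture shows no RST but the inside one does, the firewall itself is generating the close.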
