Hi Chris,
Thanks for reaching out. A few things to note:
- The KB you mentioned is specifically for the Kindle for Mac app.
- Your saying that this magically works again when the browser is closed and reopened makes me lean toward this being a browser issue, and not necessarily a ProxySG issue.
- The most common places for the TLS handshake to break when the ProxySG is at fault are right after the Client Hello on a Client-Proxy session (if the Client Hello doesn't contain at least one allowed cipher or isn't using an allowed protocol), or after the Server Hello and Certificate in a Proxy-Server session (if the Server Hello contains an incompatible cipher, or if the ProxySG is set to do Server Certificate Validation and doesn't trust the Server Certificate).
I understand that you can't turn off SSL decryption as a fix, but I would try temporarily disabling it and some of the other services for an affected user, using the troubleshooting CPL found in the KB below, to either vindicate or condemn the ProxySG in this case:
https://knowledge.broadcom.com/external/article?legacyId=tech243229
With the CPL installed and configured for your test user, I would try accessing the website again and see what happens. If the issue persists, and you can see from a policy trace that those rules are matching, then the issue lies outside of the ProxySG. If you can consistently reach it after applying the policy, then you can comment out different elements of the script to see which service is at play.
While you mentioned that you saw TLS handshake failures in a packet capture, I would expect that traffic to fail every time, and not work after closing and reopening the browser. If you are using a surrogate authentication method (ProxyIP, Origin-IP-Redirect, etc.), I could possibly see an issue with authentication on this site that would resolve itself once the surrogate was set by authenticating to a different site... One would need to take a closer look to see.
This is where I would start. As always, feel free to log a ticket with Support to have someone take a closer look at the situation.
Thanks!
Original Message:
Sent: 07-09-2020 05:55 AM
From: Chris Shu
Subject: proxysg is not compatible with Session Ticket
Hi Team,
In our country there is a website, www.baidu.com, which is like www.google.com; www.baidu.com is a search engine website. After deploying the ProxySG, when Cx access www.baidu.com, they fail to access it. Other Baidu sites also have this problem.
Troubleshooting:
1. They must close the browser and open it again; then they can access this website.
2. We checked the Wireshark pcap; it shows the traffic always fails in the Session Ticket cycle.
3. We also saw the same problem in this KB:
https://knowledge.broadcom.com/external/article?articleId=170224
It only shows the workaround, but we have no solution, because we also use NDLP to inspect and intercept the HTTPS traffic. So if we bypass www.baidu.com and other Baidu subdomains like pan.baidu.com, which allows uploading files, we will have the danger of losing data.
What can we do now?
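The reply above points at the Client Hello as the first place a decrypting proxy can break a handshake (no allowed cipher, no allowed protocol), and the original post reports the failures in the Session Ticket cycle. The following is an added example, not code from either poster or from the ProxySG product: it parses a TLS ClientHello record exactly as you would pull it out of a pcap, reports the offered protocol versions and cipher suites, flags whether the hello is a ticket-based resumption attempt (a non-empty session_ticket extension), and checks the offer against an allow-list. The allow-lists are hypothetical stand-ins for whatever the proxy's SSL profile actually permits, and the two sample records are constructed inline, not captured traffic.

```python
# Added example: parse a captured TLS ClientHello and check it the way a decrypting
# proxy's SSL profile would, plus flag session-ticket resumption attempts.
# ALLOWED_VERSIONS / ALLOWED_CIPHERS are hypothetical, not ProxySG defaults.
import struct

TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SESSION_TICKET = 0x0023      # RFC 5077 session_ticket extension
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension

ALLOWED_VERSIONS = {"TLS1.2", "TLS1.3"}
ALLOWED_CIPHERS = {0xC02F, 0xC030, 0x1301, 0x1302}  # ECDHE-RSA-AES-GCM, TLS 1.3 AES-GCM


def build_client_hello(legacy_version, ciphers, extensions):
    """Assemble a minimal ClientHello record (used here only to construct sample input)."""
    ext_body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    hello = (
        struct.pack(">H", legacy_version)
        + bytes(32)                                  # client random (zeroed for the sample)
        + b"\x00"                                    # empty legacy session_id
        + struct.pack(">H", 2 * len(ciphers))
        + b"".join(struct.pack(">H", c) for c in ciphers)
        + b"\x01\x00"                                # one compression method: null
        + struct.pack(">H", len(ext_body))
        + ext_body
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the fields a proxy decides on: offered versions, cipher suites, resumption."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 0
    legacy_version = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                    # skip legacy_version and random
    pos += 1 + hello[pos]                            # skip session_id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                            # skip compression methods

    extensions = {}
    if pos < len(hello):
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            extensions[etype] = hello[pos:pos + elen]
            pos += elen

    # With supported_versions present, legacy_version is fixed at 0x0303 and the real
    # offer lives in the extension; otherwise legacy_version is the highest version offered.
    if EXT_SUPPORTED_VERSIONS in extensions:
        sv = extensions[EXT_SUPPORTED_VERSIONS]
        versions = [struct.unpack(">H", sv[i:i + 2])[0] for i in range(1, 1 + sv[0], 2)]
    else:
        versions = [legacy_version]

    ticket = extensions.get(EXT_SESSION_TICKET)
    return {
        "versions": [TLS_VERSIONS.get(v, hex(v)) for v in versions],
        "ciphers": ciphers,
        # Non-empty session_ticket = resumption attempt; empty = just asking for a ticket.
        "is_resumption": bool(ticket),
    }


def check_against_profile(info):
    """Reasons the proxy would abort right after the ClientHello; empty list means it passes."""
    reasons = []
    if not set(info["versions"]) & ALLOWED_VERSIONS:
        reasons.append("no allowed protocol version offered")
    if not set(info["ciphers"]) & ALLOWED_CIPHERS:
        reasons.append("no allowed cipher suite offered")
    return reasons


# Constructed samples, not captured traffic.
RESUMPTION_HELLO = build_client_hello(
    0x0303, [0xC02F, 0x002F],
    [(EXT_SESSION_TICKET, b"\xaa" * 16)],            # resuming with a 16-byte ticket
)
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x000A], [])  # TLS 1.0, RC4/3DES only

if __name__ == "__main__":
    for name, rec in (("resumption", RESUMPTION_HELLO), ("legacy", LEGACY_HELLO)):
        info = parse_client_hello(rec)
        print(name, info, check_against_profile(info) or "ok")
```

To apply this to the Baidu capture, export the failing ClientHello bytes from Wireshark (the TLS record starting at the 0x16 content type) and feed them to parse_client_hello. If check_against_profile returns no reasons but the capture still shows the handshake failing, the break is not a cipher/protocol mismatch at the Client Hello, which points further along the handshake or away from the proxy entirely, as the reply suggests. Comparing is_resumption between the hellos that fail and the one that succeeds after a browser restart tells you whether only resumption attempts are affected.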