ProxySG & Advanced Secure Gateway

  • 1.  ERR_CONNECTION_RESET and Cipher mismatch for URL through proxy

    Posted Oct 14, 2022 02:54 PM
    In Chrome we receive the following errors for a URL:

    ERR_CONNECTION_RESET
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH

    Site checks out OK from Qualys SSL Server Test. If we bypass the proxy we can get to the site without issues.

    I tried pasting the URL in this window but it just hung the message screen.


  • 2.  RE: ERR_CONNECTION_RESET and Cipher mismatch for URL through proxy

    Posted Oct 15, 2022 06:48 AM
    Hello,

    As the message says, the issue is on the negotiation side. To get more information about this connection I would suggest generating a pcap file whose filter will be: the external IP used by the proxy to connect to the internet and the URL concerned. Then, once the pcap file is generated:

    - search for Client Hello and check the cipher/ssl version used for the connection
    - and compare it with the information in Server Hello

    You will be able to determine which one prevents you from establishing the connection.

    That is what I would do; if anyone disagrees or can give further details, feel free to say so :)

    Hope it helps!

    Best regards,
    Furil


  • 3.  RE: ERR_CONNECTION_RESET and Cipher mismatch for URL through proxy

    Posted Nov 22, 2022 09:19 AM
    Edited by Fermin Nov 22, 2022 09:21 AM
    Hi,

    as you didn't mention which SG or ASG version you have,

    I have version 6.7.5.19 on my servers, and I got the same error with websites that only use TLS 1.3. Why? Simply because, as far as I know, TLS 1.3 is supported by Symantec Proxy version 7.X, and yes, the solution is detect protocol disabled. If you are using a version older than 7, you will get the same error for TLS 1.3; if the website allows TLS 1.2 and 1.3 it will work.

    Regards
    Fermin Rodriguez.
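As an added example (not code from this thread or from Broadcom), here is a small Python parser for the comparison described in reply 2, applied to the situation in reply 3: it reads the TLS record bytes of a Client Hello and a Server Hello, extracts the versions and cipher suites each side offered or selected, and reports whether the server's choice was something the client actually offered, or, when no Server Hello came back, the highest version the client offered. The sample hellos are constructed inside the script as stand-ins for bytes exported from the pcap; the field layouts follow RFC 5246/8446.

```python
EXT_SUPPORTED_VERSIONS = 43      # extension type from RFC 8446
NAME = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
u16 = lambda n: n.to_bytes(2, "big")      # encode a 2-byte big-endian field
be = lambda b: int.from_bytes(b, "big")   # decode a big-endian field
# --- builders for constructed sample messages (stand-ins for bytes read from a pcap) ---
def record(htype, body):  # wrap a handshake body in handshake and record headers
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + u16(len(hs)) + hs

def client_hello(suites, versions=()):  # legacy_version TLS1.2; supported_versions only if given
    cs, ext = b"".join(map(u16, suites)), b""
    if versions:
        vs = b"".join(map(u16, versions))
        ext = u16(EXT_SUPPORTED_VERSIONS) + u16(len(vs) + 1) + bytes([len(vs)]) + vs
    return record(1, b"\x03\x03" + bytes(32) + b"\x00" + u16(len(cs)) + cs
                  + b"\x01\x00" + u16(len(ext)) + ext)

def server_hello(suite, version):  # a TLS1.3 choice is signalled only in supported_versions
    ext = u16(EXT_SUPPORTED_VERSIONS) + u16(2) + u16(version) if version == 0x0304 else b""
    return record(2, u16(min(version, 0x0303)) + bytes(32) + b"\x00" + u16(suite)
                  + b"\x00" + u16(len(ext)) + ext)
# --- parser: works on the raw TLS record bytes of a ClientHello or ServerHello ---
def parse_hello(rec):  # -> (handshake type, versions offered/selected, suites offered/selected)
    assert rec[0] == 22 and rec[5] in (1, 2), "not a ClientHello/ServerHello record"
    htype, p = rec[5], rec[9:9 + be(rec[6:9])]
    versions, off = [be(p[:2])], 34               # legacy_version; skip the 32-byte random
    off += 1 + p[off]                             # skip session_id
    if htype == 1:                                # ClientHello carries a list of suites
        n = be(p[off:off + 2]); off += 2
        suites = [be(p[i:i + 2]) for i in range(off, off + n, 2)]
        off += n + 1 + p[off + n]                 # past the suites and the compression list
    else:                                         # ServerHello carries one suite + compression
        suites = [be(p[off:off + 2])]; off += 3
    end = off + 2 + be(p[off:off + 2]); off += 2
    while off + 4 <= end:                         # walk the extensions
        etype, elen = be(p[off:off + 2]), be(p[off + 2:off + 4])
        if etype == EXT_SUPPORTED_VERSIONS:       # overrides legacy_version when present
            vs = p[off + 5:off + 4 + elen] if htype == 1 else p[off + 4:off + 4 + elen]
            versions = [be(vs[i:i + 2]) for i in range(0, len(vs), 2)]
        off += 4 + elen
    return htype, versions, suites

def diagnose(client_rec, server_rec=None):  # server_rec=None: server reset or sent an alert
    _, cv, cs = parse_hello(client_rec)
    if server_rec is None:
        return f"no ServerHello; client offered up to {NAME[max(cv)]}"
    _, sv, ss = parse_hello(server_rec)
    if sv[0] not in cv or ss[0] not in cs:
        return f"server selected {NAME[sv[0]]}/0x{ss[0]:04x}, which the client did not offer"
    return f"negotiated {NAME[sv[0]]} with suite 0x{ss[0]:04x}"
```

A Client Hello with no supported_versions extension and legacy_version 0x0303 tops out at TLS 1.2, which is the case a TLS 1.3-only site will refuse; the suite values used in the test (0x1301, 0xc02f, 0xc030) are standard IANA cipher suite identifiers chosen as sample input.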




  • 4.  RE: ERR_CONNECTION_RESET and Cipher mismatch for URL through proxy

    Posted Nov 23, 2022 04:55 PM
    Thanks Fermin!

    This is exactly what I needed. I should have mentioned in my original post that this was for a ProxySG S400-40 running version 6.7.5.12.

    I did open a ticket with Broadcom for this and they said we needed to upgrade to 7.x code. Good to know that this is not the case and we can put in a CPL rule that disables the check.

    Much appreciated.