Trouble connecting to one site through HTTPS proxy
Desktop software that requires online activation has been failing to activate due to connection issues. While testing, there are also issues opening the software company's website (www.captureone.com). There have been no other issues with any other site so it seems to be specific to this site/domain.
The company's tech support gave me the following URL that can be used to check the status of their activation servers:
https://activation.phaseone.com/Errors/ServiceStatus.aspx
Sometimes it responds but most of the time it times out. Checking it from other locations however does not time out, so it seems to be an issue with this LAN behind this firewall.
This particular Firebox is an M300 v11.9.6
Here's a debug log when trying to access the above URL. I'm wondering if there's anything that stands out here and points to something that could be adjusted on this device?
```
2021-07-01 07:21:43 https-proxy 0x10835910-498 277043472:498: nondata event 'SSL_PROTO_CLIENT_HELLO_COMPLETE: 46: 192.168.9.203:1025 -> 23.45.12.32:443 [A t] {B}' Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 277043472:498: nondata event 'CONNECTED_CHAN_B: 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {X}' Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {X}: B CONNECTED - commencing with DPI! Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N}: ssl handshake completed Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N}: connected with TLSv1.3 (0x304) Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N}: OCSP check skipped (OCSP Disabled) Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 277043472:498: nondata event 'SSL_CONNECTED: 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N}' Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N}: B PXY_EVENT_SSL_CONNECTED !!! Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 https_domain_name_check matching rule against ip: 23.45.12.32 Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 https_restart_b_simple: 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N} Done with the DPI channel B, closing it. Debug
2021-07-01 07:21:43 https-proxy 0x10835910-498 https_restart_b_simple: 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N} use the NATed src ip for the new channel B connection. Debug
2021-07-01 07:22:13 https-proxy 0x10835910-498 277043472:498: nondata event 'CLOSE: 46: 192.168.9.203:1025 -> 23.45.12.32:443 [A tr] {N}' Debug
2021-07-01 07:22:13 https-proxy 0x10835910-498 277043472:498: nondata event 'CHAN_READ_BLOCKED: 46: 192.168.9.203:1025 -> 23.45.12.32:443 [A txr] {N }' Debug
2021-07-01 07:22:20 pxy 0x10836180-396 connect failed Connection timed out 50: 192.168.9.203:1024 -> 23.45.12.66:443 [A txr] {N } | 51: 98.152.130.138:50873 -> 23.45.12.66:443 [!B c] {N}[eo] Debug
2021-07-01 07:22:20 https-proxy 0x10836180-396 277045632:396: nondata event 'FAILED_CHAN_B: 51: 98.152.130.138:50873 -> 23.45.12.66:443 [!B fc] {N}' Debug
2021-07-01 07:22:20 https-proxy 0x10836180-396 50: 192.168.9.203:1024 -> 23.45.12.66:443 [A txr] {N } | 51: 98.152.130.138:50873 -> 23.45.12.66:443 [!B fc] {N}[eo]: failed to connect B channel Debug
2021-07-01 07:22:20 https-proxy 0x10836180-396 CLEANUP for conn 0x10836180 :-1: 192.168.9.203:1024 -> 23.45.12.66:443 [~!A xra] {N} | -1: 98.152.130.138:50873 -> 23.45.12.66:443 [~!B fa] {N}[Ceo] Debug
2021-07-01 07:22:20 Allow 192.168.9.203 23.45.12.66 https/tcp 1024 443 2-INT 7-EXT HTTPS Request (HTTPS Client proxy-00) HTTPS-Client-custom proc_id="https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS-Client-custom" tls_profile="TLS-Client-HTTPS.Standard" tls_version="TLS_V13" sni="activation.phaseone.com" cn="activation.phaseone.com" cert_issuer="CN=R3,O=Let's Encrypt,C=US" cert_subject="CN=activation.phaseone.com" action="allow" app_id="0" app_cat_id="0" sent_bytes="517" rcvd_bytes="3571" Traffic
```
Comments
I'm using V12.7 U1, and I see this when I try the link that you provided.
I use an HTTPS proxy for this access.
Activation service is alive.
Your firewall software version is very old (25 November 2014), so it could be an issue with it.
You can add an HTTPS packet filter To: that site.
Since your version does not support dynamic lookups for FQDNs, you need to use the IP addr(s) of that site in the To: field.
Yeah, I considered that it may be an issue with the old software.
Regarding FQDNs not supported on this version, are you sure that's accurate? FQDN is an option in the **Add Member** dialog box.
Another thing I noticed is that captureone.com is hosted on Akamai's platform which serves content from many nodes. Doing a DNS lookup on captureone.com for example from different locations will likely return different IP addresses. And even from the same location you will get different IP addresses from a series of DNS lookups. Just wondering if that distributed node architecture on the other end could be causing any problems.
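An added example, not part of the original thread: a small parser for the debug log format posted above that groups entries by proxy connection id and reports which destination IPs completed a TLS handshake and which timed out on the outbound (B channel) connect. The field layout and the marker strings are inferred from the posted lines, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# Four entries copied from the debug log in the original post.
SAMPLE_LOG = """\
2021-07-01 07:21:43 https-proxy 0x10835910-498 47: 98.152.130.138:1025 -> 23.45.12.32:443 [B t] {N}: ssl handshake completed Debug
2021-07-01 07:22:13 https-proxy 0x10835910-498 277043472:498: nondata event 'CLOSE: 46: 192.168.9.203:1025 -> 23.45.12.32:443 [A tr] {N}' Debug
2021-07-01 07:22:20 pxy 0x10836180-396 connect failed Connection timed out 50: 192.168.9.203:1024 -> 23.45.12.66:443 [A txr] {N } | 51: 98.152.130.138:50873 -> 23.45.12.66:443 [!B c] {N}[eo] Debug
2021-07-01 07:22:20 https-proxy 0x10836180-396 50: 192.168.9.203:1024 -> 23.45.12.66:443 [A txr] {N } | 51: 98.152.130.138:50873 -> 23.45.12.66:443 [!B fc] {N}[eo]: failed to connect B channel Debug
"""

# Layout inferred from the posted lines: date time process conn-id message level
ENTRY = re.compile(r"^(\S+ \S+) (\S+) (0x[0-9a-fA-F]+-\d+) (.*) (\w+)$")
FLOW = re.compile(r"(\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):443")
MARKERS = {
    "ssl handshake completed": "handshake_ok",
    "connect failed Connection timed out": "connect_timeout",
    "failed to connect B channel": "connect_timeout",
}

def summarize(log_text):
    """Group entries by connection id; record destination IPs and outcomes."""
    conns = defaultdict(lambda: {"dst": set(), "outcomes": set()})
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # e.g. the traffic log line, which has no connection id
        _, _, conn_id, message, _ = m.groups()
        for _, dst in FLOW.findall(message):
            conns[conn_id]["dst"].add(dst)
        for text, outcome in MARKERS.items():
            if text in message:
                conns[conn_id]["outcomes"].add(outcome)
    return dict(conns)

def destinations_by_outcome(log_text, outcome):
    """Sorted destination IPs of connections that reached the given outcome."""
    found = set()
    for info in summarize(log_text).values():
        if outcome in info["outcomes"]:
            found |= info["dst"]
    return sorted(found)

if __name__ == "__main__":
    for cid, info in summarize(SAMPLE_LOG).items():
        print(cid, sorted(info["dst"]), sorted(info["outcomes"]))
```

On the posted entries, the handshake that completed and the connect that timed out went to different destination addresses.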