IPv6 https-proxy issue
Hi All,
I'm rolling out IPv6 internally through my M470, and I get these spurious logs.
2024-04-22 10:46:14 https-proxy 0x2c1f480-64896 681: 2a00:xxxx:yyyy::50:53741 -> 2603:1020:705:8::400:443 [!B fc] {N}: Side channel SSL failed (Domain: N/A) - proceed with rule check Debug
2024-04-22 10:46:14 pxy 0x2c1f480-64896 connect failed Connection timed out -1: :::0 -> :::0 [!A] {N} | 681: 2a00:xxxx:yyyy::50:53741 -> 2603:1020:705:8::400:443 [!B c] {N}[L!BPeo] Debug
The 2a00:xxxx:yyyy::50 is the IPv6 on the WAN interface, not the IPv6 on the LAN interface.
I actually have OPNSense behind the Watchguard LAN doing NPTv6 to translate ULA to GUA, but I do not think this is anything to do with the issue above.
I am routing a /60 down from an upstream OPNSense router to the Watchguard appliance.
Anyone any ideas what this might be? It doesn't appear to be affecting anything, but is annoying me.
Thanks
Alan
Comments
I'm seeing the same thing on my M390 with one of the VLAN addresses for the Firebox:
2024-04-22 09:56:30 https-proxy 0x38a85980-23848 114: 2600:4040:xxxx:yyyy:::54483 -> 2001:4998:58:207::6000:443 [!B fc] {N}: Side channel SSL failed (Domain: N/A) - proceed with rule check
All of the logs are saying that the B channel (the side of the connection from the firewall to the distant webserver) is failing. I would check that side of the connection. If this is failing for multiple sites, it might be possible that IPv6 is not set up correctly on this/these firewalls.
-James Carson
WatchGuard Customer Support
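One way to check whether the failures span multiple sites, as the reply above suggests. This is an added example, not part of the original thread and not WatchGuard tooling: it tallies "Side channel SSL failed" lines by destination. The sample lines are constructed in the format shown in the posts, using documentation-prefix addresses, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the thread; the addresses
# use the 2001:db8::/32 documentation prefix.
SAMPLE_LOG = """\
2024-04-22 10:46:14 https-proxy 0x2c1f480-64896 681: 2001:db8:aa::50:53741 -> 2001:db8:1::400:443 [!B fc] {N}: Side channel SSL failed (Domain: N/A) - proceed with rule check Debug
2024-04-22 10:46:14 pxy 0x2c1f480-64896 connect failed Connection timed out -1: :::0 -> :::0 [!A] {N} | 681: 2001:db8:aa::50:53741 -> 2001:db8:1::400:443 [!B c] {N}[L!BPeo] Debug
2024-04-22 10:47:02 https-proxy 0x2c1f480-64901 702: 2001:db8:aa::50:53790 -> 2001:db8:2::6000:443 [!B fc] {N}: Side channel SSL failed (Domain: N/A) - proceed with rule check Debug
2024-04-22 10:47:40 https-proxy 0x2c1f480-64910 715: 2001:db8:aa::50:53802 -> 2001:db8:1::400:443 [!B fc] {N}: Side channel SSL failed (Domain: N/A) - proceed with rule check Debug
"""

# "<src> -> <dst> [" where each endpoint is an unbracketed addr:port token.
FLOW = re.compile(r"(\S+) -> (\S+) \[")


def split_endpoint(endpoint):
    """Split unbracketed 'addr:port'; the port is the text after the last colon."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, int(port)


def side_channel_failures(log_text):
    """Return (source addr, destination addr, destination port) per failure line."""
    hits = []
    for line in log_text.splitlines():
        if "Side channel SSL failed" not in line:
            continue
        m = FLOW.search(line)
        if not m:
            continue
        src, _ = split_endpoint(m.group(1))
        dst, dport = split_endpoint(m.group(2))
        hits.append((src, dst, dport))
    return hits


def summarize(log_text):
    """Count failures per destination and list the distinct source addresses."""
    hits = side_channel_failures(log_text)
    per_dst = Counter((dst, dport) for _, dst, dport in hits)
    sources = sorted({src for src, _, _ in hits})
    return per_dst, sources


if __name__ == "__main__":
    per_dst, sources = summarize(SAMPLE_LOG)
    for (dst, dport), n in per_dst.most_common():
        print(f"{n:3d}  [{dst}]:{dport}")
    print("sources:", ", ".join(sources))
```

Failures spread across many destinations point at the firewall's own IPv6 path; the source list shows which Firebox address originates them.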
That’s what I don’t understand. IPv6 works perfectly all the way downstream. That IPv6 is just a hop through the firewall, so I fail to see what... from the WAN side of the firebox... is going through the https proxy.
You can’t really get the IPv6 config wrong... it has an IPv6 on the WAN with a routed subnet of /61 via that IP.