Hi,

Some hosts in the LAN are randomly unable to connect to external https
services. All connections are going through a Shorewall routing
firewall.

One host in the same vlan with src IP addr. 10.215.111.210 is properly
accessing the following site:

curl --verbose --head https://teams.microsoft.com
*   Trying 52.113.194.132:443...
* Connected to teams.microsoft.com (52.113.194.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: C:\cURL\curl-ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
[etc]

Another host in the same vlan with IP addr. 10.215.111.199 is unable
to connect to the exact same site and at the same time
(52.113.194.132):

curl --verbose --head https://teams.microsoft.com
*   Trying 52.113.194.132:443...
* Connected to teams.microsoft.com (52.113.194.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: C:\curl\curl-ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

This is what I see with tcpdump while trying the above connection
("wan" is the interface facing Internet):

# tcpdump -n -i wan host 10.215.111.199
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:58:55.602587 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [S], seq 1097095637, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:55.602797 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [S.], seq 2635751257, ack 1097095638, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:58:55.604900 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [.], ack 1, win 1026, length 0
10:58:55.880427 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
10:58:55.880581 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [.], ack 518, win 123, length 0

What makes things "worse" is that if I tamper with this host's "hosts"
file and manually set the name resolution of teams.microsoft.com to
52.113.195.132 (another valid IP addr. for teams.microsoft.com) then
it can finally connect as expected.

There's no shorewall rule to block 52.113.194.132:443 so I don't know
why the TLS handshake is failing.

I'd like to determine if this is a communications issue (i.e.
Shorewall) or a client/server hosts problem.

Regards,

Vieri
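As an added example (not part of Vieri's post), the Python script below reads tcpdump summary lines like the ones quoted above and classifies each TCP flow by how far it got: no SYN/ACK, ClientHello acknowledged but no server data (the pattern in the wan-side capture, where the 517-byte ClientHello is ACKed by 52.113.194.132 and nothing comes back), or server data seen. The sample capture is constructed from the quoted lines, and the regex assumes tcpdump's default (non -v) output format.

```python
import re

# Constructed sample: the wan-side tcpdump lines quoted in the post, one packet per line.
SAMPLE_CAPTURE = """\
10:58:55.602587 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [S], seq 1097095637, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:55.602797 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [S.], seq 2635751257, ack 1097095638, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:58:55.604900 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [.], ack 1, win 1026, length 0
10:58:55.880427 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
10:58:55.880581 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [.], ack 518, win 123, length 0
"""

# Default (non -v) tcpdump TCP summary line; the ack field is absent on a bare SYN.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:.*? ack (?P<ack>\d+))?.*? length (?P<length>\d+)$"
)

def classify_flows(capture):
    """Map 'client:port->server:port' to a verdict for every TCP flow in capture."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines, non-TCP packets
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        flags, length = m["flags"], int(m["length"])
        if "S" in flags and "." not in flags:  # bare SYN: the sender is the client
            flows[key] = {"c_bytes": 0, "s_bytes": 0, "synack": False, "acked": 0}
        elif key in flows:  # client -> server
            flows[key]["c_bytes"] += length
        elif key[2:] + key[:2] in flows:  # server -> client
            st = flows[key[2:] + key[:2]]
            st["synack"] |= flags == "S."
            st["s_bytes"] += length
            if m["ack"] and "S" not in flags:  # relative ack (SYN/ACK prints an absolute one)
                st["acked"] = max(st["acked"], int(m["ack"]))
    out = {}
    for (c, cp, s, sp), st in flows.items():
        if not st["synack"]:
            verdict = "no SYN/ACK seen: connect blocked or unanswered"
        elif st["s_bytes"]:
            verdict = "server payload seen: TLS handshake progressed"
        elif st["c_bytes"] and st["acked"] > st["c_bytes"]:
            verdict = "ClientHello acked, no server payload: TLS stalled after ClientHello"
        else:
            verdict = "TCP established, no application data yet"
        out[f"{c}:{cp}->{s}:{sp}"] = verdict
    return out
```

Running `classify_flows(SAMPLE_CAPTURE)` reports the quoted flow as stalled after the ClientHello; because the capture was taken on the wan interface, the server's ACK of byte 518 shows the ClientHello left the firewall, which narrows the question to what happens beyond it.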


Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
