RST ACK Packet from Server to Proxy

We are facing a very strange issue: when we connect to a website, we get a lot of RST, ACK packets:

[packet capture screenshot: Sipchem-Issue.PNG]

And the proxy gives the error:

[proxy error screenshot: M2.png]

Testing with OpenSSL from the client gives 'Verify return code: 21 (unable to verify the first certificate)', with the first certificate being 's:C = US, ST = California, L = Milpitas, O = "FireEye, Inc.", CN = 172.16.5.100'.


A self-signed certificate is being used on the proxy. Can anyone help or give any pointers in this case?


4 Replies
aloksard (McAfee Employee)
Message 2 of 5

Re: RST ACK Packet from Server to Proxy

Hi,

Hope you are doing well.

In the packet capture screenshot you provided, it is seen that after MWG sends the Client Hello to the destination server, it receives a RST response instead of a Server Hello response, the SSL handshake is not completed, and the SSL handshake failed message is displayed by the proxy.

The issue is reproducible at my end if I add a DNS host entry for www.whois.com.au to use IP address 64.62.140.72.

After this, when I browse www.whois.com.au, I get the SSL handshake failed message.

This looks to be an issue with the server side and not with MWG.

Attached is a snapshot of the packet capture at my end.

Internet Protocol Version 4, Src: 172.19.212.189, Dst: 64.62.140.72
Transmission Control Protocol, Src Port: 56312, Dst Port: 443, Seq: 1, Ack: 1, Len: 517
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Extension: server_name
Type: server_name (0x0000)
Length: 21
Server Name Indication extension
Server Name list length: 19
Server Name Type: host_name (0)
Server Name length: 16
Server Name: www.whois.com.au

[The raw bytes of the Client Hello record follow in the capture and are not recoverable as text; the printable fragments show the SNI name www.whois.com.au and the ALPN values h2 and http/1.1. The dump ends with the server's reply to the Client Hello:]

HTTP/1.1 400 Bad Request
Date: Wed, 21 Nov 2018 11:46:45 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 305
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at whiskey.he.net Port 80</address>
</body></html>

Reverse DNS lookup for IP address 64.62.140.72 gives me the answer whois.com.au.

For now, you can add a DNS host entry for the domain www.whois.com.au to use IP address 99.84.234.104 and check.


Regards

Alok Sarda


aloksard (McAfee Employee)
Message 3 of 5

Re: RST ACK Packet from Server to Proxy

Hi,

Also, to mention: without the hosts file entry with IP address 64.62.140.72, the URL works fine through the proxy.

Below is the DNS resolution output from the proxy.

[root@Alok-1 ~]# nslookup www.whois.com.au
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
www.whois.com.au canonical name = d1z6k7bx3taugg.cloudfront.net.
Name: d1z6k7bx3taugg.cloudfront.net
Address: 54.230.71.52
Name: d1z6k7bx3taugg.cloudfront.net
Address: 54.230.71.116
Name: d1z6k7bx3taugg.cloudfront.net
Address: 54.230.71.8
Name: d1z6k7bx3taugg.cloudfront.net
Address: 54.230.71.62

The URL also works fine when pointed towards IP address 99.84.234.104.


Regards

Alok Sarda
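The two replies above reproduce the failure by pinning www.whois.com.au to 64.62.140.72 in a hosts file and reading the capture, and show it working when DNS (or 99.84.234.104) is used instead. The following is an added example, not MWG or McAfee code, that does the same check over a socket: it builds a TLS ClientHello with the server_name extension (the length fields come out exactly as the capture shows them for www.whois.com.au: extension 21, list 19, name 16), sends it to each candidate address, and classifies the first bytes returned. A TCP RST, a TLS alert, a ServerHello and a plaintext HTTP response (the capture above ends with an Apache HTTP/1.1 400 after the ClientHello, which means that address is not speaking TLS for the name on that port) are reported distinctly. Host names and addresses are the ones from the thread; the cipher list is an arbitrary short set chosen for the example, and `probe()`/`resolve()` need network access.

```python
#!/usr/bin/env python3
"""Probe what an address returns to a TLS ClientHello carrying SNI (added example)."""
import os
import socket
import struct
import sys
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record whose only extension is server_name."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name(0) + len + name
    sni_list = struct.pack("!H", len(entry)) + entry               # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type server_name(0)
    extensions = struct.pack("!H", len(ext)) + ext
    # Arbitrary short cipher list (assumption): enough to elicit a ServerHello or an alert.
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f\x00\x35"
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                          # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(client_hello: bytes) -> Optional[dict]:
    """Walk a ClientHello record and return the server_name extension's length fields and name."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + client_hello[p]                             # session_id
    p += 2 + struct.unpack("!H", client_hello[p:p + 2])[0]   # cipher_suites
    p += 1 + client_hello[p]                             # compression_methods
    end = p + 2 + struct.unpack("!H", client_hello[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", client_hello[p:p + 4])
        p += 4
        if etype == 0x0000:
            list_len = struct.unpack("!H", client_hello[p:p + 2])[0]
            name_len = struct.unpack("!H", client_hello[p + 3:p + 5])[0]
            name = client_hello[p + 5:p + 5 + name_len].decode("ascii")
            return {"ext_len": elen, "list_len": list_len, "name_len": name_len, "name": name}
        p += elen
    return None


def classify_response(first_bytes: Optional[bytes], error: Optional[BaseException] = None) -> str:
    """Name what the peer did with our ClientHello, from the first bytes or the socket error."""
    if error is not None:
        if isinstance(error, ConnectionResetError):
            return "tcp-rst"                             # the OP's case: RST,ACK and no ServerHello
        if isinstance(error, ConnectionRefusedError):
            return "tcp-refused"
        if isinstance(error, (socket.timeout, TimeoutError)):
            return "timeout"
        return "error: %s" % error
    if not first_bytes:
        return "closed-without-data"
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-server-hello"                    # handshake record: the address serves TLS for this SNI
        if first_bytes[0] == 0x15:
            return "tls-alert"                           # e.g. unrecognized_name or handshake_failure
    if first_bytes.startswith(b"HTTP/"):
        # The reply's dump ends this way: Apache answered the ClientHello with HTTP/1.1 400,
        # i.e. that address is not serving TLS for the name on that port.
        return "plaintext-http: " + first_bytes.split(b"\r\n", 1)[0].decode("latin-1")
    return "unknown"


def probe(ip: str, server_name: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one ClientHello to ip:port and classify the reply. Needs network access."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(build_client_hello(server_name))
            return classify_response(s.recv(4096))
    except OSError as e:
        return classify_response(None, e)


def resolve(server_name: str, port: int = 443) -> list:
    """Current DNS answers for the name, i.e. the set a hosts-file override replaces."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(server_name, port, type=socket.SOCK_STREAM)})


if __name__ == "__main__":
    # usage: python3 sni_probe.py www.whois.com.au [64.62.140.72 99.84.234.104 ...]
    # With no addresses given it probes whatever DNS returns, like the working case in the reply.
    host = sys.argv[1] if len(sys.argv) > 1 else "www.whois.com.au"
    targets = sys.argv[2:] or resolve(host)
    for ip in targets:
        print("%-16s %s" % (ip, probe(ip, host)))
```

Run it once against the pinned address and once against the DNS answers: a result other than "tls-server-hello" for the pinned address, while the DNS addresses succeed, confirms the hosts entry (not the proxy) is what breaks the handshake. The classifier only looks at the first bytes, so it deliberately stops short of validating the certificate; that is the separate "Verify return code: 21" the original post saw from the proxy's self-signed certificate.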

Re: RST ACK Packet from Server to Proxy

Please elaborate what the IP address 99.84.234.104 is, because if I do a DNS check the following IPs are listed for this domain:


1. www.whois.com.au -> 1z6k7bx3taugg.cloudfront.net. / 52.84.21.21
2. www.whois.com.au -> 1z6k7bx3taugg.cloudfront.net. / 52.84.21.253
3. www.whois.com.au -> 1z6k7bx3taugg.cloudfront.net. / 52.84.21.19
4. www.whois.com.au -> 1z6k7bx3taugg.cloudfront.net. / 52.84.21.63

aloksard (McAfee Employee)
Message 5 of 5

Re: RST ACK Packet from Server to Proxy

Hi,

IP address 99.84.234.104 is the one seen in the output of SSLLabs.com for the URL www.whois.com.au when I checked yesterday.

The site is basically hosted/served using CloudFront, which is a content delivery network.

Regards

Alok Sarda
