This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

change cipher spec encrypted handshake message - page blocked internal

Hello, first time posting here. Not exactly sure of the protocol on what to post; I shall do my best.

I've got an HR user that connects to a secure website:

https://sbsftp.benefitfocus.com/

When I give my laptop a public IP and try from outside the firewall, the connection works, and Wireshark says:

82  6.152399000 74.213.141.49   **MachinePublicIP** TCP 60  443→54768 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
96  8.009220000 74.213.141.49   **MachinePublicIP** TCP 62  443→55209 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1380 SACK_PERM=1

followed by server hello, certificate, client key exchange, then packets that look like this

108 8.120849000 74.213.141.49   **MachinePublicIP** TLSv1   725 Application Data, Application Data, Encrypted Alert

When I try from inside, browser gives 'err-connection-closed' error and will not connect.

I get this from wireshark RED row(s)

262 9.656649000 74.213.141.49   **MachineinternalIP**   TCP 60  443→53427 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

followed by similar packets - the port 443->53427 - the second number increments with each error.

Thanks for any help!

Brent

asked 05 May '15, 09:14

FrankChibu

edited 05 May '15, 09:23

grahamb ♦

One Answer:

It seems you are still using the public IP on your laptop when connecting from inside? That's what the text you posted shows (74.213.141.49 used in both cases).

The "error" case you show looks like your client is closing the connection; what was the URL you used in the "internal" case? If it's the "internal IP" of the server, then it's likely not to match the info in the server certificate and so the client will close the connection. This is more likely if the RST occurs after receipt of the server certificate.

Update:

OK I misread the text, thinking that packet was the client SYN, but it's obviously the server SYN ACK back. Yet more proof that analysis by text snippet is awkward.

So the server is issuing the RST; this makes me think it's more likely that something in the network path from the client to the server (router or server itself) is configured to reject connection attempts to the external IP from an internal route.

Note: Analysing issues using portions of text output is a bit of guesswork, much better to post a capture somewhere publicly (cloudshark, Google Drive, Dropbox etc.), using an anonymiser such as TraceWrangler if necessary.

answered 05 May '15, 09:32

grahamb ♦

edited 05 May '15, 10:39
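
The update above turns on which side sent the RST, and that can be read from the exported text by checking which end of the `443→NNNNN` pair is the source port. The following Python sketch is an added example, not part of the original answer; its regular expression assumes the default column layout shown in the question, and the last sample line is constructed for contrast.

```python
import re

# Summary-line layout of a Wireshark text export, as pasted in the question:
#   No.  Time  Source  Destination  Protocol  Length  Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s*(?:→|->|>)\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse_tcp_summary(line):
    """Return a dict for a TCP summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("no", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["flags"] = {f.strip() for f in rec["flags"].split(",")}
    return rec

def rst_senders(lines, server_port=443):
    """List (frame, sender, client_port) for every RST in the export.

    "server-side" only means the RST carries the server's address and port.
    A firewall or router in the path can send it on the server's behalf, and
    a capture taken at the client cannot tell the two apart.
    """
    found = []
    for line in lines:
        rec = parse_tcp_summary(line)
        if rec is None or "RST" not in rec["flags"]:
            continue
        if rec["sport"] == server_port:
            found.append((rec["no"], "server-side", rec["dport"]))
        elif rec["dport"] == server_port:
            found.append((rec["no"], "client-side", rec["sport"]))
        else:
            found.append((rec["no"], "unknown", None))
    return found

# The first four lines are quoted from the question; the last one is constructed.
SAMPLE = [
    "82  6.152399000 74.213.141.49   **MachinePublicIP** TCP 60  443→54768 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0",
    "96  8.009220000 74.213.141.49   **MachinePublicIP** TCP 62  443→55209 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1380 SACK_PERM=1",
    "108 8.120849000 74.213.141.49   **MachinePublicIP** TLSv1   725 Application Data, Application Data, Encrypted Alert",
    "262 9.656649000 74.213.141.49   **MachineinternalIP**   TCP 60  443→53427 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0",
    "300 9.900000000 **MachineinternalIP**   74.213.141.49   TCP 54  53428→443 [RST] Seq=1 Win=0 Len=0",
]

if __name__ == "__main__":
    for frame, sender, port in rst_senders(SAMPLE):
        print(f"frame {frame}: RST from {sender}, client port {port}")
```
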

Hi. I am using class C internal (10. ) - didn't want to publish that. Same for public IP - just didn't want to publish. The 74.213.141.49 is the destination IP for -> https://sbsftp.benefitfocus.com/

The client is a browser (any browser). This used to work, and does from other Geo sites.

I'll upload the entire capture to dropbox when I can, wanted to answer these questions now.

Thanks!

(05 May '15, 10:26) FrankChibu
(05 May '15, 10:48) FrankChibu

Those files appear to be text exports from the captures, and as I've mentioned analysing text isn't great, as we can't use all the great facilities in Wireshark.

Can you provide the actual capture files?

(06 May '15, 08:02) grahamb ♦

Thanks for the feedback. Wireshark is pretty new to me.. how do I get the actual capture files?

Many thanks!

(06 May '15, 08:27) FrankChibu

From the menu, File |> Save.

(06 May '15, 09:01) grahamb ♦

This will include all internal and public IPs... can't do that.

Could you glean anything from an outside (working) capture only?

(06 May '15, 10:12) FrankChibu

As I mentioned above

using an anonymiser such as TraceWrangler if necessary.
(06 May '15, 11:11) grahamb ♦
(06 May '15, 12:07) FrankChibu

I have the same issue with the above mentioned website at my facility. What was involved in this case to correct the issue?

(22 Sep '15, 08:25) radionite