Intermittent ERR_SSL_PROTOCOL_ERROR
-
What is the problem if I am experiencing intermittent ERR_SSL_PROTOCOL_ERROR when I visit webpages like google.com, yahoo.com? After a minute or 3 minutes it will come back fine again.
-
You've supplied no useful information for anybody to even begin to help you. And what's with the poll 'Did this helps'??
Which version of pfSense?
What packages are installed?
Is this a consistent problem or intermittent?
etc etc etc
Don't make us have to pull information out of you like a dentist pulls a tooth.
-
I'm having exactly the same problem.
Sometimes the sites work normally and suddenly, the error starts for some sites.
After a few minutes or attempts, the situation normalizes.
PFSENSE: 2.4.3-RELEASE-p1
SQUID: 3.5.27_3
SQUIDGUARD: 1-4_15
Proxy on Transparent Mode with SSL filtering.
Splice Mode: Splice All
SSL Proxy Compatibility Mode: Modern
DHParams Key Size: 2048
In the SQUID logs, what I find strange is that when the access fails, the sequence appears:
TAG_NONE / 200
TAG_NONE / 409
-
You wouldn't be having these errors if you use PFBlockerNG DNSBL DNS filtering.
-
Can you be more specific about this?
-
Hi, I have the same problem on facebook.com, instagram.com and hootsuite.com, but I think this problem has a connection with squidGuard. Has anyone managed to fix this?
-
When you see those errors it's almost always because the clients are using a different DNS server than Squid is.
https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log
Steve
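
A triage sketch for the 200-then-409 sequence discussed in this thread, added here as an example and not part of any poster's message or of pfSense/Squid itself. It assumes Squid's native access.log layout and that the first CONNECT of an intercepted connection carries the IP the client dialed; the log lines, addresses and the 2-second pairing window are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (not from the thread).
SAMPLE_LOG = """\
1531400000.101     52 192.168.1.50 TAG_NONE/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1531400000.140      0 192.168.1.50 TAG_NONE/409 4021 CONNECT www.example.com:443 - HIER_NONE/- text/html
1531400003.300     80 192.168.1.51 TAG_NONE/200 0 CONNECT 198.51.100.7:443 - ORIGINAL_DST/198.51.100.7 -
1531400003.350    210 192.168.1.51 TCP_TUNNEL/200 5310 CONNECT shop.example.net:443 - ORIGINAL_DST/198.51.100.7 -
1531400009.000     49 192.168.1.50 TAG_NONE/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1531400009.020      0 192.168.1.50 TAG_NONE/409 4021 CONNECT www.example.com:443 - HIER_NONE/- text/html
"""

WINDOW = 2.0  # seconds; assumed maximum gap between the 200 and its 409


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_splice_409(log_text, window=WINDOW):
    """Count (client, hostname, IP the client dialed) for each 200 -> 409 pair."""
    last_ip_connect = {}  # client -> (timestamp, destination IP of the first CONNECT)
    hits = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        try:
            ts = float(f[0])
        except ValueError:
            continue  # not a native-format line
        client, result = f[2], f[3]
        host = f[6].rsplit(":", 1)[0].strip("[]")
        status = result.split("/")[-1]
        if result == "TAG_NONE/200" and _is_ip(host):
            last_ip_connect[client] = (ts, host)
        elif status == "409":
            prev = last_ip_connect.get(client)
            paired = prev is not None and 0 <= ts - prev[0] <= window
            hits[(client, host, prev[1] if paired else None)] += 1
    return hits


if __name__ == "__main__":
    for (client, host, ip), n in find_splice_409(SAMPLE_LOG).items():
        print(f"{client} {host} client-dialed={ip} count={n}")
```

For each reported hostname, compare the client-dialed address with what the resolver Squid uses returns for that name; a mismatch points at the DNS difference described above.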
-
OK, I tried. Let's see if it solves the problem; if yes I'll tell you. Tks @stephenw10
-
Tks Steve I think this problem has been solved
-
Hello @joao-nogueira
Can you tell us the steps you followed to resolve this issue? We are facing the same issue, please help us.
-
You must make sure both Squid and the clients connecting to it are using the same DNS servers.
Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.
Steve
-
@stephenw10
Can you send the steps, what and where to configure in pfSense exactly?
Thanks in advance.
-
Hi @vijay7, at that time I used the steps in the link passed by @stephenw10 above, and for a short time this problem was solved, but not resolved for good. In the last few days I have had the same problem again and did the steps again too, because I don't have a DNS server apart from pfSense. But I have another network with pfSense + DNS server and the situation is different.
Try the steps on your Pfsense:
https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log
and tell us more.
And today I am studying putting the DNS server together with pfSense.
One more piece of information:
First situation = just pfSense alone, doing the DNS job; the DNS on pfSense is configured as Resolver
Second situation = DNS server + pfSense; DNS on pfSense is configured as Forwarder
-
@stephenw10 said in Intermittent ERR_SSL_PROTOCOL_ERROR:
You must make sure both Squid and the clients connecting to it are using the same DNS servers.
Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.
Steve
Hi Steve,
I have this same problem too. Happily reading the newspaper, or amazon, or aliexpress will be working fine and then suddenly return an SSL error. If I keep refreshing or go back and forth, it will come good after a short period.
Based on your comment, I see it may potentially be my problem.
- am using unbound with VPN as default gateway
- wan is fixed as gateway for some services
- general dns's have been defined as
1.1.1.1 to VPN1
9.9.9.9 to VPN2
1.0.0.1 to VPN1
9.9.9.10 to VPN2
x.x.x.x to WAN
y.y.y.y to WAN
- VPNs defined as Tier 1 and 2 with service down
- LAN1 and LAN2 DHCP has their own interface defined as DNS
- DNS trap rule to force devices with hard code dns to DHCP interface
Despite having unbound defined to use the VPN as the outgoing, DNS queries seem to go to servers at once.
I am wondering if, based on what you said, the DNS squid is using gets a response that is different to the client.
How does one force the DNS that squid should use? Particularly in the case of the VPN fallback
thx
-
@gwaitsi you need to configure DNS address in General setup for the available WAN, VPNs, and do not configure any DNS in DHCP server settings, this will eliminate the issues.
-
I've been having the same problem ever since but I managed to make it work perfectly. Just be sure to set 127.0.0.1 as the first DNS server by unchecking the Disable DNS Forwarder in General Setup.
-
@remzej
Just want to say thanks !
This issue was driving me insane but your post was illuminating ^_^.
-
@MosfetWall
Sirs,
Sorry to open this topic again! There are several solutions but I still have the same problem. Does anyone have a solution?
-
If you are not using IPv6 try to disable AAAA access.
Services/DNS Resolver/General Settings
Under custom
server:
do-ip4: yes
prefer-ip4: yes
do-ip6: no
prefer-ip6: no
private-address: ::/0
dns64-ignore-aaaa: *.*
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0