Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Intermittent ERR_SSL_PROTOCOL_ERROR

    Cache/Proxy
    10
    17
    6037
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      Norren93 last edited by

      what is the problem if I am experiencing intermittent ERR_SSL_PROTOCOL_ERROR when I visit webpages like google.com, yahoo.com. After a minute or 3 minutes it will come back fine again?

      1 Reply Last reply Reply Quote 2
      • KOM
        KOM last edited by

        You've supplied no useful information for anybody to even begin to help you.  And what's with the poll 'Did this helps'??

        Which version of pfSense?
        What packages are installed?
        Is this a consistent problem or intermittent?
        etc etc etc

        Don't make us have to pull information out of you like a dentist pulls a tooth.

        1 Reply Last reply Reply Quote 0
        • D
          diegoblos last edited by

          I'm having exactly the same problem.

          Sometimes the sites work normally and suddenly, the error starts for some sites.
          After a few minutes or attempts, the situation normalizes.

          PFSENSE: 2.4.3-RELEASE-p1

          SQUID: 3.5.27_3
          SQUIDGUARD: 1-4_15

          Proxy on Transparent Mode with SSL filtering.

          Splice Mode: Splice All
          SSl Proxy Compability Mode: Modern
          DHParams Key Size: 2048

          In the SQUID logs, what I find strange is that when the access fails, the sequence appears:

          TAG_NONE / 200
          TAG_NONE / 409

          1 Reply Last reply Reply Quote 0
          • R
            rjabellax5 last edited by

            You wouldn't be having these errors if you use PFBlockerNG DNSBL DNS filtering.

            1 Reply Last reply Reply Quote 0
            • D
              diegoblos last edited by

              Can you be more specific about this?

              1 Reply Last reply Reply Quote 0
              • J
                joao.nogueira last edited by

                Hi i have the same problem in facebook.com instagram.com and hootsuite.com, but i think this problem has connection with the squidguard, anyone managed to fix this?

                1 Reply Last reply Reply Quote 0
                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  When you see those errors it's almost always because the clients are using a different DNS server that Squid is.

                  https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log

                  Steve

                  1 Reply Last reply Reply Quote 2
                  • J
                    joao.nogueira last edited by

                    Ok i tried, let's see if it solves the problem, if yes i tell you, tks @stephenw10

                    1 Reply Last reply Reply Quote 0
                    • J
                      joao.nogueira last edited by

                      Tks Steve I think this problem has been solved

                      1 Reply Last reply Reply Quote 0
                      • V
                        vijay7 last edited by

                        Hello @joao-nogueira
                        Can you tell the steps you have followed to resolve this issue, we are facing the same issue, please help us.

                        1 Reply Last reply Reply Quote 0
                        • stephenw10
                          stephenw10 Netgate Administrator last edited by

                          You must make sure both Squid and the clients connecting to it are using the same DNS servers.
                          Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

                          Steve

                          V G 2 Replies Last reply Reply Quote 0
                          • V
                            vijay7 @stephenw10 last edited by

                            @stephenw10
                            can you send the steps what and where to configure in pfsense exactly?

                            thanks in advance.

                            1 Reply Last reply Reply Quote 0
                            • J
                              joao.nogueira last edited by joao.nogueira

                              Hi @vijay7 on those time I used the step on the link passed by @stephenw10 above, and for a short time this problem has been solved, but not resolved for always, in the last days I have the same problem again and make the steps again too, cause I don't have one DNS server without Pfsense. But I have another network with Pfsense + DNS Server and the situation is different.
                              Try the steps on your Pfsense:
                              https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log
                              and tell us more

                              And today I am studying put the DNS Server together Pfsense.
                              One more information about:
                              First situation = Just Pfsense alone, and make a job DNS, the DNS on Pfsense is configuring how Resolver

                              fa249435-5e6c-4d6a-8a53-218ce7566582-image.png

                              Second situation = DNS Server + Pfsense, DNS on Pfsense is configuring how Forwarder
                              f5cdc497-5407-4244-aa61-694747c2e3dc-image.png

                              1 Reply Last reply Reply Quote 0
                              • G
                                gwaitsi @stephenw10 last edited by

                                @stephenw10

                                @stephenw10 said in Intermittent ERR_SSL_PROTOCOL_ERROR:

                                You must make sure both Squid and the clients connecting to it are using the same DNS servers.
                                Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

                                Steve

                                Hi Steve,

                                i have this same problem too. Happy reading the newspaper, or amazon, or aliexpress will be working fine and then suddenly return an SSL error. If i keep refreshing or go back and forth, it will come good after a short period.

                                Based on your comment, i see it may potentially be my problem.

                                • am using unbound with VPN as default gateway
                                • wan is fixed as gateway for some services
                                • general dns's have been defined as
                                  1.1.1.1 to VPN1
                                  9.9.9.9 to VPN2
                                  1.0.0.1 to VPN1
                                  9.9.9.10 to VPN2
                                  x.x.x.x to WAN
                                  y.y.y.y to WAN
                                • VPNs defined as Tier 1 and 2 with service down
                                • LAN1 and LAN2 DHCP has their own interface defined as DNS
                                • DNS trap rule to force devices with hard code dns to DHCP interface

                                Despite have unbound defined to use the VPN as the outgoing, DNS queries seem to go to servers at once.
                                I am wondering if based on what you said, the DNS squid is using get a response that is different to the client.

                                How does one force the DNS that squid should use. Particularly in the case of the VPN fallback

                                thx

                                1 Reply Last reply Reply Quote 0
                                • V
                                  vijay7 last edited by

                                  @gwaitsi you need to configure DNS address in General setup for the available WAN, VPNs, and do not configure any DNS in DHCP server settings, this will eliminate the issues.

                                  1 Reply Last reply Reply Quote 0
                                  • R
                                    remzej last edited by

                                    I've been having the same problem ever since but I managed to make it work perfectly. Just be sure to set 127.0.0.1 as the first DNS server by unchecking the Disable DNS Forwarder in General Setup.

                                    M 1 Reply Last reply Reply Quote 0
                                    • M
                                      MosfetWall @remzej last edited by

                                      @remzej
                                      Just want to say thanks !
                                      This issue was driving me insane but your post was illuminating ^_^.

                                      1 Reply Last reply Reply Quote 0
                                      • Referenced by  L letarch 
                                      • Referenced by  L letarch 
                                      • Referenced by  L letarch 
                                      • First post
                                        Last post