Intermittent ERR_SSL_PROTOCOL_ERROR

Norren93 · May 11, 2018, 6:27 AM

what is the problem if I am experiencing intermittent ERR_SSL_PROTOCOL_ERROR when I visit webpages like google.com, yahoo.com. After a minute or 3 minutes it will come back fine again?

KOM · May 11, 2018, 1:25 PM

You've supplied no useful information for anybody to even begin to help you. And what's with the poll 'Did this helps'??

Which version of pfSense?
What packages are installed?
Is this a consistent problem or intermittent?
etc etc etc

Don't make us have to pull information out of you like a dentist pulls a tooth.

diegoblos · Aug 1, 2018, 1:27 PM

I'm having exactly the same problem.

Sometimes the sites work normally and suddenly, the error starts for some sites.
After a few minutes or attempts, the situation normalizes.

PFSENSE: 2.4.3-RELEASE-p1

SQUID: 3.5.27_3
SQUIDGUARD: 1-4_15

Proxy on Transparent Mode with SSL filtering.

Splice Mode: Splice All
SSl Proxy Compability Mode: Modern
DHParams Key Size: 2048

In the SQUID logs, what I find strange is that when the access fails, the sequence appears:

TAG_NONE / 200
TAG_NONE / 409

rjabellax5 · Aug 2, 2018, 8:31 AM

You wouldn't be having these errors if you use PFBlockerNG DNSBL DNS filtering.

diegoblos · Aug 2, 2018, 12:14 PM

Can you be more specific about this?

joao.nogueira · Sep 21, 2018, 5:37 PM

Hi i have the same problem in facebook.com instagram.com and hootsuite.com, but i think this problem has connection with the squidguard, anyone managed to fix this?

stephenw10 · Sep 21, 2018, 7:50 PM

When you see those errors it's almost always because the clients are using a different DNS server that Squid is.

https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log

Steve

joao.nogueira · Sep 23, 2018, 3:45 PM

Ok i tried, let's see if it solves the problem, if yes i tell you, tks @stephenw10

joao.nogueira · Oct 5, 2018, 6:23 PM

Tks Steve I think this problem has been solved

vijay7 · Aug 5, 2019, 10:00 AM

Hello @joao-nogueira
Can you tell the steps you have followed to resolve this issue, we are facing the same issue, please help us.

stephenw10 · Aug 5, 2019, 1:16 PM

You must make sure both Squid and the clients connecting to it are using the same DNS servers.
Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

Steve

vijay7 · Aug 5, 2019, 1:52 PM

@stephenw10
can you send the steps what and where to configure in pfsense exactly?

thanks in advance.

joao.nogueira · Aug 5, 2019, 1:55 PM

Hi @vijay7 on those time I used the step on the link passed by @stephenw10 above, and for a short time this problem has been solved, but not resolved for always, in the last days I have the same problem again and make the steps again too, cause I don't have one DNS server without Pfsense. But I have another network with Pfsense + DNS Server and the situation is different.
Try the steps on your Pfsense:
https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log
and tell us more

And today I am studying put the DNS Server together Pfsense.
One more information about:
First situation = Just Pfsense alone, and make a job DNS, the DNS on Pfsense is configuring how Resolver

Second situation = DNS Server + Pfsense, DNS on Pfsense is configuring how Forwarder

4o4rh · Sep 11, 2019, 3:49 PM

@stephenw10

@stephenw10 said in Intermittent ERR_SSL_PROTOCOL_ERROR:

You must make sure both Squid and the clients connecting to it are using the same DNS servers.
Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

Steve

Hi Steve,

i have this same problem too. Happy reading the newspaper, or amazon, or aliexpress will be working fine and then suddenly return an SSL error. If i keep refreshing or go back and forth, it will come good after a short period.

Based on your comment, i see it may potentially be my problem.

am using unbound with VPN as default gateway
wan is fixed as gateway for some services
general dns's have been defined as
1.1.1.1 to VPN1
9.9.9.9 to VPN2
1.0.0.1 to VPN1
9.9.9.10 to VPN2
x.x.x.x to WAN
y.y.y.y to WAN
VPNs defined as Tier 1 and 2 with service down
LAN1 and LAN2 DHCP has their own interface defined as DNS
DNS trap rule to force devices with hard code dns to DHCP interface

Despite have unbound defined to use the VPN as the outgoing, DNS queries seem to go to servers at once.
I am wondering if based on what you said, the DNS squid is using get a response that is different to the client.

How does one force the DNS that squid should use. Particularly in the case of the VPN fallback

thx

vijay7 · Sep 11, 2019, 5:36 PM

@gwaitsi you need to configure DNS address in General setup for the available WAN, VPNs, and do not configure any DNS in DHCP server settings, this will eliminate the issues.

remzej · Dec 3, 2019, 9:07 AM

I've been having the same problem ever since but I managed to make it work perfectly. Just be sure to set 127.0.0.1 as the first DNS server by unchecking the Disable DNS Forwarder in General Setup.

MosfetWall · Dec 3, 2019, 9:07 AM

@remzej
Just want to say thanks !
This issue was driving me insane but your post was illuminating ^_^.

wendel_gt · Oct 31, 2023, 1:38 PM

@MosfetWall
Sirs,

Sorry to open this topic again! There are several solutions but I still have the same problem. Does anyone have a solution?

JonathanLee · Nov 1, 2023, 5:05 PM

If you are not using IPv6 try to disable AAAA access.

Services/DNS Resolver/General Settings

Under custom

server:
do-ip4: yes
prefer-ip4: yes
do-ip6: no
prefer-ip6: no
private-address: ::/0
dns64-ignore-aaaa: *.*
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0