Intermittent ERR_SSL_PROTOCOL_ERROR

Norren93

what is the problem if I am experiencing intermittent ERR_SSL_PROTOCOL_ERROR when I visit webpages like google.com, yahoo.com. After a minute or 3 minutes it will come back fine again?

KOM

You've supplied no useful information for anybody to even begin to help you.  And what's with the poll 'Did this helps'??

Which version of pfSense?
What packages are installed?
Is this a consistent problem or intermittent?
etc etc etc

Don't make us have to pull information out of you like a dentist pulls a tooth.

diegoblos

I'm having exactly the same problem.

Sometimes the sites work normally and suddenly, the error starts for some sites.
After a few minutes or attempts, the situation normalizes.

PFSENSE: 2.4.3-RELEASE-p1

SQUID: 3.5.27_3
SQUIDGUARD: 1-4_15

Proxy on Transparent Mode with SSL filtering.

Splice Mode: Splice All
SSl Proxy Compability Mode: Modern
DHParams Key Size: 2048

In the SQUID logs, what I find strange is that when the access fails, the sequence appears:

TAG_NONE / 200
TAG_NONE / 409

rjabellax5

You wouldn't be having these errors if you use PFBlockerNG DNSBL DNS filtering.

diegoblos

Can you be more specific about this?

joao.nogueira

Hi i have the same problem in facebook.com instagram.com and hootsuite.com, but i think this problem has connection with the squidguard, anyone managed to fix this?

stephenw10

When you see those errors it's almost always because the clients are using a different DNS server that Squid is.

https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log

Steve

joao.nogueira

Ok i tried, let's see if it solves the problem, if yes i tell you, tks @stephenw10

joao.nogueira

Tks Steve I think this problem has been solved

vijay7

Hello @joao-nogueira
Can you tell the steps you have followed to resolve this issue, we are facing the same issue, please help us.

stephenw10

You must make sure both Squid and the clients connecting to it are using the same DNS servers.
Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

Steve

vijay7

@stephenw10
can you send the steps what and where to configure in pfsense exactly?

thanks in advance.

joao.nogueira

Hi @vijay7 on those time I used the step on the link passed by @stephenw10 above, and for a short time this problem has been solved, but not resolved for always, in the last days I have the same problem again and make the steps again too, cause I don't have one DNS server without Pfsense. But I have another network with Pfsense + DNS Server and the situation is different.
Try the steps on your Pfsense:
https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log
and tell us more

And today I am studying put the DNS Server together Pfsense.
One more information about:
First situation = Just Pfsense alone, and make a job DNS, the DNS on Pfsense is configuring how Resolver

Second situation = DNS Server + Pfsense, DNS on Pfsense is configuring how Forwarder

gwaitsi

@stephenw10

@stephenw10 said in Intermittent ERR_SSL_PROTOCOL_ERROR:

You must make sure both Squid and the clients connecting to it are using the same DNS servers.
Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

Steve

Hi Steve,

i have this same problem too. Happy reading the newspaper, or amazon, or aliexpress will be working fine and then suddenly return an SSL error. If i keep refreshing or go back and forth, it will come good after a short period.

Based on your comment, i see it may potentially be my problem.

• am using unbound with VPN as default gateway
• wan is fixed as gateway for some services
• general dns's have been defined as
  1.1.1.1 to VPN1
  9.9.9.9 to VPN2
  1.0.0.1 to VPN1
  9.9.9.10 to VPN2
  x.x.x.x to WAN
  y.y.y.y to WAN
• VPNs defined as Tier 1 and 2 with service down
• LAN1 and LAN2 DHCP has their own interface defined as DNS
• DNS trap rule to force devices with hard code dns to DHCP interface

Despite have unbound defined to use the VPN as the outgoing, DNS queries seem to go to servers at once.
I am wondering if based on what you said, the DNS squid is using get a response that is different to the client.

How does one force the DNS that squid should use. Particularly in the case of the VPN fallback

thx

vijay7

@gwaitsi you need to configure DNS address in General setup for the available WAN, VPNs, and do not configure any DNS in DHCP server settings, this will eliminate the issues.

remzej

I've been having the same problem ever since but I managed to make it work perfectly. Just be sure to set 127.0.0.1 as the first DNS server by unchecking the Disable DNS Forwarder in General Setup.

MosfetWall

@remzej
Just want to say thanks !
This issue was driving me insane but your post was illuminating ^_^.