Netgate Discussion Forum

Intermittent ERR_SSL_PROTOCOL_ERROR

Cache/Proxy
    Norren93
    last edited by May 11, 2018, 6:27 AM

    What is the problem if I am experiencing intermittent ERR_SSL_PROTOCOL_ERROR when I visit webpages like google.com, yahoo.com? After a minute or 3 minutes it will come back fine again.

      KOM
      last edited by May 11, 2018, 1:25 PM

      You've supplied no useful information for anybody to even begin to help you.  And what's with the poll 'Did this helps'??

      Which version of pfSense?
      What packages are installed?
      Is this a consistent problem or intermittent?
      etc etc etc

      Don't make us have to pull information out of you like a dentist pulls a tooth.

        diegoblos
        last edited by Aug 1, 2018, 1:27 PM

        I'm having exactly the same problem.

        Sometimes the sites work normally and suddenly, the error starts for some sites.
        After a few minutes or attempts, the situation normalizes.

        PFSENSE: 2.4.3-RELEASE-p1

        SQUID: 3.5.27_3
        SQUIDGUARD: 1-4_15

        Proxy on Transparent Mode with SSL filtering.

        Splice Mode: Splice All
        SSL Proxy Compatibility Mode: Modern
        DHParams Key Size: 2048

        In the SQUID logs, what I find strange is that when the access fails, the sequence appears:

        TAG_NONE / 200
        TAG_NONE / 409

          rjabellax5
          last edited by Aug 2, 2018, 8:31 AM

          You wouldn't be having these errors if you use PFBlockerNG DNSBL DNS filtering.

            diegoblos
            last edited by Aug 2, 2018, 12:14 PM

            Can you be more specific about this?

              joao.nogueira
              last edited by Sep 21, 2018, 5:37 PM

              Hi, I have the same problem with facebook.com, instagram.com and hootsuite.com, but I think this problem has a connection with SquidGuard. Has anyone managed to fix this?

                stephenw10 Netgate Administrator
                last edited by Sep 21, 2018, 7:50 PM

                When you see those errors it's almost always because the clients are using a different DNS server than Squid is.

                https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log

                Steve

                  joao.nogueira
                  last edited by Sep 23, 2018, 3:45 PM

                  OK, I tried it; let's see if it solves the problem. If yes, I will tell you. Thanks @stephenw10

                    joao.nogueira
                    last edited by Oct 5, 2018, 6:23 PM

                    Thanks Steve, I think this problem has been solved.

                      vijay7
                      last edited by Aug 5, 2019, 10:00 AM

                      Hello @joao-nogueira
                      Can you tell us the steps you followed to resolve this issue? We are facing the same issue, please help us.

                        stephenw10 Netgate Administrator
                        last edited by Aug 5, 2019, 1:16 PM

                        You must make sure both Squid and the clients connecting to it are using the same DNS servers.
                        Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

                        Steve

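An added example, not part of the thread and not pfSense or Squid code: a Python check that finds the `TAG_NONE/200` then `TAG_NONE/409` sequence reported above in access.log and tests whether the address the client dialed is among the addresses Squid's resolver returns for that hostname. The log lines, hostnames and resolver answers are constructed, and it assumes the native access.log layout in which the first intercepted CONNECT logs the bare destination IP.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log layout (not taken from the thread).
SAMPLE_LOG = """\
1533130021.101     12 192.168.1.50 TAG_NONE/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1533130021.109      0 192.168.1.50 TAG_NONE/409 4085 CONNECT www.example.com:443 - HIER_NONE/- text/html
1533130025.440     15 192.168.1.51 TAG_NONE/200 0 CONNECT 198.51.100.7:443 - ORIGINAL_DST/198.51.100.7 -
1533130025.950    502 192.168.1.51 TCP_TUNNEL/200 5120 CONNECT shop.example.net:443 - ORIGINAL_DST/198.51.100.7 -
"""

# Constructed stand-in for the answers Squid's resolver gives; a live check
# would query that resolver (Unbound on pfSense by default) instead.
SQUID_DNS_VIEW = {
    "www.example.com": {"203.0.113.20", "203.0.113.21"},
    "shop.example.net": {"198.51.100.7"},
}

def is_ip(text):
    """True when text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def find_409_mismatches(log_text, squid_view):
    """Pair each TAG_NONE/409 CONNECT with the IP the same client dialed just before it."""
    last_dialed = {}  # client IP -> destination IP of its latest CONNECT to a bare address
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        client, result, target = fields[2], fields[3], fields[6]
        host = target.rsplit(":", 1)[0].strip("[]")
        if is_ip(host):
            last_dialed[client] = host
        elif result == "TAG_NONE/409":
            dialed = last_dialed.get(client)
            answers = squid_view.get(host, set())
            findings.append({
                "client": client, "host": host, "client_dialed": dialed,
                "squid_resolves": sorted(answers),
                # True means the client and Squid disagree on where this name lives.
                "dns_mismatch": dialed is not None and dialed not in answers,
            })
    return findings
```

A finding with `dns_mismatch` set points at the client and Squid using different resolvers (or getting different answers from the same one), which is the condition the post above says to eliminate.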
                          vijay7 @stephenw10
                          last edited by Aug 5, 2019, 1:52 PM

                          @stephenw10
                          Can you send the steps, what and where to configure in pfSense exactly?

                          thanks in advance.

                            joao.nogueira
                            last edited by joao.nogueira Aug 5, 2019, 1:55 PM Aug 5, 2019, 1:54 PM

                            Hi @vijay7, at that time I used the steps in the link passed by @stephenw10 above, and for a short time this problem was solved, but not resolved for good. In the last few days I have had the same problem again and did the steps again too, because I don't have a DNS server other than pfSense. But I have another network with pfSense + DNS server and the situation is different.
                            Try the steps on your pfSense:
                            https://www.netgate.com/docs/pfsense/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log
                            and tell us more.

                            And today I am studying putting the DNS server together with pfSense.
                            One more piece of information:
                            First situation = just pfSense alone, doing the DNS job; the DNS on pfSense is configured as Resolver

                            Second situation = DNS server + pfSense; DNS on pfSense is configured as Forwarder

                              4o4rh @stephenw10
                              last edited by Sep 11, 2019, 3:49 PM

                              @stephenw10

                              @stephenw10 said in Intermittent ERR_SSL_PROTOCOL_ERROR:

                              You must make sure both Squid and the clients connecting to it are using the same DNS servers.
                              Squid uses Unbound in pfSense by default but if the clients are not using that you can configure Squid to use whatever the clients are using.

                              Steve

                              Hi Steve,

                              I have this same problem too. Happily reading the newspaper, or Amazon, or AliExpress will be working fine and then suddenly return an SSL error. If I keep refreshing or go back and forth, it will come good after a short period.

                              Based on your comment, I see it may potentially be my problem.

                              • am using unbound with VPN as default gateway
                              • wan is fixed as gateway for some services
                              • general dns's have been defined as
                                1.1.1.1 to VPN1
                                9.9.9.9 to VPN2
                                1.0.0.1 to VPN1
                                9.9.9.10 to VPN2
                                x.x.x.x to WAN
                                y.y.y.y to WAN
                              • VPNs defined as Tier 1 and 2 with service down
                              • LAN1 and LAN2 DHCP has their own interface defined as DNS
                              • DNS trap rule to force devices with hard code dns to DHCP interface

                              Despite having Unbound defined to use the VPN as the outgoing, DNS queries seem to go to servers at once.
                              I am wondering if, based on what you said, the DNS Squid is using gets a response that is different to the client.

                              How does one force the DNS that Squid should use? Particularly in the case of the VPN fallback.

                              thx

                                vijay7
                                last edited by Sep 11, 2019, 5:36 PM

                                @gwaitsi you need to configure DNS address in General setup for the available WAN, VPNs, and do not configure any DNS in DHCP server settings, this will eliminate the issues.

                                  remzej
                                  last edited by Oct 27, 2019, 3:15 PM

                                  I've been having the same problem ever since but I managed to make it work perfectly. Just be sure to set 127.0.0.1 as the first DNS server by unchecking the Disable DNS Forwarder in General Setup.

                                    MosfetWall @remzej
                                    last edited by Dec 3, 2019, 9:07 AM

                                    @remzej
                                    Just want to say thanks !
                                    This issue was driving me insane but your post was illuminating ^_^.

                                      wendel_gt @MosfetWall
                                      last edited by Oct 31, 2023, 1:38 PM

                                      @MosfetWall
                                      Sirs,

                                      Sorry to open this topic again! There are several solutions but I still have the same problem. Does anyone have a solution?

                                        JonathanLee
                                        last edited by Nov 1, 2023, 5:05 PM

                                        If you are not using IPv6 try to disable AAAA access.

                                        Services/DNS Resolver/General Settings

                                        Under custom

                                        server:
                                        do-ip4: yes
                                        prefer-ip4: yes
                                        do-ip6: no
                                        prefer-ip6: no
                                        private-address: ::/0
                                        dns64-ignore-aaaa: *.*
                                        do-not-query-address: ::
                                        do-not-query-address: ::1
                                        do-not-query-address: ::/0
                                        


                                        Make sure to upvote

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.