Backup fails with SSL or certificate error during certificate validation behind pfsense firewall


  • LAYER 8

    Am using Druva InSync remote backup to cloud and it fails to backup the clients behind pfsense firewall.

    From the logs, it seems that inSync client is not able to validate the SSL certificate that inSync cloud sends. We found that the inSync client is sending "Client Hello." packet but it is not receiving "Server Hello" packet.
    Server Hello" packet is the one in which the inSync cloud sends the certificate and post then the inSync client will trust the same and then will proceed with the data transfer.
    The backup runs on TCP SSL port 80 .

    Can someone help me resolve this



  • where did you perform the packet capture?
    Start by replicating the issue and performing a packet capture as far from the client as possible, and work your way in. For example:
    Client -> PFSense -> InSync Cloud
    Perform a packet capture and verify you see client AND server hellos between PFS and InSync cloud (On WAN interface). Next, perform a packet captrure between PFSense and the client (On LAN interface). Verify if client/server hellos are also present.

    Client and Server Hellos
    If present on WAN and not LAN, there is a rule blocking traffic somewhere. Verify Firewall rules, IDS/IPS, geo-protection, and NAT.
    If not present on WAN nor LAN, verify you're not attempting to access the service from a blocked IP. This is usually common when accessing services via a VPN provider. Things to check for in this case:
    -Confirm connectivity to the InSync Cloud. Ping, https, etc. anything to confirm you can communicate with the service
    -Verify client configuration for the backup is correct. I'm not familiar with this particular service, so perhaps the client config has a typo in the user/password, is configured to target an incorrect server, or the application may be throwing event logs explaining the issue.
    -Lastly, and probably not the case, Take the proposed cipher list from the client hello packet and confirm with InSync that they're configured to accept any of them.


Log in to reply