Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Backup fails with SSL or certificate error during certificate validation behind pfsense firewall

    Firewalling
    2
    2
    211
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      philipo LAYER 8
      last edited by

      Am using Druva InSync remote backup to cloud and it fails to backup the clients behind pfsense firewall.

      From the logs, it seems that inSync client is not able to validate the SSL certificate that inSync cloud sends. We found that the inSync client is sending "Client Hello." packet but it is not receiving "Server Hello" packet.
      Server Hello" packet is the one in which the inSync cloud sends the certificate and post then the inSync client will trust the same and then will proceed with the data transfer.
      The backup runs on TCP SSL port 80 .

      Can someone help me resolve this

      1 Reply Last reply Reply Quote 0
      • I
        isolatedvirus
        last edited by

        where did you perform the packet capture?
        Start by replicating the issue and performing a packet capture as far from the client as possible, and work your way in. For example:
        Client -> PFSense -> InSync Cloud
        Perform a packet capture and verify you see client AND server hellos between PFS and InSync cloud (On WAN interface). Next, perform a packet captrure between PFSense and the client (On LAN interface). Verify if client/server hellos are also present.

        Client and Server Hellos
        If present on WAN and not LAN, there is a rule blocking traffic somewhere. Verify Firewall rules, IDS/IPS, geo-protection, and NAT.
        If not present on WAN nor LAN, verify you're not attempting to access the service from a blocked IP. This is usually common when accessing services via a VPN provider. Things to check for in this case:
        -Confirm connectivity to the InSync Cloud. Ping, https, etc. anything to confirm you can communicate with the service
        -Verify client configuration for the backup is correct. I'm not familiar with this particular service, so perhaps the client config has a typo in the user/password, is configured to target an incorrect server, or the application may be throwing event logs explaining the issue.
        -Lastly, and probably not the case, Take the proposed cipher list from the client hello packet and confirm with InSync that they're configured to accept any of them.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.