Netgate Discussion Forum

Backup fails with SSL or certificate error during certificate validation behind pfsense firewall

  • P
    philipo LAYER 8
    last edited by Feb 11, 2019, 8:45 AM

    I am using Druva InSync remote backup to cloud, and it fails to back up the clients behind the pfSense firewall.

    From the logs, it seems that the inSync client is not able to validate the SSL certificate that the inSync cloud sends. We found that the inSync client is sending the "Client Hello" packet but it is not receiving the "Server Hello" packet.
    The "Server Hello" packet is the one in which the inSync cloud sends the certificate; after that, the inSync client will trust it and then proceed with the data transfer.
    The backup runs on TCP SSL port 80.

    Can someone help me resolve this?

    • I
      isolatedvirus
      last edited by Feb 21, 2019, 5:34 AM

      Where did you perform the packet capture?
      Start by replicating the issue and performing a packet capture as far from the client as possible, and work your way in. For example:
      Client -> PFSense -> InSync Cloud
      Perform a packet capture and verify you see client AND server hellos between PFS and InSync cloud (on the WAN interface). Next, perform a packet capture between PFSense and the client (on the LAN interface). Verify whether client/server hellos are also present.

      Client and Server Hellos
      If present on WAN and not LAN, there is a rule blocking traffic somewhere. Verify Firewall rules, IDS/IPS, geo-protection, and NAT.
      If present on neither WAN nor LAN, verify you're not attempting to access the service from a blocked IP. This is usually common when accessing services via a VPN provider. Things to check for in this case:
      - Confirm connectivity to the InSync Cloud. Ping, https, etc., anything to confirm you can communicate with the service.
      - Verify client configuration for the backup is correct. I'm not familiar with this particular service, so perhaps the client config has a typo in the user/password, is configured to target an incorrect server, or the application may be throwing event logs explaining the issue.
      - Lastly, and probably not the case, take the proposed cipher list from the client hello packet and confirm with InSync that they're configured to accept any of them.

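The WAN/LAN comparison described in the reply above, as an added example that is not part of the original posts: it walks the TLS records in TCP payloads exported from each capture point, notes which handshake messages appear, and maps the result to the checks the reply lists. The function names, result labels and sample bytes are constructed for illustration, and payloads are assumed to be already reassembled per connection.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 0x16, 0x14   # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2            # TLS handshake message types

def handshake_types(stream: bytes) -> set:
    """Return the cleartext handshake message types found in a TCP payload."""
    seen, pos = set(), 0
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5 : pos + 5 + rlen]
        pos += 5 + rlen
        if ctype == CHANGE_CIPHER_SPEC:
            break                            # later handshake records are encrypted
        if ctype != HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(body):          # 1-byte type + 3-byte length per message
            seen.add(body[off])
            off += 4 + int.from_bytes(body[off + 1 : off + 4], "big")
    return seen

def both_hellos(payloads) -> bool:
    seen = set().union(*(handshake_types(p) for p in payloads))
    return {CLIENT_HELLO, SERVER_HELLO} <= seen

def diagnose(wan_payloads, lan_payloads) -> str:
    """Map hello presence on each interface to the checks listed in the reply."""
    wan, lan = both_hellos(wan_payloads), both_hellos(lan_payloads)
    if wan and not lan:
        return "BLOCKED_INSIDE"    # firewall rules, IDS/IPS, geo-protection, NAT
    if not wan and not lan:
        return "NO_EXCHANGE"       # blocked source IP, connectivity, client config, ciphers
    if wan and lan:
        return "HANDSHAKE_PASSES"  # both hellos reach the client
    return "INCONSISTENT"          # hellos on LAN only: repeat the captures

# Constructed sample records (dummy bodies, not real captures).
def record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def message(mtype: int, body: bytes = b"\x00" * 8) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

CH = record(HANDSHAKE, message(CLIENT_HELLO))
SH = record(HANDSHAKE, message(SERVER_HELLO) + message(11))  # 11 = Certificate

if __name__ == "__main__":
    print(diagnose([CH, SH], [CH]))   # Server Hello seen on WAN but never on LAN
```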