Users at a remote site unable to get to our VPN. SSL negotiation failed. Reason: Unknown Protocol

New Contributor

We have some people that are at a remote site and unable to access our VPN. They are able to get to the internet, but when they go to the URL to log into the VPN they just get a generic browser error saying "Internet Explorer cannot display the webpage".

When we look in our logs, I see the following entry when they attempt to hit the VPN page:

PulseSecure: 2016-04-28 21:26:34 - ive - [XXX.XXX.XXX.XXX] System()[] - SSL negotiation failed while client at source IP 'XXX.XXX.XXX.XXX' was trying to connect to 'XXX.XXX.XXX.XXX'. Reason: 'unknown protocol'

(The IPs were intentionally X'd out).

Our allowed SSL and TLS Version setting is "Accept only TLS 1.1 and later". I did confirm that in the Internet Explorer Internet Options that they have Use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 selected in the Advanced settings.

The issue is limited only to people at a specific remote site. Everyone else seems to be able to access the VPN just fine. We also had the people having issues try 2 of our other SSL VPN appliances and they are having exactly the same issue. All of the SSL VPNs are configured the same way.

Would anyone have a clue what might be causing this error?

Our PulseSecure System Info:
Model: SA-4500
Current Version: 8.1R6 (build 39491)

Thank you!
3 REPLIES
ruc
Pulser

Re: Users at a remote site unable to get to our VPN. SSL negotiation failed. Reason: Unknown Protocol

My guess is that there may be an explicit proxy or transparent proxy that is brokering connections between the users and the Pulse gateway device, and this intermediate device is probably not using a TLS version or cipher suite that is allowed on your Pulse Gateway.

The only way to find the root cause is to start a tcpdump on the PCS gateway (under Admin GUI > Troubleshooting) and then have a user attempt a connection (use a filter for the user's source IP so the trace is not overwhelming). Once the issue is replicated, stop the tcpdump and view it using the SSLdump option. This will show the actual TLS handshake and why it failed.

Hope this helps
New Contributor

Re: Users at a remote site unable to get to our VPN. SSL negotiation failed. Reason: Unknown Protocol

Thank you for the response! This helps to confirm what one of our engineers thought was going on. We'll run that tcpdump to verify.
Moderator

Re: Users at a remote site unable to get to our VPN. SSL negotiation failed. Reason: Unknown Protocol

To help rule in/out a proxy or other issue on that site network, do they have a local appliance that they can test with that has SSLv3 and higher enabled OR do you have a VM server that you can put a sample virtual appliance on for testing?

Are you using the default cipher suite or have you customized that? If you have it customized, and the TCP dump/SSLDump view will help confirm this as a failure point, do you have RC4 disabled?
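As an added example (not code from the thread or from Pulse Secure), the check below does by hand what the tcpdump/ssldump review described above is meant to reveal: it inspects the first client-to-server bytes of a captured connection and reports whether they are a TLS ClientHello (with its version and whether it offers only RC4 suites), an SSLv2-style hello, or plaintext HTTP such as a proxy forwarding the request unencrypted, then says whether a listener set to "TLS 1.1 and later" with RC4 disabled would accept it. The sample captures, the `vpn.example.invalid` host name and the `acceptable()` policy helper are constructed for illustration.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
RC4_SUITES = {0x0004, 0x0005, 0xC002, 0xC007, 0xC011}  # IANA cipher suite ids that use RC4

def parse_client_hello(body: bytes) -> dict:
    """Parse a TLS handshake message that must be a ClientHello (HandshakeType 1)."""
    if len(body) < 38 or body[0] != 0x01:
        return {"kind": "tls-not-client-hello"}
    client_version = struct.unpack("!H", body[4:6])[0]   # after type(1) + length(3)
    pos = 6 + 32                                          # skip the 32-byte client random
    sid_len = body[pos]; pos += 1 + sid_len               # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"kind": "tls-client-hello", "version": TLS_VERSIONS.get(client_version, hex(client_version)),
            "suites": suites, "rc4_only": bool(suites) and all(s in RC4_SUITES for s in suites)}

def classify_first_bytes(data: bytes) -> dict:
    """Classify what a TLS listener saw as the first bytes sent by the client."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record header: content type 22 (handshake), 2-byte version, 2-byte length
        rec_len = struct.unpack("!H", data[3:5])[0]
        return parse_client_hello(data[5:5 + rec_len])
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record: 2-byte length with the high bit set, then msg type 1 (CLIENT-HELLO)
        return {"kind": "sslv2-client-hello"}
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"CONNECT"):
        # Plaintext HTTP on the TLS port, e.g. a proxy forwarding the request unencrypted
        return {"kind": "plaintext-http"}
    return {"kind": "unknown"}

def acceptable(result: dict, min_version: str = "TLSv1.1") -> bool:
    """Would a listener set to 'TLS 1.1 and later' with RC4 disabled accept this hello?"""
    order = list(TLS_VERSIONS.values())
    return (result["kind"] == "tls-client-hello" and result["version"] in order
            and order.index(result["version"]) >= order.index(min_version) and not result["rc4_only"])

def _hello(version: int, suites: list) -> bytes:
    """Build a minimal constructed ClientHello record (empty session id, null compression)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLES = {  # constructed captures, not taken from the thread
    "good_tls12": _hello(0x0303, [0xC02F, 0x002F]),
    "rc4_only_tls12": _hello(0x0303, [0x0005, 0x0004]),
    "old_tls10": _hello(0x0301, [0x002F]),
    "sslv2": b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10" + bytes(35),
    "proxy_plaintext": b"GET / HTTP/1.1\r\nHost: vpn.example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify_first_bytes(data)
        print(f"{name:16} {r['kind']:20} version={r.get('version', '-'):8} accepted={acceptable(r)}")
```

The `plaintext-http` and `sslv2-client-hello` outcomes are the ones a TLS-only listener cannot negotiate at all, which is the situation to look for first in the ssldump view when the log says "unknown protocol".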