Bizarre HTTPS issues...

TechLarry

Ok, I'm stumped...

Running Vista Ultimate. For some reason, several of the HTTPS sites I access will not load in IE.

But some do.

These are corporate sites so I can't really provide examples, unfortunately.

I had the same issue with XP.

I have no software firewalls. No third-party Spyware apps running.

Funny thing is, if I load up VPC, and try to access the sites from there (on the SAME computer), the sites are accessible fine.

The only common item I can think of between the XP and Vista loads where the issue exists is NOD32.

The VPC host has SAV instead of NOD32.

Is there something in NOD32 that can block access to _certain_ https sites?
 
When I have had similar HTTPS issues in the past, it was NAT that caused the problem.
 
Hmmm... Always been NAT here, but I don't recall if the issue started when I installed the DLink DGL-4300.

Plus, that would not explain why the WinXP running under VirtualPC works fine. It hits the same router.

Why would it block some HTTPS and not others?
 
Maybe IE7 is trying to validate the site's SSL cert via OCSP but can't.. Have you tried disabling OCSP?
 
Hey, that's a damned fine idea! Now that you mention it, I think the affected sites that fail do normally bring up certificate windows first. Hmmm.....

The VPC host XP is indeed running IE6.

I'll take a look!

Thanks :)
 
Ok, can't find it. Where is this setting? Help system came up bust too.

Thanks

 
Ugh. Sorry for the newbie move. Dayum....

I forgot to mention the issue exists with IE or Firefox.

Sorry :(
 
The last time I ran into this problem, the firewalls were a CheckPoint NGX R65 cluster. One of the nodes had a conflicting IP address which caused NAT to behave erratically and randomly drop packets. I know you're not running CheckPoint, but just some added info for you.
 
As a matter of fact, I do have CheckPoint SecureRemote running so I can access the firm firewalled products.

However, the VPC WinXP host also has SecureClient running.

That's what is really confusing about all of this. The VPC XP host is configured with the same software (except NOD32), as the actual machine and it has no issues.

However it's an easy test to log out of CheckPoint and test. I'll do that...
 
Well, that didn't work out.

Even though they are HTTPS sites, I have to have SecureRemote running to reach them.

This is very strange...
 
When you're running under VPC, are you establishing the VPN tunnel within the VPC client, or is the Vista box handling the tunnel at that point?

If you run a packet cap and compare between the working and non-working clients, do the packet sequences match up? You won't be able to decode them, since the payload is encrypted, but what I'm getting at is do you see any unexpected packet fragmentation where DNF (do not fragment) is set in the packet? Another quick way to check for something like this, if you don't have Netmon or Wireshark loaded, is to set the MTU on your network adapter to something around 1000 and see if the sites start working (MTU change requires reboot)

... and Yes, I may sound crazy, but I've actually seen it happen... usually there's other things that fail besides https connections, but you may not notice or be doing anything else where this type of fragmentation happens... It's usually something with the router.....
 
The VPC XP Host is setting up its own VPN Tunnel. It acts just like a separate machine when running. Different network name, different VPN Tunnel, etc... It is simply sharing the machine's Network connection.

My only problem with thinking it's the router is why the XP VPC host, acting as a separate machine and going through the same router, doesn't have issues.

My gut is still telling me it's something to do with NOD32. The only way I'm going to resolve this feeling is to temporarily uninstall it and test.



 
Ok, here's yet another strange tidbit.

I found that I can upload to the WebFTP (HTTPS based system) if the file is small, say 1MB or less. But if it is larger, it fails.

The same file, uploaded under the XP VPC host, through the same network and router and connected with the same SecureRemote, uploads fine.

Just what the hell the difference between the machine and the VPC host running on it is beyond me. Again, the only difference I know is NOD32 (not on the VPC Host).
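
Added example, not part of any post in this thread: the fragmentation check suggested above can be done without a packet capture or an MTU change by sending pings with Don't Fragment set and binary-searching for the largest payload that gets a reply. The function names `ping_df` and `find_path_mtu` are hypothetical, the target host is whatever you pass on the command line, and the script assumes the stock Windows or Linux (iputils) `ping`.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request with Don't Fragment set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        # Windows ping can exit 0 on error replies, so look for a real echo reply.
        return "TTL=" in out
    cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
           "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe, low=548, high=1472):
    """Return the largest IP packet size that passes unfragmented.

    `probe(payload)` reports whether a DF ping of that payload size succeeded.
    Returns None when even the smallest probe fails (host down or ICMP
    filtered), in which case this test says nothing about the MTU.
    """
    if not probe(low):
        return None
    if probe(high):
        return high + IP_ICMP_OVERHEAD  # full 1500-byte Ethernet MTU is usable
    # Invariant: probe(low) succeeds, probe(high) fails.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # host to test, supplied by the user
    print(find_path_mtu(lambda size: ping_df(target, size)))
```

Running it from both the failing machine and the working virtual machine gives two numbers to compare, with and without the VPN client connected.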
 