
can't connect to https websites

Sep 23 12 6:54 am

Hi,

I am only using WinGate for NAT; no restrictions, policy, interception or whatever.

WinGate seems to act weird.

Initially I could only visit ssl sites, and later it rectified itself. Unfortunately, now I can no longer connect to any ssl sites (twitter, google mail, and any sites with https://)

I have disabled my firewalls and almost every policy, but still cannot get it to connect.

Any Help?

Re: can't connect to https websites

Sep 23 12 9:24 am

Hi

Make sure that you aren't intercepting port 443 in the WWW proxy. This breaks https (until we release 7.3 with https inspection when this all changes).

Alternatively, configure your client browsers to use a proxy, rather than intercepting connections. This is recommended especially if you want to use authentication at the proxy.

Regards

Adrien

Re: can't connect to https websites

Sep 23 12 11:35 am

I have disabled every single proxy, policy.

I am running simple Network address translation.

All https sites are not connecting and rtmp streaming sites.

Re: can't connect to https websites

Sep 23 12 2:27 pm

So in WinGate Management, on the activity screen, do the https connections show up as

NAT: TCP connection to ...... : 443

?

Regards

Adrien

Re: can't connect to https websites

Sep 23 12 9:12 pm

Yes. There are TCP connections to 443 on the activity page.

Re: can't connect to https websites

Sep 24 12 8:57 pm

So what error do you see in the client?

If the NAT connection is going through on port 443, the sorts of issues that can crop up after that are things like:

* upstream issues - e.g. an upstream firewall blocking port 443 or something.
* bandwidth control issues (e.g. choking or under-prioritising port 443)
* inability to validate a server cert - this is done using further http requests, which if blocked by a firewall can result in failure to validate certs
* MTU - we've seen issues with https in the past where some link in the path to the server has a reduced MTU, e.g. if your internet connection has a reduced MTU and your network adapter doesn't adjust properly.

To test MTU, you use ping from the command line. e.g.

ping 210.55.214.35 -f -l 1472

will send a ping with 1472 bytes payload (+ 28 bytes ICMP/IP overhead = 1500 bytes which is typical MTU). If that fails with "packet must be fragmented but..." then reduce the number until you find the MTU, then set network adapter MTU to that value or slightly smaller.

Regards

Adrien
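
The manual "reduce the number until you find the MTU" search from the post above, automated with a binary search. This is an added example, not part of the original thread and not WinGate code; the function names and the 548-byte lower bound (576-byte minimum IPv4 MTU minus 28) are assumptions made for illustration.

```python
import platform
import subprocess
import sys

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header, as in the post


def ping_df(host, payload):
    """Send one ping with Don't Fragment set; True only if an echo reply arrived."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Look for a real reply line instead of trusting the exit code alone.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()


def find_path_mtu(host, probe=ping_df, low=548, high=1472):
    """Path MTU found by probing DF payloads between low and high bytes.

    Returns None when even the smallest probe gets no reply, which points at
    blocked ICMP or a dead path, not at MTU.
    """
    if not probe(host, low):
        return None
    if probe(host, high):
        return high + ICMP_IP_OVERHEAD  # path carries a standard 1500-byte packet
    # Invariant: payload `low` gets through, payload `high` does not.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(host, mid):
            low = mid
        else:
            high = mid
    return low + ICMP_IP_OVERHEAD


if __name__ == "__main__":
    target = sys.argv[1]  # address to test, e.g. the one used in the post
    mtu = find_path_mtu(target)
    print("no reply to small probes" if mtu is None else f"path MTU: {mtu} bytes")
```

Run it from a client behind the NAT with the target address as the only argument; a result below 1500 is the value to set on the network adapter.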

Re: can't connect to https websites

Sep 24 12 10:37 pm

Thanks for your response.

WinGate is just acting plain weird.

* Firewalls on the server and clients are completely deactivated.
* No problem with the internet connectivity. I am using an Amazon EC2 server and it accesses https. So, that settles the upstream.
* Pinging with 1472 bytes works.
* The client's web browser, when connecting to https, just keeps connecting indefinitely until it stops. I have also tried different clients (all Windows based).

Additionally, sometimes https://twitter.com loads its home page but does not browse any more. Also, youtube connects infrequently but does not stream any videos.
I also cannot watch most rtmp streams, with a server not found error.
These errors are completely absent from the server side. And when I initially set up WinGate, clients could access https just fine. The problems just started suddenly.

Thanks.

Re: can't connect to https websites

Sep 25 12 2:01 am

Hi

I can have a look remotely at your system if you like. Just send an email to support@wingate.com

We normally recommend Teamviewer.

Regards

Adrien

Re: can't connect to https websites

Oct 02 12 10:18 pm

Thanks man, I have finally resolved the issue.

It was my openvpn configuration settings...

Commenting out mssfix and fragment options seemed to fix the issue.

Thanks Adrien.