[IAG] After SSL content identification is turned on, websites added to SSL content identification cannot be opened
Problem Description
After SSL content identification is turned on, QQ mailbox cannot be opened. After SSL content identification is turned off, access is normal.

Process
- The test is normal after turning off SSL content identification
- The device is deployed with dual bridges and can access the Internet
- The root certificate has been installed on the PC
- Capture packets and check that both bridges received the packet
- Comparing the captures shows that the WAN port of bridge 2 receives the packet first and sends it to the LAN port
- The LAN port of bridge 1 then receives the packet and sends it to the corresponding WAN port
- Confirm the environment with the customer: the data flow passes through the IAG multiple times
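The capture comparison in the steps above can be scripted. The following is an added example, not part of the original case or any Sangfor tooling: it groups capture records by packet and reports packets seen on more than one bridge. The one-line record format, the interface names (br1-lan, br1-wan, br2-lan, br2-wan) and the addresses are assumptions, and matching on the TCP sequence number is a simplification that treats retransmissions as the same packet.

```python
import re
from collections import defaultdict

# Constructed capture summary: "<time> <interface> <src>:<sport> > <dst>:<dport> seq=<n>"
# Interface names and addresses are hypothetical, not taken from the case.
SAMPLE = """\
10.000100 br2-wan 192.0.2.10:51000 > 198.51.100.20:443 seq=1000
10.000180 br2-lan 192.0.2.10:51000 > 198.51.100.20:443 seq=1000
10.000420 br1-lan 192.0.2.10:51000 > 198.51.100.20:443 seq=1000
10.000500 br1-wan 192.0.2.10:51000 > 198.51.100.20:443 seq=1000
10.100000 br1-lan 192.0.2.11:52000 > 198.51.100.30:443 seq=7000
10.100090 br1-wan 192.0.2.11:52000 > 198.51.100.30:443 seq=7000
"""

LINE = re.compile(r"^(\d+\.\d+) (br\d+)-(lan|wan) (\S+) > (\S+) seq=(\d+)$")

def packet_paths(text):
    """Map each packet (src, dst, seq) to its time-ordered list of (bridge, port)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts, bridge, port, src, dst, seq = m.groups()
        seen[(src, dst, int(seq))].append((float(ts), bridge, port))
    return {k: [(b, p) for _, b, p in sorted(v)] for k, v in seen.items()}

def multi_traversal(text):
    """Return packets observed on more than one bridge, with the interface order."""
    return {k: path for k, path in packet_paths(text).items()
            if len({bridge for bridge, _ in path}) > 1}

if __name__ == "__main__":
    for (src, dst, seq), path in multi_traversal(SAMPLE).items():
        hops = " -> ".join(f"{b}-{p}" for b, p in path)
        print(f"{src} > {dst} seq={seq} crosses the device more than once: {hops}")
```

A packet that appears on only one bridge is the expected single-pass case and is not reported.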
Root cause
Traffic passes through the IAG multiple times, causing the IAG's SSL proxy function to malfunction.
Solution
- Improve the environment so that each data flow passes through the IAG only once
Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=6224&isOpen=true