Issue

A TLS connection may fail when going over an Off-Cloud or Alt-WAN link between two sites behind Cato Sockets. 

Environment

• TLS connection between two Cato sites.
• TLS Inspection is Enabled
• The network rule that the traffic hits is below a complex rule (more information below)

Troubleshooting

• TCP Proxy will be enforced when a complex network rule exists above the simple Off-Cloud or Alt-WAN network rule as explained in Working with Complex Network Rules
• Below is an example of a scenario where a simple off-cloud rule is placed below a complex rule. The rule is complex because it contains a defined Application.

• In this scenario, the Socket can’t evaluate the network rule on the SYN packet and sends it to the PoP. The TCP proxy completes the TCP handshake on the client side (Site B) only as shown in the graph below

• The SYN packet is sent over the tunnel to the server side (Site A). The Socket switches to the Off Cloud transport immediately and sends the SYN ACK over Off Cloud.

• The network profile is decided on the Site B Socket and it switches to the Off Cloud transport. The Client Hello is sent over Off Cloud.

• The Client Hello arrives at the server, but the server hasn’t even completed the TCP handshake with the client. The Client Hello is discarded while the server retransmits the SYN ACK. The client has already completed the TCP handshake with the PoP and drops the SYN ACK.

• The above behavior can be seen from the server side by running a packet capture. See How to Capture Traffic on a Socket

Solution

The solution is to move the simple Off-Cloud or Alt-WAN rule above any complex rules. When doing this, the sockets are able to evaluate the network rule and route packets over Off Cloud or Alt-WAN immediately.

The PoP and the TCP proxy are eliminated from the path in both directions. Packets are sent directly between both Sockets.