This message was posted by a user wishing to remain anonymous
Hello Juniper community,
I'm working to resolve an issue where we have two servers behind a pair of active/passive Juniper SRX 4600 firewalls. The problem is when we attempt to access the GUI / webserver on each server, we get a message in the browser saying Cipher Mismatch (Chrome). Firefox and Edge have similar messages. During troubleshooting, I logged into the servers and modified the httpd file on each server. There is a line which lists each TLS option available on the server. Initially the only enabled option was 'all'. I disabled all and enabled all the other TLS options (v3, v2, v1 and v1.1) and restarted the httpd process. This didn't resolve the issue. I re-enabled the 'all' option and then added the disable option to each version explicitly listed in the httpd file. I restarted the httpd process and then we were able to successfully access the webserver on each server. No additional changes were made on the SRX. I don't know how long access lasted because I wasn't actively working in the device GUI, but the next day, when I wanted to demonstrate what we found to Juniper support, the issue was occurring again. This means that when users attempted to navigate to each server's web GUI (https/443), the users would see the Cipher Mismatch message. I made the same changes again on each server and we were then able to access each server's web GUI. The following day I checked GUI access again and it had stopped working.
We do not have UTM enabled on the Juniper SRX platform. The same Juniper config is in place when access works and when access does not work. I don't have anything definitive or vague which points at the Juniper SRX platform, but I don't know if we're dealing with a bug or if there is something possibly going on with the SRX that is acting on the transit HTTPS traffic. The problem is the server httpd file looks the same when the traffic works as when the traffic fails. That means that all TLS versions (3, 2, 1.1 and 1) are disabled and the 'all' option is enabled. The only thing we're doing to create the access which has worked is to cycle through the various TLS options, restart httpd, re-enable all (back to where we started from) and restart httpd. Then everything works. I don't know where else to look on the Juniper at this point... or the servers for that matter.
Any suggestions would be greatly appreciated.
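One way to separate a server-side TLS configuration problem from something in the transit path is to record which protocol versions the server actually negotiates, once from the servers' own segment and once from a client behind the SRX, and compare. The script below is an added example written for this thread (not the poster's code and not a Juniper tool); the host and port it probes are command-line assumptions, and the functions it exposes can be tested offline with constructed results.

```python
"""Probe which TLS versions a web server negotiates. Run once from the servers'
segment and once from a client behind the SRX; a difference points at the path.
Host and port are command-line assumptions, not values from the post."""
import socket
import ssl
import sys
from dataclasses import dataclass

# Try each version the local OpenSSL still exposes, oldest first.
VERSIONS = [v for v in ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
            if hasattr(ssl.TLSVersion, v)]

@dataclass
class Probe:
    version: str
    ok: bool
    detail: str  # negotiated cipher on success, error text on failure

def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the handshake is under test, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = getattr(ssl.TLSVersion, version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return Probe(version, True, f"{tls.version()} {tls.cipher()[0]}")
    except (ssl.SSLError, OSError, ValueError) as exc:
        return Probe(version, False, str(exc))

def diagnose(results):
    """An empty working set is what Chrome shows as ERR_SSL_VERSION_OR_CIPHER_MISMATCH."""
    working = [r.version for r in results if r.ok]
    if not working:
        return "no TLS version negotiates: check SSLProtocol and SSLCipherSuite"
    return "server negotiates: " + ", ".join(working)

def lost_in_transit(inside, outside):
    """Versions that work from the server segment but fail from behind the firewall."""
    ok_out = {r.version for r in outside if r.ok}
    return [r.version for r in inside if r.ok and r.version not in ok_out]

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = [probe(host, port, v) for v in VERSIONS]
    for r in results:
        print(f"{r.version:8} {'ok  ' if r.ok else 'FAIL'} {r.detail}")
    print(diagnose(results))
```

If both vantage points report the same empty set while the failure is active, the httpd configuration is the place to look; if the inside run negotiates and the outside run does not, capture the handshake on both sides of the SRX.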