Hi all, I'm having an issue fetching content from a HTTPS server through my SRX345.
It started with trying to fetch https://mirrors.jenkins.io/debian-stable/jenkins_2.452.2_all.deb. The first part of the process appears to work, the client opens a connection to the https server, which issues a 302 redirect to pkg.jenkins.io. When attempting this redirect, the connection hangs. To see what was going on, I took a pcap from the client. I can see the three-way handshake, followed by a tls client hello, an ack, then what appears to be the second of two packets from server > client, followed by a repeated ack from the server. It looks like the tls server hello packet is going missing.
I've tried this from several subnets attached to the SRX and each time I get the same issue. If I force the connection to use IPv4, it works fine. I've tried other IPv6 hosts on other parts of the Internet and they work OK. The SRX connects to the Internet via a vDSL line connected via PPPoE,
I did do a datapath debug which produced a lot of txt output but not a lot of help. I don't think I saw the server hello packet but I can't bee 100% sure.
I'd like to run a pcap on the PPPoE interface and on the outgoing interface, so I can see if the packet is coming in and if it is going out. That's been causing me some issues. There seems to be different approaches, depending on the model of SRX, firmware in use, day of the week and who's blog you're reading. I have managed to get some pcaps going but not ones that capture transit traffic. It would be something I'd like to work out how to do as it's valuable to future debuging and not just to resolving the TLS issue.
I think therefore, I have two questions for the community:
1) How can one pcap transit traffic on a SRX345?
2) Does anyone have any other insights as to resolving the TLS / IPv6 issue I'm facing?
Kind regards
------------------------------
CLAIRE DAVISON
------------------------------