07-12-2017 09:40 AM
We have a continuing issue with Windows 10 machines browsing SSL sites that are decrypted. We've had a ticket open for a couple weeks with no solution. It is intermittent and random, we cannot create the issue at will. Tech Support has verified Decryption Policy and Profiles are correct. You can see it happening in the Traffic Logs. The user will be browsing using the Rule for their browsing category. You can see their User-ID, then the next minute the Rule will change to a different one and the User-ID disappears from the log. About 10 minutes later, boom, it reappears and starts working again. I don't want to turn off Decryption, but this is going to make me lose my job! Any community ideas?
07-20-2017 08:18 AM
Support had me deactivate Agentless User-ID and install and configure Agent-ID software on several servers. This has been running for about a week, and so far, no one has reported the browsing issues that were plaguing us.
07-12-2017 10:23 AM
I think you're trying to correlate two items that don't appear to be connected. Could you share the logs so that we can actually look at those?
Depending on your security policy it would make sense that if you dropped user-id you would move to a different rule. The fact that you can't replicate it and it happens randomly kinda sounds more like your users are having their user-ids age-out and your policy switches them to another rule that may/not actually have the same decryption policies applied to it.
I would be highly suspicious that SSL decryption has anything to do with user-id disappearing.
07-12-2017 02:30 PM
Thanks for responding. I had support look and I was able to get them to agree that USER-ID was not working right. I have attached logs for user c07783. You can see at time 7/12/2017 11:51 she loses her User-ID. Later it comes back. During the transition any website she was on dies.
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 23.203.225.2 | 23.203.225.2 | Rule 46 | web-browsing | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 142481 | 1 | 53728 | 80 | 63414 | 80 | 0x40001c | tcp | allow | 105512 | 8773 | 96739 | 151 | ######## | 2 | news | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 79 | 72 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | |||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 192.243.232.36 | 192.243.232.36 | Rule 46 | web-browsing | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 69763 | 1 | 53876 | 80 | 10144 | 80 | 0x40001a | tcp | allow | 2461 | 985 | 1476 | 9 | ######## | 0 | computer-and-internet-info | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 6 | 3 | tcp-rst-from-client | 0 | 0 | 0 | 0 | from-policy | |||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 192.243.232.36 | 192.243.232.36 | Rule 46 | web-browsing | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 121853 | 1 | 53877 | 80 | 2421 | 80 | 0x40001a | tcp | allow | 2312 | 942 | 1370 | 9 | ######## | 0 | computer-and-internet-info | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 6 | 3 | tcp-rst-from-client | 0 | 0 | 0 | 0 | from-policy | |||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 156.154.202.36 | 156.154.202.36 | Rule 46 | web-browsing | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 114700 | 1 | 53845 | 80 | 32299 | 80 | 0x40001c | tcp | allow | 1385 | 699 | 686 | 9 | ######## | 0 | web-advertisements | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 4 | 5 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | |||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 23.203.225.2 | 23.203.225.2 | Rule 46 | web-browsing | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 36256 | 1 | 53734 | 80 | 4592 | 80 | 0x40001c | tcp | allow | 41320 | 4147 | 37173 | 62 | ######## | 1 | news | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 32 | 30 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | |||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 13.64.113.158 | 13.64.113.158 | Rule 46 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 58413 | 1 | 53766 | 443 | 13202 | 443 | 0x40001c | tcp | allow | 10254 | 2694 | 7560 | 23 | ######## | 0 | SSL Problem Sites | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 13 | 10 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | |||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 13.64.113.158 | 13.64.113.158 | Rule 46 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 40561 | 1 | 53759 | 443 | 58502 | 443 | 0x40001c | tcp | allow | 10270 | 2694 | 7576 | 23 | ######## | 0 | SSL Problem Sites | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 13 | 10 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | |||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 40.118.160.210 | 40.118.160.210 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 171214 | 1 | 53709 | 443 | 38116 | 443 | 0x140001c | tcp | allow | 5162 | 1140 | 4022 | 15 | ######## | 24 | internet-portals | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 9 | 6 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | ||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 23.203.225.21 | 23.203.225.21 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 9864 | 1 | 53696 | 443 | 9982 | 443 | 0x140001c | tcp | allow | 5405 | 1030 | 4375 | 20 | ######## | 20 | internet-portals | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 8 | 12 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | ||
1 | 7/12/2017 11:51 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.30.106.52 | 23.213.151.213 | 23.213.151.213 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 188652 | 1 | 53701 | 443 | 6034 | 443 | 0x40001a | tcp | allow | 6888 | 1125 | 5763 | 23 | ######## | 14 | business-and-economy | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 13 | 10 | tcp-rst-from-client | 0 | 0 | 0 | 0 | from-policy | ||
1 | 7/12/2017 11:50 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:50 | 10.30.106.52 | 131.253.61.98 | 131.253.61.98 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 60631 | 1 | 53706 | 443 | 36708 | 443 | 0x40001c | tcp | allow | 12272 | 5094 | 7178 | 22 | ######## | 1 | SSL Problem Sites | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 13 | 9 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | ||
1 | 7/12/2017 11:50 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:50 | 10.30.106.52 | 131.253.61.98 | 131.253.61.98 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 117319 | 1 | 53705 | 443 | 8985 | 443 | 0x40001c | tcp | allow | 13147 | 5953 | 7194 | 21 | ######## | 0 | SSL Problem Sites | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 12 | 9 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | ||
1 | 7/12/2017 11:50 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:50 | 10.30.106.52 | 168.61.170.80 | 168.61.170.80 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 224602 | 1 | 53665 | 443 | 38594 | 443 | 0x40001b | tcp | allow | 8420 | 1540 | 6880 | 17 | ######## | 119 | SSL Problem Sites | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 8 | 9 | tcp-rst-from-server | 0 | 0 | 0 | 0 | from-policy | ||
1 | 7/12/2017 11:40 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:40 | 10.30.106.52 | 192.150.19.174 | 192.150.19.174 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 255638 | 1 | 53656 | 443 | 9237 | 443 | 0x40001c | tcp | allow | 2255 | 980 | 1275 | 17 | ######## | 0 | computer-and-internet-info | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 7 | 10 | tcp-fin | 0 | 0 | 0 | 0 | from-policy | ||
1 | 7/12/2017 11:40 | 1801046497 | TRAFFIC | end | 1 | 7/12/2017 11:40 | 10.30.106.52 | 192.150.19.174 | 192.150.19.174 | ATY Technology | mis1\c07783 | ssl | vsys1 | INSIDE | OUTSIDE | ethernet1/2 | ethernet1/1 | ######## | 23908 | 1 | 53655 | 443 | 1876 | 443 | 0x40001c | tcp | allow | 2123 | 908 | 1215 | 16 | ######## | 0 | computer-and-internet-info | 0 | 3.46E+08 | 0x0 | 10.0.0.0-10.255.255.255 | 0 | 7 | 9 | tcp-fin | 0 | 0 | 0 | 0 | from-policy |
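A way to find these dropouts across a whole traffic-log export instead of reading it row by row, as an added example that is not part of any post in this thread: it walks the rows oldest-first and reports, per source IP, each point where the user mapping disappears or returns together with the rule change. The function names, the sample rows and the column assumptions (rule in the 11th column, empty user cell collapsed, newest-first order) are constructed to match the layout pasted above.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the export above (newest first), trimmed
# after the zone columns; addresses, rule names and the user are made up.
SAMPLE = r"""
1 | 7/12/2017 12:02 | 0000000000 | TRAFFIC | end | 1 | 7/12/2017 12:02 | 10.0.0.5 | 203.0.113.9 | 203.0.113.9 | Rule A | corp\user1 | ssl | vsys1 | INSIDE | OUTSIDE
1 | 7/12/2017 11:51 | 0000000000 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.0.0.5 | 198.51.100.7 | 198.51.100.7 | Rule B | web-browsing | vsys1 | INSIDE | OUTSIDE
1 | 7/12/2017 11:51 | 0000000000 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.0.0.6 | 198.51.100.7 | 198.51.100.7 | Rule A | corp\user2 | ssl | vsys1 | INSIDE | OUTSIDE
1 | 7/12/2017 11:51 | 0000000000 | TRAFFIC | end | 1 | 7/12/2017 11:51 | 10.0.0.5 | 203.0.113.9 | 203.0.113.9 | Rule B | ssl | vsys1 | INSIDE | OUTSIDE
1 | 7/12/2017 11:50 | 0000000000 | TRAFFIC | end | 1 | 7/12/2017 11:50 | 10.0.0.5 | 203.0.113.9 | 203.0.113.9 | Rule A | corp\user1 | ssl | vsys1 | INSIDE | OUTSIDE
"""

def parse_row(line):
    """Return time, source IP, rule and user (None when the user cell is empty)."""
    f = [c.strip() for c in line.split("|")]
    if len(f) < 13 or f[3] != "TRAFFIC":
        return None
    # Assumption: rule is column 11; an empty user cell collapses, so the cells
    # between the rule and the vsys column are either [user, app] or just [app].
    vsys = next((i for i in range(11, len(f)) if re.fullmatch(r"vsys\d+", f[i])), None)
    if vsys is None:
        return None
    between = f[11:vsys]
    return {"time": datetime.strptime(f[1], "%m/%d/%Y %H:%M"), "src": f[7],
            "rule": f[10], "user": between[0] if len(between) == 2 else None}

def userid_transitions(text):
    """List (kind, src, HH:MM, user, old_rule, new_rule) for each mapping change."""
    rows = [r for r in map(parse_row, text.strip().splitlines()) if r]
    rows.reverse()                      # export is newest-first
    rows.sort(key=lambda r: r["time"])  # stable sort keeps file order within a minute
    last, events = {}, []
    for r in rows:
        prev = last.get(r["src"])
        if prev and bool(prev["user"]) != bool(r["user"]):
            kind = "lost" if prev["user"] else "regained"
            events.append((kind, r["src"], r["time"].strftime("%H:%M"),
                           prev["user"] or r["user"], prev["rule"], r["rule"]))
        last[r["src"]] = r
    return events

if __name__ == "__main__":
    for event in userid_transitions(SAMPLE):
        print(*event, sep="  ")
```

Because the export only has minute resolution, rows within the same minute are ordered by their position in the file, so a mixed minute such as 11:51 above is resolved by file order alone.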