Windows 10 browsing issues

L1 Bithead

We have a continuing issue with Windows 10 machines browsing SSL sites that are decrypted. We've had a ticket open for a couple of weeks with no solution. It is intermittent and random; we cannot create the issue at will. Tech Support has verified that the Decryption Policy and Profiles are correct. You can see it happening in the Traffic Logs. The user will be browsing using the Rule for their browsing category. You can see their User-ID, then the next minute the Rule will change to a different one and the User-ID disappears from the log. About 10 minutes later, boom, it reappears and starts working again. I don't want to turn off Decryption, but this is going to make me lose my job! Any community ideas?




All Replies
Cyber Elite

@kmullen,

I think you're trying to correlate two items that don't appear to be connected. Could you share the logs so that we can actually look at those?

Depending on your security policy it would make sense that if you dropped User-ID you would move to a different rule. The fact that you can't replicate it and it happens randomly kind of sounds more like your users' User-ID mappings are aging out, and your policy switches them to another rule that may or may not actually have the same decryption policies applied to it.

I would be highly suspicious that SSL decryption has anything to do with User-ID disappearing.
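The age-out pattern described in the reply above can be pulled out of a traffic-log export mechanically. The script below is an added example, not code from this thread or from Palo Alto Networks: it walks a CSV export per source host in time order, flags every stretch where sessions stop carrying a source user after previously carrying one, and records which rule the host matched before and during the gap, how many of the gap sessions were decrypted (bit 0x01000000 of the PAN-OS traffic-log flags field), and when the mapping returned. The column names are a trimmed-down assumption and the sample rows are constructed, modelled on the fields visible in the logs posted later in the thread.

```python
"""Spot User-ID drop-outs in a PAN-OS traffic-log CSV export.

Added example, not code from the thread. Column names and sample rows are
constructed to mirror the fields visible in the posted logs (time, source,
destination, rule, source user, application, URL category, flags, session
end reason); a real export carries many more columns.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# "Session was decrypted" bit of the PAN-OS traffic-log flags field. It shows
# whether the rule a host fell back to still decrypted its traffic.
SSL_DECRYPTED = 0x01000000

# Constructed sample in the order the firewall saw the sessions: one host keeps
# its mapping until 11:51, loses it for two sessions that land on a different
# rule, and gets it back at 12:02. A second host never loses its mapping.
SAMPLE_CSV = """receive_time,src,dst,rule,src_user,app,category,flags,end_reason
7/12/2017 11:40,10.30.106.52,192.150.19.174,ATY Technology,mis1\\c07783,ssl,computer-and-internet-info,0x40001c,tcp-fin
7/12/2017 11:50,10.30.106.52,168.61.170.80,ATY Technology,mis1\\c07783,ssl,SSL Problem Sites,0x40001b,tcp-rst-from-server
7/12/2017 11:51,10.30.106.52,40.118.160.210,ATY Technology,mis1\\c07783,ssl,internet-portals,0x140001c,tcp-fin
7/12/2017 11:51,10.30.106.52,13.64.113.158,Rule 46,,ssl,SSL Problem Sites,0x40001c,tcp-fin
7/12/2017 11:51,10.30.106.52,192.243.232.36,Rule 46,,web-browsing,computer-and-internet-info,0x40001a,tcp-rst-from-client
7/12/2017 12:02,10.30.106.52,23.203.225.2,ATY Technology,mis1\\c07783,ssl,news,0x140001c,tcp-fin
7/12/2017 11:51,10.30.106.77,23.203.225.2,ATY Technology,mis1\\jdoe,ssl,news,0x140001c,tcp-fin
"""


def parse_rows(csv_text):
    """Parse the export and order rows per source host by time.

    Timestamps are minute-granular, so rows within the same minute keep their
    file order; sorting also repairs a newest-first export.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for seq, row in enumerate(rows):
        row["_ts"] = datetime.strptime(row["receive_time"], "%m/%d/%Y %H:%M")
        row["_seq"] = seq
        row["_decrypted"] = bool(int(row["flags"], 16) & SSL_DECRYPTED)
    rows.sort(key=lambda r: (r["src"], r["_ts"], r["_seq"]))
    return rows


def find_userid_gaps(csv_text):
    """Return one record per stretch in which a host's sessions carried no
    source user after previously carrying one (i.e. a mapping drop-out)."""
    by_src = defaultdict(list)
    for row in parse_rows(csv_text):
        by_src[row["src"]].append(row)

    gaps = []
    for src, rows in by_src.items():
        last_user = last_rule = None
        gap = None
        for row in rows:
            user = row["src_user"].strip()
            if user:
                if gap is not None:  # mapping is back: close the open gap
                    gap["restored_at"] = row["_ts"]
                    gap["gap_minutes"] = (row["_ts"] - gap["lost_at"]).total_seconds() / 60
                    gaps.append(gap)
                    gap = None
                last_user, last_rule = user, row["rule"]
                continue
            if gap is None and last_user is not None:  # first unmapped session
                gap = {
                    "src": src,
                    "user": last_user,
                    "rule_before": last_rule,
                    "lost_at": row["_ts"],
                    "rules_during_gap": set(),
                    "sessions_during_gap": 0,
                    "decrypted_during_gap": 0,
                    "restored_at": None,  # stays None if never remapped
                    "gap_minutes": None,
                }
            if gap is not None:
                gap["sessions_during_gap"] += 1
                gap["rules_during_gap"].add(row["rule"])
                gap["decrypted_during_gap"] += int(row["_decrypted"])
        if gap is not None:  # export ended while the host was still unmapped
            gaps.append(gap)
    return gaps


if __name__ == "__main__":
    for g in find_userid_gaps(SAMPLE_CSV):
        print(f"{g['src']} lost {g['user']} at {g['lost_at']:%H:%M}: "
              f"{g['rule_before']} -> {sorted(g['rules_during_gap'])}, "
              f"{g['sessions_during_gap']} sessions "
              f"({g['decrypted_during_gap']} decrypted), "
              f"back after {g['gap_minutes']} min")
```

Point it at an export filtered to the affected hosts. If the gaps line up with the User-ID timeout, and the rule the host falls back to sits under a different decryption policy (visible in the decrypted bit), the browsing breakage is a symptom of the mapping loss, not of decryption itself; the mapping source and its remaining timeout for a host can be checked on the firewall with `show user ip-user-mapping ip <address>`.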

L1 Bithead

Thanks for responding. I had support look and I was able to get them to agree that User-ID was not working right. I have attached logs for user c07783. You can see that at 7/12/2017 11:51 she loses her User-ID. Later it comes back. During the transition any website she was on dies.


Traffic log export (serial 1801046497, TRAFFIC/end, vsys1, INSIDE ethernet1/2 to OUTSIDE ethernet1/1, action allow, action source from-policy on every row; the session ID, port, byte and packet counters ran together in the export and are not reproduced). Newest first:

Time             Source        Destination     Rule            Source user    Application   URL category                Flags      End reason
7/12/2017 11:51  10.30.106.52  23.203.225.2    Rule 46         (none)         web-browsing  news                        0x40001c   tcp-fin
7/12/2017 11:51  10.30.106.52  192.243.232.36  Rule 46         (none)         web-browsing  computer-and-internet-info  0x40001a   tcp-rst-from-client
7/12/2017 11:51  10.30.106.52  192.243.232.36  Rule 46         (none)         web-browsing  computer-and-internet-info  0x40001a   tcp-rst-from-client
7/12/2017 11:51  10.30.106.52  156.154.202.36  Rule 46         (none)         web-browsing  web-advertisements          0x40001c   tcp-fin
7/12/2017 11:51  10.30.106.52  23.203.225.2    Rule 46         (none)         web-browsing  news                        0x40001c   tcp-fin
7/12/2017 11:51  10.30.106.52  13.64.113.158   Rule 46         (none)         ssl           SSL Problem Sites           0x40001c   tcp-fin
7/12/2017 11:51  10.30.106.52  13.64.113.158   Rule 46         (none)         ssl           SSL Problem Sites           0x40001c   tcp-fin
7/12/2017 11:51  10.30.106.52  40.118.160.210  ATY Technology  mis1\c07783    ssl           internet-portals            0x140001c  tcp-fin
7/12/2017 11:51  10.30.106.52  23.203.225.21   ATY Technology  mis1\c07783    ssl           internet-portals            0x140001c  tcp-fin
7/12/2017 11:51  10.30.106.52  23.213.151.213  ATY Technology  mis1\c07783    ssl           business-and-economy        0x40001a   tcp-rst-from-client
7/12/2017 11:50  10.30.106.52  131.253.61.98   ATY Technology  mis1\c07783    ssl           SSL Problem Sites           0x40001c   tcp-fin
7/12/2017 11:50  10.30.106.52  131.253.61.98   ATY Technology  mis1\c07783    ssl           SSL Problem Sites           0x40001c   tcp-fin
7/12/2017 11:50  10.30.106.52  168.61.170.80   ATY Technology  mis1\c07783    ssl           SSL Problem Sites           0x40001b   tcp-rst-from-server
7/12/2017 11:40  10.30.106.52  192.150.19.174  ATY Technology  mis1\c07783    ssl           computer-and-internet-info  0x40001c   tcp-fin
7/12/2017 11:40  10.30.106.52  192.150.19.174  ATY Technology  mis1\c07783    ssl           computer-and-internet-info  0x40001c   tcp-fin
L1 Bithead

Support had me deactivate Agentless User-ID and install and configure the User-ID Agent software on several servers. This has been running for about a week, and so far no one has reported the browsing issues that were plaguing us.
