SSL-VPN users can't connect from an Apple AirPort Extreme router

03/26/2020 15 13941

DESCRIPTION:

While using a 6.2.x firmware version on your SonicWall Appliance, your SSL-VPN users are reporting that they can't connect using Mobile Connect or NetExtender when sitting behind an Apple AirPort Extreme device. From the same machine, the SSL-VPN users can connect just fine from a different location, not behind this AirPort Extreme.

The issue occurs on Windows, Linux, iOS and Android Operating Systems.

CAUSE:

The issue starts at the TCP three-way handshake for the SSL connection with the Apple Airport.

Sometimes the Apple AirPort will drop the third ACK packet from the client behind it or it will merge this packet into the next SSL Client Hello. 

In the firewall side, when it receives a TCP SYN packet and then answer with a SYN/ACK, it will hope for an ACK to complete the TCP three-way handshake. However, sometimes it only gets an SSL Client Hello. Theoretically, the TCP three-way handshake can be finished by treating this packet as third ACK + data. Octean Firewalls can handle this situation, however, New Generation firewalls don't.

RESOLUTION:

The solution for our SSL-VPN connections to work behind an Apple AirPort Device is to disable TCP_DISABLE_DACK option to support incomplete TCP three-way handshake like this.

There is 100ms latency for the first TCP data packet from a client when encountering an incomplete TCP three-way handshake. TCP_DISABLE_DACK option only affects the TCP three-way handshake but not the TCP traffic. It’s a different concept with the TCP NEGAL algorithm. Therefore, there are no security concerns to be worried off, nor side effects with this resolution.

Should you face this issue, you can contact our Technical Support Team about DTS 167361 and request a Hotfix for your Appliances running 6.2.2.2-19n or 6.2.4.3-31n.

The fix is included in the SonicOS release 6.2.5.0-15n and higher.