• SonicOS 7
• About DPI-SSL
  • Using DPI-SSL
    • Supported Features
    • Support for Local CRL
    • TLS Certificate Status Request Extension
    • Blocking of SSH X11 Forwarding
    • Support for ECDSA-Related Ciphers
    • DPI-SSL and CFS HTTPS Content Filtering Work Independently
    • Original Port Numbers Retained in Decrypted Packets
    • Security Services
  • Deployment Scenarios
  • Proxy Deployment
  • Customizing DPI-SSL
  • Connections per Appliance Model
• Configuring the DPI-SSL/TLS Client
  • Decryption Services > DPI-SSL/TLS Client
  • Viewing DPI-SSL Status
  • Deploying the DPI-SSL/TLS Client
    • Configuring General Settings
      • Enabling SSL Client Inspection
      • Enabling DPI-SSL Client on a Zone
      • Enabling DPI-SSL Server on a Zone
    • Selecting the Re-Signing Certificate Authority
      • Adding Trust to the Browser
    • Configuring Exclusions and Inclusions
      • Excluding/Including Objects/Groups
      • Excluding/Including by Common Name
        • Viewing Status of DPI SSL Default Exclusions
        • Excluding/Including Common Names
        • Deleting Custom Common Names
        • Showing Connection Failures
        • Updating Default Exclusions Manually
      • Specifying CFS Category-based Exclusions/Inclusions
      • Client DPI-SSL Examples
        • Content Filtering
        • App Rules
• Configuring DPI-SSL/TLS Server Settings
  • Decryption Services > DPI-SSL/TLS Server
  • About DPI-SSL/TLS Server Settings
    • Configuring General DPI-SSL/TLS Server Settings
    • Configuring Exclusions and Inclusions
    • Configuring Server-to-Certificate Pairings
• SonicWall Support
  • About This Document

Showing Connection Failures

SonicOS keeps a list of recent DPI-SSL client-related connection failures. This is a powerful feature that:

• Lists DPI-SSL failed connections.
• Allows you to audit the failed connections.
• Provide a mechanism to automatically exclude some failing domains.

The dialog displays the run-time connection failures. The connection failures could be any of the following reasons:

• Failure to handshake with the Client
• Failure to handshake with the Server
• Failed to validate the domain name in the Client Hello
• Failure to authenticate the server (the server certificate issuer is not trusted)

The failure list is only available at run-time. The number logged for each failure is limited to ensure a single failure type does not overrun the entire buffer.

To use the connection failure list

1. Click Show Connection Failures. The Connection Failure List dialog displays.

   

   Each entry in this lists displays the:

   • Client Address
   • Server Address
   • Common Name – The common name of the failed connection’s domain. You can edit this entry inline before adding it to the automatic exclusion list.
   • Error Message – Provides contextual information associated with the connection that enables you to make appropriate choices about excluding this connection.

2. To add an entry to the exclusion list:

   1. Select the entry.

   2. Make any edits to the entry.

   3. Click Exclude.

3. To delete an entry:

   1. Select it.

   2. Click Clear.

4. To delete all entries, click Clear All.
5. When you have finished, click Close.