Scheduled Security and Vulnerability Scans Cause Mobile VPN with SSL Client Connection Issues

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

Scheduled vulnerability scans from third‑party security tools can interfere with Mobile VPN with SSL client connections on the Firebox. SSL/TLS cipher enumeration, port probes, and web server scans can disrupt active Mobile VPN with SSL sessions or trigger brief but noticeable connection interruptions. Because these scans temporarily interfere with the SSL/TLS services that support Mobile VPN with SSL, VPN tunnels can drop or fail to negotiate during the scan window.

Symptoms

When third‑party security scans interrupt Mobile VPN with SSL connections, you might experience these symptoms:

  • Connection issues occur intermittently but follow a consistent pattern, such as recurring at regular intervals or always at the same time of day.

Diagnostic Steps

To identify whether external scans cause the interruption:

  • Review Firebox log messages for denied connections, TLS handshake errors, or service interruptions that occur at the same time as scheduled scans.
  • On the affected computer, temporarily disable security scans and retest.

Possible Causes and Resolutions

Possible Cause: Third‑party security scans interfere with Firebox SSL/TLS services.

Solution: Disable or adjust the security scans. Add exceptions for the Firebox in the third‑party scanning software.

  • Open the third‑party security tool management UI and disable features that inspect or modify Firebox traffic, such as real‑time scanning, network inspection, or SSL/TLS inspection modules.
  • Add the Firebox IP addresses, required ports (TCP 4117, 4105, 4118, 443, 5555, and VPN ports UDP 500 and 4500), and any Firebox host names to the exclusion lists of the scanning software.
    This prevents the software from blocking, probing, or scanning Mobile VPN with SSL traffic.

Related Log Messages

Firebox log messages generated while performing third‑party vulnerability scans might include entries similar to these:

  • 704078904,"",XXXXXXXXXXXXX,1002,85304972,3,wrapper,"",db,"nginx: YYYY/MM/DD HH:MM:SS [error] 25434$0: *5896595 open() ""/usr/share/web/none/hello.world"" failed (2: No such file or directory), client: 203.0.113.3, server: ",YYYY-MM-DD HH:MM:SS
  • 704078912,"",XXXXXXXXXXXXX,1002,85305420,3,wrapper,"",db,"nginx: YYYY/MM/DD HH:MM:SS [error] 25434$0: *5896595 open() ""/usr/share/web/none/vendor/phpunit/Util/PHP/eval-stdin.php"" failed (2: No such file or directory), client: 203.0.113.3, server: ",YYYY-MM-DD HH:MM:SS
  • 704078910,"",XXXXXXXXXXXXX,1002,85305253,3,wrapper,"",db,"nginx: YYYY/MM/DD HH:MM:SS [error] 25434$0: *5896595 open() ""/usr/share/web/none/vendor/phpunit/src/Util/PHP/eval-stdin.php"" failed (2: No such file or directory), client: 203.0.113.3, server: ",YYYY-MM-DD HH:MM:SS
  • 704078908,"",XXXXXXXXXXXXX,1002,85305141,3,wrapper,"",db,"nginx: YYYY/MM/DD HH:MM:SS [error] 25434$0: *5896595 open() ""/usr/share/web/none/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php"" failed (2: No such file or directory), client: 203.0.113.3, server: ",YYYY-MM-DD HH:MM:SS

Firebox log messages that show SSL/TLS handshake failures while performing vulnerability scans might include entries similar to these:

  • 704079239,"",XXXXXXXXXXXXX,1002,85315056,3,wrapper,"",db,"nginx: YYYY/MM/DD HH:MM:SS [crit] 25434$0: *5896960 SSL_do_handshake() failed (SSL: error:0A00018C:SSL routines::version too low) while SSL handshaking, client: 203.0.113.3, server: 0.0.0.0:4137 ",YYYY-MM-DD HH:MM:SS
  • 704079274,"",XXXXXXXXXXXXX,1002,85315520,3,wrapper,"",db,"nginx: YYYY/MM/DD HH:MM:SS [crit] 25434$0: *5896990 SSL_do_handshake() failed (SSL: error:0A000065:SSL routines::no suitable key share) while SSL handshaking, client: 203.0.113.4, server: 0.0.0.0:4137 ",YYYY-MM-DD HH:MM:SS
  • 704079272,"",XXXXXXXXXXXXX,1002,85315485,3,wrapper,"",db,"nginx: YYYY/MM/DD HH:MM:SS [crit] 25434$0: *5896988 SSL_do_handshake() failed (SSL: error:0A000065:SSL routines::no suitable key share) while SSL handshaking, client: 203.0.113.4, server: 0.0.0.0:4137 ",YYYY-MM-DD HH:MM:SS
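The log correlation described under Diagnostic Steps, as an added Python example that is not part of this article or of WatchGuard's tooling: it parses Firebox log lines in the CSV layout shown above (a constructed sample modelled on the entries in this article, with invented timestamps and one invented out-of-window client, 198.51.100.7), extracts the client address and the nginx error from each message, and reports per client how many events fall inside an assumed scan window (02:00 to 02:30, a placeholder for the scanner's real schedule) and how many fall outside it.

```python
import csv
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log modelled on the entries in the article. Timestamps are
# invented; the 198.51.100.7 line is invented to show an event outside the window.
SAMPLE_LOG = """\
704078904,"",XXXXXXXXXXXXX,1002,85304972,3,wrapper,"",db,"nginx: 2024/05/06 02:00:12 [error] 25434$0: *5896595 open() ""/usr/share/web/none/hello.world"" failed (2: No such file or directory), client: 203.0.113.3, server: ",2024-05-06 02:00:12
704078912,"",XXXXXXXXXXXXX,1002,85305420,3,wrapper,"",db,"nginx: 2024/05/06 02:00:13 [error] 25434$0: *5896595 open() ""/usr/share/web/none/vendor/phpunit/Util/PHP/eval-stdin.php"" failed (2: No such file or directory), client: 203.0.113.3, server: ",2024-05-06 02:00:13
704079239,"",XXXXXXXXXXXXX,1002,85315056,3,wrapper,"",db,"nginx: 2024/05/06 02:03:40 [crit] 25434$0: *5896960 SSL_do_handshake() failed (SSL: error:0A00018C:SSL routines::version too low) while SSL handshaking, client: 203.0.113.3, server: 0.0.0.0:4137 ",2024-05-06 02:03:40
704079274,"",XXXXXXXXXXXXX,1002,85315520,3,wrapper,"",db,"nginx: 2024/05/06 02:04:01 [crit] 25434$0: *5896990 SSL_do_handshake() failed (SSL: error:0A000065:SSL routines::no suitable key share) while SSL handshaking, client: 203.0.113.4, server: 0.0.0.0:4137 ",2024-05-06 02:04:01
704079272,"",XXXXXXXXXXXXX,1002,85315485,3,wrapper,"",db,"nginx: 2024/05/06 02:04:02 [crit] 25434$0: *5896988 SSL_do_handshake() failed (SSL: error:0A000065:SSL routines::no suitable key share) while SSL handshaking, client: 203.0.113.4, server: 0.0.0.0:4137 ",2024-05-06 02:04:02
704081100,"",XXXXXXXXXXXXX,1002,85320000,3,wrapper,"",db,"nginx: 2024/05/06 14:22:05 [crit] 25434$0: *5897500 SSL_do_handshake() failed (SSL: error:0A00018C:SSL routines::version too low) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:4137 ",2024-05-06 14:22:05
"""

# Assumed scan window (placeholder; use the schedule configured in the scanner).
SCAN_WINDOW_START = time(2, 0)
SCAN_WINDOW_END = time(2, 30)

MSG_FIELD = 9   # the quoted nginx message, 0-based column in the CSV layout above
TS_FIELD = 10   # the trailing "YYYY-MM-DD HH:MM:SS" timestamp column

LEVEL_RE = re.compile(r"\[(error|crit)\]")
CLIENT_RE = re.compile(r"client: ([0-9a-fA-F.:]+),")
SSL_RE = re.compile(r"\(SSL: (error:[0-9A-F]+:[^)]*)\)")
# csv.reader turns the doubled "" inside the quoted field back into a single quote
PATH_RE = re.compile(r'open\(\) "([^"]+)" failed')


def parse_records(text):
    """Parse CSV log lines into dicts with ts, level, client, kind and detail."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) <= TS_FIELD or not row[MSG_FIELD].startswith("nginx:"):
            continue
        msg = row[MSG_FIELD]
        level, client = LEVEL_RE.search(msg), CLIENT_RE.search(msg)
        if not (level and client):
            continue
        ssl, path = SSL_RE.search(msg), PATH_RE.search(msg)
        if ssl:
            kind, detail = "tls_handshake", ssl.group(1)   # handshake failure
        elif path:
            kind, detail = "web_probe", path.group(1)      # request for a missing path
        else:
            kind, detail = "other", msg
        records.append({
            "ts": datetime.strptime(row[TS_FIELD], "%Y-%m-%d %H:%M:%S"),
            "level": level.group(1),
            "client": client.group(1),
            "kind": kind,
            "detail": detail,
        })
    return records


def in_window(ts, start=SCAN_WINDOW_START, end=SCAN_WINDOW_END):
    """True if the time of day of ts falls in [start, end); handles windows past midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def correlate(records, start=SCAN_WINDOW_START, end=SCAN_WINDOW_END):
    """Per client: events inside the scan window, events outside it, distinct signatures."""
    summary = defaultdict(lambda: {"in_window": 0, "outside": 0, "details": set()})
    for r in records:
        s = summary[r["client"]]
        s["in_window" if in_window(r["ts"], start, end) else "outside"] += 1
        s["details"].add(r["detail"])
    return dict(summary)


def suspected_scan_sources(summary, min_events=2):
    """Clients whose events all fall inside the window and repeat at least min_events times."""
    return sorted(c for c, s in summary.items()
                  if s["outside"] == 0 and s["in_window"] >= min_events)


if __name__ == "__main__":
    summary = correlate(parse_records(SAMPLE_LOG))
    for client, s in sorted(summary.items()):
        print(f"{client}: {s['in_window']} in window, {s['outside']} outside, "
              f"{len(s['details'])} distinct signatures")
    print("suspected scan sources:", suspected_scan_sources(summary))
```

A client whose events all fall inside the window and repeat across several probe paths or handshake errors is the one to compare against the scanner's configured source address before adding the Firebox to that scanner's exclusion list. A single handshake failure outside the window, as for 198.51.100.7 in the sample, is more likely an ordinary client with an unsupported TLS version and is a different troubleshooting case.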

Related Topics

About Mobile VPN with SSL

Troubleshoot Mobile VPN with SSL