Jenkins downloads fail from linux host via IPSEC tunnel

Article ID: 259041


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A Linux Jenkins server fails to download files from a remote location.

curl reports a download error together with a message indicating an invalid ProxySG intermediate certificate, even though no SSL inspection is enabled for the destination.

Content filtering rules are configured to allow requests from the Jenkins source IP address to the destination IP addresses.

Cloud SWG reports confirm that the requests were denied.

Environment

Cloud SWG.

IPSEC tunnel.

No authentication for requests coming from the Jenkins Linux server.

SSL bypass for the destination domain.

Cause

The content filtering allow rule for requests generated by the Jenkins server included 'Content and Limits' entries, which can never be evaluated for a destination that is bypassed from SSL inspection.

Resolution

Removed the 'Content and Limits' entry from the rule that should have allowed all requests from the Jenkins server to the destination.

When this happened, the HTTP log entry went from:

2023-02-01 16:14:41 "DP2-GIEDU1_proxysg2" 11 172.30.230.46 - - - - policy_denied PROXIED "Software Downloads" - 0 TCP_ERR_MISS unknown - ssl busruploads.s3.amazonaws.com 443 / - - - 192.168.2.85 0 0 - - - - - - - - 445726 "THW-WSS-FW" firewall_vpn "-" "-" 31.25.2.107 "United States" - none - - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 *.s3.amazonaws.com "Cloud Infrastructure" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "United States" - "Invalid" 3 3 - - - - - - - - - - SSL_Intercept_1 - - - - 2001:0DB8:2efb:8a0f:03a3:005c:73f3:d902 c3f6efab049a0797-000000001abd729f-0000000063da8ff1 - - "Invalid" "Invalid" - - -

to

2023-02-01 16:39:51 "P2-GIEDU1_proxysg2" 840 172.30.230.46 - - - - - OBSERVED "Software Downloads" - 0 TUNNELED unknown - ssl busruploads.s3.amazonaws.com 443 / - - - 192.168.6.86 20839 1005 - - - - - - - - 445722 "KWS-WSS-FW" firewall_vpn "-" "-" 31.25.11.15 "United States" CERT_VALID none - - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 *.s3.amazonaws.com "Cloud Infrastructure" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 3.5.11.15 "United States" - "Invalid" 3 3 - - - - - - - - - - - - - - - 2001:0DB8:3dd6:626a:3f87:c476:73f3:d902 0187e0fff3f4ecfc-000000001a6fe202-0000000063da95d6 148.64.27.221 148.64.27.221 "GB" "United Kingdom" - - -

The SSL intercept was only triggered by the error condition (DENY), which occurs even if SSL interception for that domain is disabled; this is why curl saw a ProxySG certificate for a domain that was supposed to be bypassed.
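As an added check that is not part of the article, the two access log lines above can be parsed to tell the "deny forced an intercept on a bypassed domain" symptom from a healthy tunneled request. The field positions and the bypassed domain list are assumptions taken from the lines shown, not a documented format specification.

```python
import shlex

# 0-based positions of the fields used below, as observed in the article's
# two Cloud SWG access log lines (assumed stable for this log format).
FILTER_RESULT, ACTION, CACHE_STATUS, SCHEME, HOST = 9, 10, 14, 17, 18

# Assumption: the destination domain is bypassed from SSL inspection.
SSL_BYPASS_DOMAINS = ("s3.amazonaws.com",)


def parse_line(line):
    """Split a quoted, space-separated access log line into a record."""
    f = shlex.split(line)  # honours the "quoted" fields
    return {
        "filter_result": f[FILTER_RESULT],
        "action": f[ACTION],
        "cache_status": f[CACHE_STATUS],
        "scheme": f[SCHEME],
        "host": f[HOST],
        # A rule name such as SSL_Intercept_1 is present only when the
        # request was intercepted; its column varies, so scan for it.
        "intercepted": any(x.startswith("SSL_Intercept") for x in f),
    }


def is_bypassed(host):
    return any(host == d or host.endswith("." + d) for d in SSL_BYPASS_DOMAINS)


def classify(rec):
    """Name the condition an access log record shows."""
    if rec["scheme"] != "ssl":
        return "not-ssl"
    if rec["filter_result"] == "policy_denied" and rec["intercepted"]:
        # The deny forced an intercept, so the client saw a ProxySG certificate.
        if is_bypassed(rec["host"]):
            return "denied-intercept-on-bypassed-domain"
        return "denied-intercept"
    if rec["cache_status"] == "TUNNELED" and rec["filter_result"] == "-":
        return "tunneled"
    return "other"


# The two access log lines quoted in the article (before and after the fix).
BEFORE = '2023-02-01 16:14:41 "DP2-GIEDU1_proxysg2" 11 172.30.230.46 - - - - policy_denied PROXIED "Software Downloads" - 0 TCP_ERR_MISS unknown - ssl busruploads.s3.amazonaws.com 443 / - - - 192.168.2.85 0 0 - - - - - - - - 445726 "THW-WSS-FW" firewall_vpn "-" "-" 31.25.2.107 "United States" - none - - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 *.s3.amazonaws.com "Cloud Infrastructure" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "United States" - "Invalid" 3 3 - - - - - - - - - - SSL_Intercept_1 - - - - 2001:0DB8:2efb:8a0f:03a3:005c:73f3:d902 c3f6efab049a0797-000000001abd729f-0000000063da8ff1 - - "Invalid" "Invalid" - - -'
AFTER = '2023-02-01 16:39:51 "P2-GIEDU1_proxysg2" 840 172.30.230.46 - - - - - OBSERVED "Software Downloads" - 0 TUNNELED unknown - ssl busruploads.s3.amazonaws.com 443 / - - - 192.168.6.86 20839 1005 - - - - - - - - 445722 "KWS-WSS-FW" firewall_vpn "-" "-" 31.25.11.15 "United States" CERT_VALID none - - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 *.s3.amazonaws.com "Cloud Infrastructure" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 3.5.11.15 "United States" - "Invalid" 3 3 - - - - - - - - - - - - - - - 2001:0DB8:3dd6:626a:3f87:c476:73f3:d902 0187e0fff3f4ecfc-000000001a6fe202-0000000063da95d6 148.64.27.221 148.64.27.221 "GB" "United Kingdom" - - -'

if __name__ == "__main__":
    for line in (BEFORE, AFTER):
        rec = parse_line(line)
        print(rec["host"], rec["cache_status"], classify(rec))
```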

Additional Information

In the policy trace, no matching rule was found because of the 'Content and Limits' condition, so the request fell back to the default rule, which blocks access.

        <[email protected] BC_Appropriate_Use> [layer 45] [tenant:147]
  miss:     variable.BC_AU_Request_Decision=!ALLOWED_DEFAULT
          [Rule]
   n/a:     condition=BC_CF_Rule_794545_contentAndLimits_FileTypeList
  miss:     url.domain=//haito133.com/download/
  miss:     condition=BC_CF_Rule_354496_destination_UrlList