

mobiusnz

454 posts

Ultimate Geek


#317843 20-Nov-2024 17:06

I have a client on One NZ making (or attempting to) an SSTP VPN connection to work. Everyone else in the firm can connect fine (currently 12 people connected).

 

When he attempts to connect he gets the error "The token supplied to the function is invalid"

I then went to the https://company.nz URL (example URL not the real one) and it gives an ERR_SSL_PROTOCOL_ERROR - If we click reload/refresh a few times it'll often get there and the certificate is then fine - Still can't connect to the VPN.

It gets stranger - I set up an SSTP connection to another site (My office) and it connected fine. I left the use default gateway on remote network on and then when connected to my VPN he can then make an SSTP VPN connection to his office via my VPN.

I suggested rebooting his internet router which he did when he got back (I was working remotely on his PC) and now he can't connect to his company VPN AND he gets the same error connecting to mine now??

I also got an SSL Protocol error connecting to speedtest.net so it's like something a little weird is going on with his connection.

The other strange thing is that initially his IP was one that an IP Lookup reported was a Voyager address on the 114.X.X.X subnet. I spoke to him and he said he's on One NZ and after a router reboot he's now getting 47.72.X.X which is Vodafone.

He has a TPLink Deco setup (from One NZ) that is connected to the Vodafone router at present rather than being the router but he connected directly to the Vodafone router's wifi and the issue was the same so it's not the Deco setup upsetting things.

I'm scratching my head big time on this as it makes VERY little sense at all.

Anyone know of anything odd going on with the OneNZ network at present??





Matt Beechey Mobius Network Solutions


liquidcore
187 posts

Master Geek

ID Verified

  #3311080 20-Nov-2024 18:04

Really dumb question and could be way off here, but is the system time correct on the PC?



mobiusnz

454 posts

Ultimate Geek


  #3311094 20-Nov-2024 18:30

liquidcore: Really dumb question and could be way off here, but is the system time correct on the PC?

Not dumb at all but I checked the time and timezone right away. Had a PC that wouldn't join Azure AD for a 365 account recently that had the right time but the timezone was out an hour recently. Took me far too long to find but weirdly all other secure websites etc were free of symptoms.





Matt Beechey Mobius Network Solutions


freitasm
BDFL - Memuneh
79158 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3311152 20-Nov-2024 19:22

Have you tested with a different computer? Or a phone?




Please support Geekzone by subscribing, or using one of our referral links: Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSyncBackblaze backup




yitz
2055 posts

Uber Geek


  #3311156 20-Nov-2024 19:40
Send private message

Could it be just bouncing between two Wi-Fi connections depending on signal strength?


mobiusnz

454 posts

Ultimate Geek


  #3311165 20-Nov-2024 20:30

freitasm: Have you tested with a different computer? Or a phone?

 

I haven't but the computer was working a few days ago and it's a pretty clean build. If I was onsite with him I'd have tested on my hotspot. I'm going to see if it comes right as my experience is that Vodafone have odd network quirks from time to time or I'll get him to take a laptop home to try that I know is working, otherwise I'll have to get off my chuff and go for a drive.





Matt Beechey Mobius Network Solutions


mobiusnz

454 posts

Ultimate Geek


  #3311167 20-Nov-2024 20:31

yitz: Could it be just bouncing between two Wi-Fi connections depending on signal strength?

It was staying on one wifi consistently.





Matt Beechey Mobius Network Solutions


freitasm
BDFL - Memuneh
79158 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3311168 20-Nov-2024 20:32

Test with a different computer and network.




mobiusnz

454 posts

Ultimate Geek


  #3311249 21-Nov-2024 08:56

freitasm: Test with a different computer and network.


If it hasn't come right on its own overnight that'll be next - The fact it could SSTP to one location but not to another and then after the next router reboot it couldn't SSTP to either was a little odd and to me leans my thinking toward Network issues but it could be something in the PC's certificate handling.





Matt Beechey Mobius Network Solutions


michaelmurfy
meow
13218 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3311253 21-Nov-2024 09:00

mobiusnz: The other strange thing is that initially his IP was one that an IP Lookup reported was a Voyager address on the 114.X.X.X subnet. I spoke to him and he said he's on One NZ and after a router reboot he's now getting 47.72.X.X which is Vodafone.

 

Check the A record (dig a example.com) to confirm there isn't more than 1 A record on the domain.

 

But also, Antivirus? I know some security products mess with the connection and it could be something at play here (AV software doing a MITM).





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
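
The two checks suggested in the post above (more than one A record, and something on the path intercepting TLS), as an added example that is not part of the thread: it resolves every A record, handshakes with each address several times, and reports intermittent failures and differing certificates. The function names, the sample data and the `vpn.example.com` hostname are assumptions made for illustration.

```python
import hashlib, socket, ssl, sys
from collections import defaultdict

def resolve_a(host, port=443):
    """IPv4 addresses (A records) the local resolver returns for host."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, host, port=443, timeout=5.0):
    """One verified TLS handshake to ip with host as SNI -> (ip, cert sha256, error)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return ip, hashlib.sha256(der).hexdigest(), None
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return ip, None, f"{type(exc).__name__}: {exc}"

def summarise(results):
    """Reduce a list of probe() tuples to human-readable findings."""
    by_ip = defaultdict(list)
    for ip, fingerprint, error in results:
        by_ip[ip].append((fingerprint, error))
    findings = []
    if len(by_ip) > 1:
        findings.append(f"multiple A records: {', '.join(sorted(by_ip))}")
    for ip, rows in sorted(by_ip.items()):
        failed = sum(1 for _, error in rows if error)
        if failed == len(rows):
            findings.append(f"{ip}: handshake always fails")
        elif failed:
            findings.append(f"{ip}: intermittent failure {failed}/{len(rows)}")
    prints = {fp for rows in by_ip.values() for fp, _ in rows if fp}
    if len(prints) > 1:
        findings.append(f"{len(prints)} different certificates served")
    return findings

# Constructed sample (documentation addresses, made-up fingerprints).
SAMPLE = [("192.0.2.10", "aa" * 32, None),
          ("192.0.2.10", None, "SSLError: constructed failure"),
          ("192.0.2.10", "aa" * 32, None),
          ("192.0.2.20", "bb" * 32, None)]

if __name__ == "__main__":  # live run: python3 tlsprobe.py vpn.example.com
    host = sys.argv[1] if len(sys.argv) > 1 else None
    rows = SAMPLE if host is None else [
        probe(ip, host) for ip in resolve_a(host) for _ in range(5)]
    print("\n".join(summarise(rows)) or "no anomalies")
```

Run it once on the failing connection and once on a working one (such as the phone hotspot) and compare the fingerprints: an intercepting product whose root is trusted locally passes verification, so only the differing certificate hash gives it away.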


r0bbie
242 posts

Master Geek


  #3311255 21-Nov-2024 09:03

mobiusnz:

I have a client on One NZ making (or attempting to) an SSTP VPN connection to work. Everyone else in the firm can connect fine (currently 12 people connected).

When he attempts to connect he gets the error "The token supplied to the function is invalid"

I then went to the https://company.nz URL (example URL not the real one) and it gives an ERR_SSL_PROTOCOL_ERROR - If we click reload/refresh a few times it'll often get there and the certificate is then fine - Still can't connect to the VPN.

It gets stranger - I set up an SSTP connection to another site (My office) and it connected fine. I left the use default gateway on remote network on and then when connected to my VPN he can then make an SSTP VPN connection to his office via my VPN.

I suggested rebooting his internet router which he did when he got back (I was working remotely on his PC) and now he can't connect to his company VPN AND he gets the same error connecting to mine now??

I also got an SSL Protocol error connecting to speedtest.net so it's like something a little weird is going on with his connection.

The other strange thing is that initially his IP was one that an IP Lookup reported was a Voyager address on the 114.X.X.X subnet. I spoke to him and he said he's on One NZ and after a router reboot he's now getting 47.72.X.X which is Vodafone.

He has a TPLink Deco setup (from One NZ) that is connected to the Vodafone router at present rather than being the router but he connected directly to the Vodafone router's wifi and the issue was the same so it's not the Deco setup upsetting things.

I'm scratching my head big time on this as it makes VERY little sense at all.

Anyone know of anything odd going on with the OneNZ network at present??

 

 

Chrome has changed some encryption, is the firewall doing deep SSL inspection?

This article is for FortiGate but it talks about the ML-KEM post-quantum TLS key exchange that has changed

https://community.fortinet.com/t5/FortiGate/Technical-Tip-ERR-SSL-PROTOCOL-ERROR-when-using-Flow-based-Deep/ta-p/357555


mobiusnz

454 posts

Ultimate Geek


  #3311258 21-Nov-2024 09:07

michaelmurfy:

 

mobiusnz: The other strange thing is that initially his IP was one that an IP Lookup reported was a Voyager address on the 114.X.X.X subnet. I spoke to him and he said he's on One NZ and after a router reboot he's now getting 47.72.X.X which is Vodafone.

 

Check the A record (dig a example.com) to confirm there isn't more than 1 A record on the domain.

 

But also, Antivirus? I know some security products mess with the connection and it could be something at play here (AV software doing a MITM).

 

 

Only Windows Defender and I maintain the DNS records (I just checked to be sure I hadn't ballsed something up with other changes) - I did wonder if it was the new Fortinet at the work end which will be replacing the Microsoft SSTP if that might have been doing something funny but then it stopped working to my Server too. It's a very weird issue. Over the years I've had a client who couldn't access one supplier pricing site via Vodafone but could VPN to my network and access it fine - It was something to do with their caching would present the same data every visit. I've had a customer who got a smart interactive Treadmill years back that couldn't watch any of the online programs from her treadmill on their work Vodafone connection - Ditched their Static IP and it started working. I've seen a few odd "faults" over the years with Vodafone that I'm leaning that way again now too so next step is trying it on a hotspot but that changes Wifi, Router AND provider all at once so it's not the be all and end all.





Matt Beechey Mobius Network Solutions


mobiusnz

454 posts

Ultimate Geek


  #3311259 21-Nov-2024 09:09

r0bbie:

Chrome has changed some encryption, is the firewall doing deep SSL inspection?

This article is for FortiGate but it talks about the ML-KEM post-quantum TLS key exchange that has changed

https://community.fortinet.com/t5/FortiGate/Technical-Tip-ERR-SSL-PROTOCOL-ERROR-when-using-Flow-based-Deep/ta-p/357555

Interesting - He only has the default issue Vodafone router and the Deco gear - There is a FortiGate just installed at the work end but as above - It stopped working doing SSTP to my network and I don't have a FortiGate.
Unless it's Vodafone doing something funny on their network in between? Time will tell.





Matt Beechey Mobius Network Solutions


mobiusnz

454 posts

Ultimate Geek


  #3311527 21-Nov-2024 18:10

Well - He was back attempting to work from home again today.

 

He cannot connect to the Work SSTP server at all but can connect to mine again and then his work via mine - Both SSTP on Microsoft Server RRAS.

 

I talked him through connecting to his phone's hotspot (iPhone) and then he can connect to the work SSTP VPN first time every time.

To me that leaves Vodafone network issue - The work connection is a One NZ Static IP too (I'm not) or Router issue. It's a stock standard Vodafone Hub - Still got the default config, default WIFI passwords and login details so it hasn't been tampered with - Pretty specific issue to be a router fault. As I see it that only leaves a Vodafone issue?





Matt Beechey Mobius Network Solutions


mobiusnz

454 posts

Ultimate Geek


  #3337021 29-Jan-2025 16:43

The plot thickens. I spoke to the person involved and he said last time he tried (he doesn't WFH often) it worked.

I asked this because today I had it with another user. I was at the user's home to tweak their router's LAN subnet as it was the same as the office - It worked for her needs but she couldn't print to the home printer while connected to the VPN.

I changed the subnet in the router to 192.168.10.X and restarted the router and suddenly she was getting exactly the same error. The same thing that if she connected to my SSTP VPN and then connected to work over that it was fine but couldn't connect directly.

If you entered https://mail.company.nz into a browser it would give an SSL error - If you then went via the two hop VPN and then disconnected doing the https://mail.company.nz worked with the expected result of a connection but a 404 error but you could confirm the SSL Certificate for the SSTP server was good.

The only other commonality was they both have Netgear Orbi devices - The client I was with today has always had it - They actually have the Orbi doing the connection to the ISP on fibre and then a TPLink Link AX6000 router sitting behind it doing the wifi - Why an Orbi isn't doing the wifi you need so you add a TPLink I don't know. I tried to take the Orbi out but at first glance the TPLink didn't offer VLAN on the WAN connection. I am going to check this and see if there is a workaround but I know in the past some TPLink devices haven't done it.

So A) I'm picking at some point this will also start working again. B) I have no idea what's stopping it?? They have a Fortinet at the office that is currently redirecting SSL to the SSTP server, later this will take over VPN responsibility once 2FA is implemented. I couldn't find anything to indicate the Fortinet had seen something suspicious and blocked the IP which might mean when the client gets a new Dynamic IP from the provider it starts working again??

 

I've asked User one to go home tonight and try it just to confirm he's now back to running normally. In the interim user 2 is making 2 VPN connections to get into work.





Matt Beechey Mobius Network Solutions


DjShadow
4074 posts

Uber Geek

ID Verified
Trusted

  #3337045 29-Jan-2025 18:00

Is there any issue with the SSL Cert itself? I do remember troubleshooting an issue with FortiClient last year where it was throwing an error with some websites and discovered if there was anything wrong with the cert (even just being expired) it would throw its toys

