This article describes a limitation users may hit when browsing SSL/TLS based websites through the SASE client. It applies to the Linux, Windows, and macOS SASE clients.
Problem Description:
Users may find that no SSL based website loads while connected through the SASE client. A client-side PCAP shows TCP retransmissions, or no response from the server, after the TLS Client Hello. The Client Hello is usually the first packet in the flow large enough to exceed the path MTU, which is why the TCP handshake completes and only the TLS exchange stalls.
This problem has been seen on the following transports:
1. Airtel, Vodafone, or Jio 5G mobile hotspot
2. Airtel or Jio AirFiber
When the user uses a 4G transport for the WiFi hotspot, all SSL websites work as expected.
When the user uses a 5G transport for the WiFi hotspot, SSL based websites do not work.
Work Around:
Use the following workaround to restore SSL connectivity, so that SSL based websites load from the SASE client over a 5G mobile hotspot: lower the MTU of the interface carrying the hotspot traffic. You may have to find the correct MTU for your path by pinging the SASE Gateway IP address with the DF (don't fragment) bit set and increasing the payload size until replies stop.
Linux:
sudo ip link set dev <interface_name> mtu 1374
macOS:
sudo ifconfig <interface_name> mtu 1374
Windows (elevated command prompt):
netsh interface ipv4 show subinterfaces
netsh interface ipv4 set subinterface "interface-name" mtu=1374 store=persistent
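The MTU probing step above can be automated. The following script is an added example, not part of the original article or the SASE client: it binary-searches the largest DF-bit ping payload that is answered and converts it to an interface MTU (payload plus 8 bytes ICMP header plus 20 bytes IPv4 header, so a 1374-byte MTU corresponds to a 1346-byte ping payload). The gateway address is a placeholder, the real probe uses the Linux iputils `ping -M do` form (macOS uses `ping -D`), and the simulated path is constructed so the search can be checked offline.

```python
"""Discover the largest IPv4 MTU that crosses a path without fragmentation.

Added example (not part of the original article). The search is written
against a probe callable so it can run offline against a simulated path;
the default probe shells out to Linux `ping -M do -s <payload>`.
"""
import shutil
import subprocess
from typing import Callable

ICMP_HEADER = 8
IPV4_HEADER = 20
OVERHEAD = ICMP_HEADER + IPV4_HEADER  # 28 bytes on top of the ICMP payload

GATEWAY = "192.0.2.1"  # placeholder: replace with the SASE Gateway IP address


def ping_probe(payload: int, host: str = GATEWAY, timeout_s: int = 2) -> bool:
    """Return True if one DF-bit ping with `payload` bytes is answered.

    Linux iputils form: -M do sets DF (no local fragmentation), -s sets the
    ICMP payload size. A 'message too long' or timeout yields a non-zero
    exit status, which we treat as 'does not fit'.
    """
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found on PATH")
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest MTU in [lo, hi] whose DF ping gets a reply.

    `probe(payload)` returns True when an ICMP payload of that size passes
    unfragmented. Raises if even the minimum MTU `lo` fails, which points
    at a connectivity problem rather than an MTU problem.
    """
    if not probe(lo - OVERHEAD):
        raise RuntimeError(f"even MTU {lo} does not pass; check connectivity first")
    best = lo
    low, high = lo + 1, hi
    while low <= high:
        mid = (low + high) // 2
        if probe(mid - OVERHEAD):
            best = mid          # fits: look for something larger
            low = mid + 1
        else:
            high = mid - 1      # dropped: path MTU is below mid
    return best


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed probe for a path that drops DF packets larger than path_mtu."""
    def probe(payload: int) -> bool:
        return payload + OVERHEAD <= path_mtu
    return probe


if __name__ == "__main__":
    # Offline demonstration against a constructed 5G path limited to 1374 bytes.
    mtu = find_path_mtu(simulated_path(1374))
    print(f"largest MTU that passes without fragmentation: {mtu}")
    print(f"ICMP payload to use with ping -M do: {mtu - OVERHEAD}")
    # Against the real gateway, run: find_path_mtu(ping_probe)
```

Run it against the real gateway with `find_path_mtu(ping_probe)` from an interface still at its default MTU, then set the interface MTU to the value it returns using the platform command above.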
Solution:
A fix is available in Windows SASE client v7.8.12.
Bug 112289 - [ SSL+INFRA ] : HTTPS transit traffic to VSA GW with 5G hotspot fails.