Overview
A user may encounter an ERR_CONNECTION_TIMED_OUT error when trying to access a specific website through Kerio Control. The issue has been seen, for example, on government websites. It is isolated to Kerio Control, as the website loads correctly when accessed through a different gateway.
Log review shows that the problem is related to the 3-way TCP handshake process within Kerio Control. Disabling the 3-way handshake allows the website to load, but this is not a preferred solution, as the problem only affects this specific website and disabling the handshake could lead to security risks.
Solution
To resolve this issue, follow these steps:
- Log in to the Kerio Control Administration interface.
- Create a new service on port 443, without inspection, so make sure to select:
  - Protocol: TCP
  - Protocol inspector: None
  - Source port: Any
  - Destination port: Equal to 443
- Create a rule from anywhere to the destination addresses of the problematic website (e.g., sso.acesso.gov.br, fazenda.gov.br, gov.br), using the service that you created, and ensure that there is no inspector in the rule either.
This solution allows you to bypass the 3-way TCP handshake process for the specific website only. It avoids disabling the process globally, which could lead to security risks.
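To check the result from a client behind Kerio Control, before and after adding the rule, the following added example (not part of the original article or of Kerio's tooling) reports whether a connection to each destination stops at the TCP handshake or only later, at TLS. The `probe` function and its result labels are assumptions made for this illustration; the hostnames are the ones from the rule example above.

```python
import socket
import ssl

# Hostnames from the article's rule example.
HOSTS = ["sso.acesso.gov.br", "fazenda.gov.br", "gov.br"]


def probe(host, port=443, timeout=5.0, context=None):
    """Return the stage at which a connection to host:port stops.

    dns_failed  - the name did not resolve
    tcp_timeout - the TCP handshake did not complete within the timeout
    tcp_refused - the connection attempt was actively rejected
    tcp_error   - any other failure before the TCP handshake completed
    tls_failed  - the TCP handshake completed, the TLS handshake did not
    ok          - both the TCP and the TLS handshake completed
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns_failed"
    except socket.timeout:
        return "tcp_timeout"
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError:
        return "tcp_error"
    ctx = context or ssl.create_default_context()
    try:
        # The TLS handshake inherits the socket timeout set above.
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except (ssl.SSLError, socket.timeout, OSError):
        return "tls_failed"


if __name__ == "__main__":
    for name in HOSTS:
        print(f"{name}: {probe(name)}")
```

A `tcp_timeout` that turns into `ok` once the rule is in place confirms the rule matched; a `tls_failed` result means the TCP handshake already completes and the cause lies elsewhere.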
Summary
Creating a new service on port 443 without inspection, together with a rule from anywhere to the destination addresses that uses this service and has no inspector, resolves the ERR_CONNECTION_TIMED_OUT error when accessing a specific website through Kerio Control.
FAQ
- What is the 3-way TCP handshake process?
  The 3-way TCP handshake process is a method used in a TCP/IP network to create a connection between a local host/client and a server. It is a three-step method that requires both the client and server to exchange SYN and ACK (acknowledgement) packets before actual data communication begins.
- Why should I not disable the 3-way TCP handshake globally?
  Disabling the 3-way TCP handshake globally can lead to security risks as it is a crucial part of the TCP/IP protocol that ensures a secure connection between the client and server.
- What does 'no inspector in the rule' mean?
  'No inspector in the rule' means that the traffic passing through the rule will not be inspected by any of Kerio Control's security features, allowing it to pass through without any checks.