Overview
When the users are trying to access specific website URLs, they receive an empty response code in the browser.
The page couldn't be loaded even with IPS, HTTPS encryption and Packet inspector deactivated.
This article provides explanations on possible reasons for this issue.
Information
Debug logs with Connection tracking and HTTPS/TLS options show the following output:
[22/Dec/2020 10:06:13] {ctrack} [ID] 84943 [Rule] Internet access (NAT) [Connection] TCP 10.10.20.11:49792 -> x.x.x.x:443
[22/Dec/2020 10:06:13] {ctrack} [ 84943 ] Assigning track to host 10.10.20.11 (host address 10.10.20.11, remote address x.x.x.x)
[22/Dec/2020 10:06:13] {ctrack} [ID] 84943 excluded from inspection. HTTPS is disabled.
[22/Dec/2020 10:06:13] {tls} [84943] 10.10.20.11:49792 => x.x.x.x:443 (523 bytes)
[22/Dec/2020 10:06:13] {tls} [ 84943 ] Order correct 10.10.20.11:49792 => x.x.x.x:443 (523 bytes)
[22/Dec/2020 10:06:13] {tls} [84943] URL recognition initiated.
[22/Dec/2020 10:06:13] {tls} [84943] Expecting ClientHello. Received plaintext message: type:22, size:518, version:3.1
[22/Dec/2020 10:06:13] {tls} [84943] Received handshake message: type:1, size:514
[22/Dec/2020 10:06:13] {tls} [84943] SNI Host: website_url.com
[22/Dec/2020 10:06:13] {tls} [84943] SNI Host(s) found in Client-Hello: website_url.com
[22/Dec/2020 10:06:13] {tls} [84943] Start waiting for application data from server
[22/Dec/2020 10:06:13] {tls} [84943] Expected direction changed.
[22/Dec/2020 10:06:13] {tls} [84943] Content rules checked, 1st pass Kerio Control Web Filter categorization needed.
[22/Dec/2020 10:06:13] {ctrack} [ 84943 ] Freeze
[22/Dec/2020 10:06:13] {tls} [84943] Content rules checked, 1st pass Application detection needed.
[22/Dec/2020 10:06:13] {tls} packet (len = 575), enqueued to track 84943
[22/Dec/2020 10:06:14] {tls} packet (len = 575), enqueued to track 84943
[22/Dec/2020 10:06:14] {ctrack} [ 84943 ] Unfreeze
[22/Dec/2020 10:06:14] {ctrack} [ 84943 ] track closed (30)
An empty response can be returned because of:
- local browser cache issues
- local network settings corruption
- GeoIP block for certain countries
If the browser cache was already cleared and the network adapters' settings were reset, the connection is probably blocked by the website's GeoIP restrictions. To verify this theory, try to access a website through a VPN connection from various countries (USA, Germany, UK, etc). You can use free VPN software such as HolaVPN, TunnelBear, etc.
Important: Peer-to-peer content rule should be unchecked to allow external VPN services. Review Filter logs to see the dropped website connections.