In the last two weeks we have received many support requests because of non-functioning SSL connections from our Fortinet, Palo Alto Networks and Watchguard customers. Incoming SSL connections on port tcp/443 suddenly stop working. These can be SSLVPNs, Global Protect connections, port forwardings (VIPs, Destination NAT) for internal web servers and others.
It turns out that all these customers are using a “Swisscom Business” internet connection with a “Centro Business 2.0” router. It seems that some updates are currently being installed on these routers, and these updates also activate the integrated firewall on the router (Profile Balanced re-activated on DMZ port). These firewall rules prevent the incoming SSL requests from being forwarded to any firewall products behind it.
So if you are experiencing the same behaviour in your environment, please check the Swisscom router configuration for any activated firewall features. We would also love to hear from you in the comments section below if you are experiencing the same problem.
Important note: If you are working on your Swisscom router to fix this issue, please make sure that the IPSec feature is set up correctly on it. This feature may also cause problems in the future if it is enabled but not in use. We have documented this behaviour in this blog post.