KB40931 - Cannot establish a secure connection to the URL. Check if this connection requires 'http:' instead of 'https:'. If the problems persists, contact your system administrator. Made https request for GET / HTTP/1.1 to <host>:<port>

Printable View

« Go Back

Information

Last Modified Date	9/12/2017 4:17 AM

Synopsis

This article describes an issue where end user are unable to reach a web page through the rewrite engine with the error message of "Cannot establish a secure connection to the URL. Check if this connection requires 'http:' instead of 'https:'. If the problems persists, contact your system administrator. Made https request for GET / HTTP/1.1 to <host>:<port>".

Problem or Goal

When the end user attempts to reach a web page through the rewrite engine, the following error message will appear:

Cannot establish a secure connection to the URL. Check if this connection requires 'http:' instead of 'https:'. 
If the problems persists, contact your system administrator. Made https request for GET / HTTP/1.1 to <host>:<port>

Cause

This issue occurs due to ssl handshake failed between the Pulse Connect Secure internal port and backend resource.

Solution

To properly understand why the SSL handshake failure has occurred, please enable TCPDump on the Pulse Connect Secure device for the internal port, replicate the issue and download the raw file format.

Using wireshark, open the raw capture and filter for packets for the problematic backend resource (i.e ip.addr==1.2.3.4). From the filter packets, check for the following sequence:

Pulse Connect Secure device sends a Client Hello
Backend resource responds with a Server Hello
Backend resource sends Server Key Exchange
Pulse Connect Secure device sends Client Key Exchange
Pulse Connect Secure and backend resource send encrypted data

In most cases, the ssl handshake failure occurs due no response to the Client Hello. This issue can occur for multiple reasons, but here is a list of commonly known issues:

Protocol and/or cipher suite compatibility issues between Pulse Connect Secure and backend resource. For 8.2R2 / 8.3R1 and greater, outbound ssl options are available to allow the administrator to configure the appropriate protocols and cipher suites to meet their environment needs.
KB40489 - Support for Server Name Indication (SNI) on Pulse Connect Secure device

Related Articles

KB40931 - Cannot establish a secure connection to the URL. Check if this connection requires 'http:' instead of 'https:'. If the problems persists, contact your system administrator. Made https request for GET / HTTP/1.1 to <host>:<port>

Information

Feedback

Was this article helpful?