What to expect to see in a capture file when the Windows firewall is ON?

asked 2022-05-17 12:10:44 +0000

ajaznawaz

updated 2022-05-17 12:13:55 +0000

I am observing SYN, SYN-ACK, ACK, and the FIN-ACK. At the bottom of the trace is a FIN-ACK retransmission.

I'm not a Windows guy, but having checked, it seems to be switched ON.

Two-way communication seems open, given that the source and destination IPs appear in the cap file. I also see a single TLSv1 "Client Hello" containing 517 bytes, but nothing comes back for that.

I am suspecting that the Windows firewall is allowing the handshake at Layer 4, but blocks anything above that (in OSI terms)...

Any comments would be appreciated.

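One way to triage this pattern across a whole capture, as an added example that is not from the question or the comments: it assumes the segments have already been summarised into the constructed `Pkt` records below (for instance exported from Wireshark), and it is a defender's heuristic for spotting connections that stall right after the ClientHello, not a statement about what any particular firewall does.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Pkt:
    """One TCP segment as a capture tool would summarise it (constructed, not a real pcap)."""
    src: str                   # sender as "ip:port"
    dst: str                   # receiver as "ip:port"
    flags: str                 # TCP flags: "S", "SA", "A", "PA", "FA", ...
    tls: Optional[str] = None  # TLS handshake message carried, if any

def classify_flows(packets: List[Pkt]) -> Dict[Tuple[str, str], dict]:
    """Group segments into connections and report how far each one got.

    Verdicts: handshake_incomplete, no_tls_seen, tls_ok, client_hello_unanswered.
    The last one is the pattern in the question: the 3-way handshake completes, the
    client sends a ClientHello, nothing comes back, and the client tears down."""
    flows: Dict[Tuple[str, str], List[Pkt]] = defaultdict(list)
    for p in packets:
        flows[tuple(sorted((p.src, p.dst)))].append(p)   # direction-agnostic key
    result = {}
    for key, pkts in flows.items():
        syn = next((p for p in pkts if p.flags == "S"), None)
        if syn is None or not any(p.flags == "SA" for p in pkts) \
                or not any(p.flags == "A" for p in pkts):
            result[key] = {"verdict": "handshake_incomplete", "fin_retransmitted": False}
            continue
        client, server = syn.src, syn.dst           # the SYN sender is the client
        hello_sent = any(p.src == client and p.tls == "ClientHello" for p in pkts)
        hello_answered = any(p.src == server and p.tls == "ServerHello" for p in pkts)
        client_fins = sum(1 for p in pkts if p.src == client and "F" in p.flags)
        if hello_answered:
            verdict = "tls_ok"
        elif hello_sent:
            verdict = "client_hello_unanswered"
        else:
            verdict = "no_tls_seen"
        result[key] = {"verdict": verdict, "fin_retransmitted": client_fins > 1}
    return result

# Constructed sample: flow A reproduces the trace in the question, flow B is healthy.
C, C2, S = "10.0.0.5:51000", "10.0.0.5:51001", "203.0.113.10:443"
SAMPLE = [
    Pkt(C, S, "S"), Pkt(S, C, "SA"), Pkt(C, S, "A"),
    Pkt(C, S, "PA", "ClientHello"),       # the 517-byte hello, never answered
    Pkt(C, S, "FA"), Pkt(C, S, "FA"),     # FIN-ACK and its retransmission
    Pkt(C2, S, "S"), Pkt(S, C2, "SA"), Pkt(C2, S, "A"),
    Pkt(C2, S, "PA", "ClientHello"), Pkt(S, C2, "PA", "ServerHello"),
]

if __name__ == "__main__":
    for flow, info in classify_flows(SAMPLE).items():
        print(flow, info)
```

In Wireshark itself the same check starts from the display filter `tls.handshake.type == 1` and following each matching stream to see whether a ServerHello (`tls.handshake.type == 2`) ever arrives.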

Comments

As far as I know, the Windows Firewall operates only on L3 and L4, and can also allow/deny connections for single processes at the OS level. But it is not able to block connections at higher levels.

My guess is that another firewall in the infrastructure is blocking the connection, or maybe the server doesn't like the suggested ciphers and does not respond to the client hello.

Can you provide the capture or at least the TLS handshake packet data?

JasMan ( 2022-05-21 12:49:12 +0000 )