Intermittent connection issues loading/changing site- secure connection failed/site can't be reached

EDIflyer · ‎22-10-2023

Is anyone else occasionally getting a 'connection down' error from Chrome (or 'Secure Connection Failed' from Firefox) when changing page - if I hit refresh it works fine. At first I wondered if it was the site I was using but have noticed it on multiple different major websites over the past couple of months and not noticed it from other locations where I don't use Three Broadband so does seem to be related to the router/connection (this is via wired Ethernet too, so not a WiFi problem). I've tried changing DNS server in case that helps but no difference.

It mainly seems to happen when trying to first load a site or (annoyingly) at checkout when a different site is being loaded as part of the checkout process. It certainly doesn't happen everytime but does happen with reasonable frequency. I've also noticed I often get it when trying to pull/push from/to Github too and have to do so a number of times for it to work (browsing the Github website works fine).

I'm using a NR5103E with Firmware Version V1.00(ACBJ.0)b14 - I tried rebooting it but to no effect.

lordmerchant1 · 6 hours ago

FIXED: Docker EOF Errors (Caused by ISP DNS Interference)

Hey all, I've been sick as a chip with this issue for months — pulling Docker images would constantly throw "unexpected EOF" or "context cancelled". I was ready to install a Virgin line on the 24th. BUT... today I gave it one last go with some AI help, and this fix looks solid so far (1+ hour of clean pulling — more than I’ve ever managed).

What’s Causing It?
Since late 2023, many of us on this ISP have experienced image pulls randomly crashing. Turns out, it’s DNS hijacking or TLS interference by the ISP. This messes with Docker registry traffic — especially for large, multi-layer images — and causes them to fail.

The Fix in Short:
- Run Unbound on your Pi/home server — your own recursive DNS resolver
- Point Pi-hole (or Docker or system-wide) at it
- All DNS now avoids Google, Cloudflare, AND your ISP
- Result? No more EOFs, secure DNS, faster pulls

What You Need:
- Raspberry Pi (or any Linux box)
- Docker (Portainer optional)
- Pi-hole (optional but helpful)
- Around 15 mins of setup

Setup Steps:

1. Create the config folder:
sudo mkdir -p /portainer/files/appdata/config/unbound
cd /portainer/files/appdata/config/unbound

2. Download root DNS hints:
sudo nano root.hints
Paste the contents from https://www.internic.net/domain/named.root

3. Create unbound.conf:
sudo nano unbound.conf
Paste the following:

server:
verbosity: 1
interface: 0.0.0.0
port: 53
do-ip4: yes
do-udp: yes
do-tcp: yes
access-control: 0.0.0.0/0 allow
root-hints: "/opt/unbound/etc/unbound/root.hints"
edns-buffer-size: 1232
prefetch: yes
cache-min-ttl: 3600
cache-max-ttl: 86400

forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1

4. Set file permissions:
sudo chown -R 1000:1000 /portainer/files/appdata/config/unbound
sudo chmod -R 755 /portainer/files/appdata/config/unbound

5. Deploy Unbound in Docker:

version: "3.8"
services:
unbound:
image: mvance/unbound-rpi:latest
container_name: unbound
restart: unless-stopped
ports:
- "5335:53/udp"
- "5335:53/tcp"
volumes:
- /portainer/files/appdata/config/unbound:/opt/unbound/etc/unbound

6. Point Pi-hole to it:
Go to Pi-hole > Settings > DNS
Enter 127.0.0.1#5335
Uncheck all other upstreams (Cloudflare, Google, etc.)
Save and restart DNS

Test That It Works:
Run this:
dig +short example.com @127.0.0.1 -p 5335
If you get a valid IP back — it’s working

Optional Docker Pull Test Script:

Create a file called docker-pull-test.sh with this content:

#!/bin/bash
IMAGES=(
linuxserver/nextcloud
portainer/portainer-ce
qmcgaw/gluetun
postgres:15
mongo:7
nginx
node:18
wordpress
redis:alpine
homeassistant/home-assistant
)

for IMAGE in "${IMAGES[@]}"; do
echo "Pulling $IMAGE..."
docker pull $IMAGE
done

echo "Cleaning up..."
for IMAGE in "${IMAGES[@]}"; do
docker rmi -f $IMAGE
done

Make it executable:
chmod +x docker-pull-test.sh
Run it:
./docker-pull-test.sh

Conclusion:
No VPN split-tunneling needed. No Gluetun wrappers. Just clean, recursive DNS.
If this helps anyone else, I’ll be buzzing — let me know and I’ll share full root hints or docker-compose templates.

Will update after 24–48hrs of use, but so far? Rock solid.

Happy pulling,
Rob

EDIflyer · Wednesday

OP here - have just come on to say goodbye and good luck! Unfortunately 18 months after first raising this issue it was still happening for me. A VPN helped but was a pain for smart TVs, etc. and I just wanted a decent reliable connection. Fibre to the premises became available in my area so I've now left Three and moved to a new 1Gbps symmetric service. It's certainly a blessed relief to not have to worry about these SSL errors anymore! My early termination charges were wiped and I also raised a formal complaint with the Executive Office last year who have looked after things appropriately - for anyone still experiencing issues I would certainly recommend formally logging things and not just rely on posting here. I'll remain subscribed to the thread out of interest and hope it does get resolved!

Nameless · Sunday

Life gets busy...

To no surprise, the PR_END_OF_FILE_ERROR still exists...

Maybe Three is trying really hard to maintain this issue? I have not seen any significant changes...

x-c311 · Monday

Still no fix for me, I've seen it on my phone as well connected to 5G on the same mast, so its not just a broadband thing

Nameless · 3 weeks ago

I just did a quick test

To no surprise, the PR_END_OF_FILE_ERROR still exists...

How are things for you all?

torz77 · 3 weeks ago

No change, no update, no sign of any work being done to remedy the situation. Surprised? No.

bytespider · 3 weeks ago

Yeah it's been really bad for me this morning!

GE3 · a month ago

New customer here. Hitting the same problems. At first I thought it was down to using an old version of Firefox, the ESR release, whereas another computer using the latest release didn't seem to hit it. But then I found it happened everywhere. I have the Three ZTE MC888A Hub.

I have a fairly easy way to recreate the problem so was hoping to add value to this thread. But I'm basically doing what @torz77 was doing back in September (Dates confused me, Why the American format?!) And I suspect @_duncan_ is even closer with the openssl command.

Had a very frustrating chat with support today, who are obviously useless but also seem unwilling to escalate an issue. I asked if there was a ticket system they can send me a link to so I could add the scripts I've written but they said no. So for a joined up conversation this forum seems to be as good as it gets.

I'm likely repeating a lot of this thread, but it's good to have a full problem summary so here I go....

Frequent errors in Firefox for PR_END_OF_FILE_ERROR. Chrome affected too with a slightly different error. Affects some sites, but not all. Biggest site I've seen fail is Wikipedia, so I usually test with that. I simplified it to a curl command, which works on Window, Mac and Linux.

curl -sv https://www.wikipedia.org

It fails about 1 time in 4. Example errors are in pastebin for Windows, Mac and Linux. They show problems during TLS handshake. My initial searching suggested this is caused by a misconfigured Proxy. I don't have one, but I bet Three has many.

To make it easy to recreate the error I made scripts that run curl 100 times and print out stats of how many failures there were. Windows batch script here. Mac/Linux Bash script here. Run the script with a URL as the argument, eg

testUrl.sh https://www.wikipedia.org

Tests I have done with these scripts....

Being connected to the hub over wifi has failures.
Being connected to the hub over a cable has failures.
Using my landline ISP, NowTV (really Sky Broadband) never fails.
Tethering to my mobile phone and using Lebara (MVNO on Vodafone) never fails.
Taking the Three SIM out of the Hub and putting it in my mobile phone and tethering as above has failures.
Windows, Mac OS and Linux all show failures failures connected to Three and no failures on NowTV and Lebara.
Tunnelling through Tor shows no failures (this was my simple VPN test, run the Tor Browser and then add curl argument "--socks5-hostname localhost:9150")
HTTP sites always work - no surprise, the problem is TLS handshake and TLS isn't used in HTTP.

I think the above tests prove there's a problem with Three, and it's not a problem with the Hub. There's something in Three's network, perhaps something that handles 1/4 or 1/5 of the traffic in a particular direction that is misconfigured.

What's so horrifying is this thread is 15 months old, others have given the commands to recreate the problem and @JonathanB says

we haven't been able to reproduce the issue on our side

Well have my scripts. If you can't recreate from that, there's no hope of ever solving it.

Three has proven to me that mobile broadband is viable as home broadband. Much faster than my landline and the 5G is stable. But Three can't manage its network properly. I'm still in my 30 return period, so I need to decide soon if buying a VPN to put over the top of this, or jumping to a more expensive provider, or a cheaper SIM-only deal and adding the expense of buying my own hub.

GE3 · 3 weeks ago

Update: I jumped ship, cancelled with Three and moved to a non-Three MVNO SIM only deal that's cheaper and a one month contract so it's easy to switch if they develop problems. Buying a router will push the total cost higher than Three, but I'd rather pay more for a good service than pay less for something with basic issues.

I specifically mentioned this thread in the web chat when I cancelled my contract. Best of luck to everyone suffering the network problems here. Keep the pressure on and maybe the mountain will move.