We recently had customers pointing toward the fact, that when implemented into a Nebula Site, using an NSG with the Nebula Security Services (NSS), Amazon Alexa /Echo / Dot Gen4 devices do not properly work. Symptoms reported are that the initial configuration does not work as well as there are random disconnections of the device to the Amazon Server.
So far, our investigation has shown that it seems that the Amazon devices partially use older versions of encryption, such as SSLv3, compared to newer standards such als TLSv1.2 and TLSv1.3
In our latest addition to Nebula, the USG FLEX Series , the solution to this issue is quite easy: simply navigate to the Content Filter menu and set the unit up to deactivate any SSLv3 attempts - this should force the Amazon end-devices to use newer encryption technologies and has proven to work well.
Nebula Control Center > USG FLEX > Configure > Security Service
On the NSG series however, this feature is hidden under the CLI, unfortunately the web interface does not present a button to you as the USG FLEX menu does. In order to still get this to work on your NSG, connect yourself via SSH from the LAN side of the NSG and type in the following code:
Entering this code should make your Nebula Security Gateway (NSG) fully function in conjunction with Amazon Alexa/Dot/echo devices and their respective backend servers.