ASA firepower SSL decryption rule behavior not as expected

tato386 — Fri, 21 Jan 2022 22:58:56 GMT

I have several servers that use the same wildcard cert so I created a network group object that includes all these servers. In the SSL policy I reference the group object in a "decrypt - known key" rule. This worked pretty well until one of the servers was upgraded to Java 16. ASA firepower decryption does not seem to work on Java 16 and SSL connections to this server broke. So I thought I would just pull that host from the group until the Java 16 issue was resolved but the decryption rule kept breaking the traffic to the Java 16 server. The I added a rule specifically for this server with "do not decrypt" and it still breaks traffic. I ended up having to remove the SSL policy from the ACP. So why is the firepower still messing with this flow if the destination does not match any rule and/or the matching rule is a "do not decrypt' rule? Please see attachments for SSL policy and events associated with the issue

Re: ASA firepower SSL decryption rule behavior not as expected

tato386 — Tue, 25 Jan 2022 13:40:35 GMT

Update: even when using a pre-filter fastpath rule for the Java16 host the SSL traffic to this machine breaks. Looks like I will have to open a TAC case.

topic Re: ASA firepower SSL decryption rule behavior not as expected in Network Security

ASA firepower SSL decryption rule behavior not as expected

Re: ASA firepower SSL decryption rule behavior not as expected