topic Re: TLS Server Identity Discovery Causing Possible Issues in Network Security

TLS Server Identity Discovery Causing Possible Issues

jmeetze — Thu, 09 Feb 2023 14:07:44 GMT

We recently installed new FTD's and have the option enabled under the Advanced Settings of our ACP for "TLS Server Identity Discovery". Yesterday, we had an external user who was having issues accessing our main website. FMC logs showed allows and no drops for this users traffic to the site.

After reviewing logs of all traffic flow down to our load balancers, I found "TCP_Conn_Terminate" logs from the server. I verified that this user had no issues access two other sites which go through our FTD. The only difference in the sites was that the one that wasn't working is using TLS 1.3. To resolve the issue, I had to create a FastPath rule in our pre-filter policy. I'm still not sure why this setting would be the cause of the issue or if it could have been something else.

Has anyone else had issues with enabling this setting when your sites are using TLS 1.3 server certificates? Is there any other option other than to create a FastPath rule to bypass all inspection?

Thanks in advance.

Re: TLS Server Identity Discovery Causing Possible Issues

Divya Jain — Tue, 28 Feb 2023 17:32:12 GMT

Hi,
Can you tell what is the FTD version that you are running?
It could be compatibility issue with TLS 1.3 but we do need to check logs / captures to verify more. Can you also share screenshot or details about your current SSL policy config?
Older versions had issue with TLS1.3 but with newer version shouldnt be an issue.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards,
Divya Jain

Re: TLS Server Identity Discovery Causing Possible Issues

jmeetze — Tue, 28 Feb 2023 17:38:27 GMT

We are running version 7.2.2. We are not doing any SSL decryption on traffic. We just have the TLS Server Identity Discovery setting enabled under Advanced Options in our ACP. See screenshot below.

Thanks!

Re: TLS Server Identity Discovery Causing Possible Issues

Marvin Rhoads — Wed, 01 Mar 2023 15:33:55 GMT

I had a customer facing this same issue with 7.2.2 and using the Bomgar remote control software. TAC also advised them to use Fastpath. This was the identified bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd80741

I would not be surprised to see other applications affected.

Re: TLS Server Identity Discovery Causing Possible Issues

Jack G — Mon, 13 Mar 2023 14:12:19 GMT

Bomgar works with FTD 7.3 and TLS Server Identity Discovery enabled. Oddly, FTD 7.2.3 (recently released), Bomgar still doesn't work with TLS Server Identity Discovery enabled. The other odd thing with 7.3 though, I've had issues with remote FTD registration and need to fast path the connection to the remote FTD. I suppose it's recommended to fast path management traffic though....