topic Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized in Network Security

FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized Kybe

Jon Are Endrerud — Wed, 24 Apr 2024 13:27:31 GMT

Hello

We have a lot of clients getting the following error when contacting diffrent sites: ERR_SSL_PROTOCOL_ERROR, we have read that SonicWall and Palo Alto also have these problemes. Solution is to turn off "TLS 1.3 Hybridized Kyber Support" in chromium web browser, and/or I have tried to disable all SSL and "Early application detection and URL categorization" for 1.3 in FirePower.

We are using fw: 7.2.5, have created a TAC case and are waiting for answer.

Anybody else getting this ?

Regards

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

MHM Cisco World — Wed, 24 Apr 2024 13:42:56 GMT

Do you use any ssl encrypt policy?

MHM

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Wed, 24 Apr 2024 13:51:57 GMT

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

MHM Cisco World — Wed, 24 Apr 2024 14:00:24 GMT

In FMC

Policies > access control - access control

There is

Ssl policy

Can you confirm it not list any policy or not

MHM

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

jasitalymil — Wed, 24 Apr 2024 14:25:53 GMT

Hello,
I have same issue and I don't have ssl policy (FMC and FTD HA 7.2.5-208)

thanks
FF

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Wed, 24 Apr 2024 14:26:57 GMT

Im telling you there is no ssl policy, im trying to verify if this only are a browser problem or if there are fixes in 7.2.6.

Other firewall vendors are facing problems.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

MHM Cisco World — Wed, 24 Apr 2024 14:43:39 GMT

https://bst.cisco.com/bugsearch/bug/CSCwf00417?rfs=qvlogin

Check this bug and it workaround

MHM

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Wed, 24 Apr 2024 15:20:57 GMT

This is not it, versions dont match, not error either. The problem arose 16 april approx when browser functionality was changes. Upgrade or not to 7.2.6 is the question.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Wed, 24 Apr 2024 16:30:57 GMT

https://www.sonicwall.com/support/knowledge-base/websites-randomly-gets-blocked-or-allowed-with-no-changes-made-after-browser-upgrades-v124/240422222041287/

This is sonicwall post

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

MHM Cisco World — Wed, 24 Apr 2024 16:52:02 GMT

The traffic is https and hence ftd can not inspect inside the packet (without ssl policy).

I shate with you bug and one of workaround is use prefilter' or you can use ACP match applications https action is trust.

MHM

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

SFrahm — Thu, 25 Apr 2024 06:01:23 GMT

We are seeing the same thing on 7.2.5.1
Prefilter rules do fix it, but since it is a lot of websites not working it is really not a way to go. We have also created a TAC case on the issue. Looking around different forums many are seeing this issue, not just on firepower.
Hope to get an update soon as this is a major issue for customers.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

patoberli — Thu, 25 Apr 2024 06:48:01 GMT

Same problem seems to happen if a WSA (Secure Web Appliance) is in the path. No workaround there yet, besides disabling Kyber Support in the client browsers.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Thu, 25 Apr 2024 08:10:28 GMT

After going through diffrent blogs and sites of other verdors, I see this has been a discussion going on for months. Seeing discussions on fortinet site in nov last year. Chromium developers are blaming firewall/security vendors for the problem. I guess we are stuck in the middle. Problems started with versions Chrome 124.0.6367.61 and Edge Version 124.0.2478.51.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

MHM Cisco World — Thu, 25 Apr 2024 08:11:59 GMT

I dont have time these day, if you can wait me to next weekend and I will check again

thanks for waiting

MHM

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

swilke318 — Thu, 25 Apr 2024 19:53:06 GMT

Same issue on FMC and FTD HA 7.2.6. What a fun time figuring that one out.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Fri, 26 Apr 2024 07:25:41 GMT

Thank you for this verification. I still havent got an initial answer from TAC on this.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Fri, 26 Apr 2024 11:16:39 GMT

We have the problem when traffic is fastpath also, is this a browser problem alone or what do you think ?

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

MHM Cisco World — Fri, 26 Apr 2024 11:34:52 GMT

Fastpath of prefilter is done and you face same issue?

MHM

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Fri, 26 Apr 2024 11:36:34 GMT

Yes, some helpdesk cases just came in from IP's in the prefilter-fastpath rules.

Re: FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized

Jon Are Endrerud — Fri, 26 Apr 2024 11:43:22 GMT

Forget this post, after som tshoot, there was an error in the interface list.