topic Re: ASA has problem with SSL config in Network Security

ASA has problem with SSL config

RANT — Thu, 30 Apr 2026 21:53:50 GMT

Have FPR1010 that connects to c2960 and drops SSL when user tries to launch program. Switch shows one class-map with errors and User states getting errors. "The error SSL connect error (openssl ssl_connect: ssl_error_syscall) indicates that the TLS handshake between your client and the server failed, often due to certificate issues, protocol mismatches, or network interruptions."

Real error is:

Re: ASA has problem with SSL config

Mark Elsen — Fri, 01 May 2026 06:40:16 GMT

- @RANT What are you trying https or SSL ?

Re: ASA has problem with SSL config

Aref Alsouqi — Fri, 01 May 2026 08:30:58 GMT

Could you please share your sanitized configs and topology for review?

Re: ASA has problem with SSL config

pieterh — Sat, 02 May 2026 10:30:13 GMT

two possibilities come to my mind
1) the FPR uses SSL inspection ( man in the middle of the SSL link)
2) the FPR recognizes the used protocol (more specific than only SSL) to the "render server" but is not configured to forward this.

Re: ASA has problem with SSL config

RANT — Mon, 18 May 2026 13:45:51 GMT

The cause is called Elephant Flow, and we found that the issue is on the outside interface of the FPR1010-ASA. Packets are being dropped at a large amount. From my BR I did a trace and found ICMP and UDP drop at over 39%. But let me explain more! We are using ASA's to also route EIGRP across the network. In this scenario I have two ASA's before I connect to the core switch. So basically, I have an ASA at one location that I connect via the outside interface to another ASAs inside interface. With NO redistribution on either device. Strange I know, yet traffic flows thru both to core switch. When LARGE traffic or images transverses the connection it gives a jitter. My question is should I put a redistribution on the ASAs or configure a NAT to allow all traffic to core?

Re: ASA has problem with SSL config

Aref Alsouqi — Wed, 20 May 2026 08:27:11 GMT

I don't believe redistribution or NAT would play any role here because from what you explained the traffic is not fully dropped, some passes and some not. I believe it might be an issue with the firewalls resources that can't cope with that amount of traffic?