
Cisco FirePOWER SSL Block

chris.makely
Level 1

Currently using FirePOWER and experiencing an unexpected SSL Block for some traffic. An SSL rule has been created not to decrypt the traffic, and the URLs that are being accessed are whitelisted. The SSL flow error is Defer Cut Post CCs (0x0000197), and the SSL version is TLSv1.2. The SSL flow flags show the handshake to be complete, yet FirePOWER is still blocking the traffic. I have an access policy for the internal source to allow all traffic from any network. Any insight would be greatly appreciated. The service attempting to access my internal VMS is WISENet WAVESync.

4 Replies

Marvin Rhoads
Hall of Fame

Have you tried a packet capture with trace while filtering on the interesting traffic?

Marvin,

I have not yet; that was my next step. I'll post with that data soon. Thank you for the insight.

Isaac Smith
Level 1

Probably a long shot, but I am also seeing this. We enabled a monitor-only rule to check for TLS versions and then a default rule of do not decrypt, but still see an SSL block with that same SSL error, which I find odd: DEFER_CUT_POST_CCS

tato386
Level 6

Same exact error here. Firepower ignores the "do not decrypt" SSL rule and gets blocked by default SSL rule. Undecryptable actions are both block, so no help there.
