07-06-2017 02:36 PM - edited 03-12-2019 02:40 AM
We are experiencing a decryption issue with our two ASA 5555-X/Firepower appliances. We are receiving "ERR_SSL_PROTOCOL_ERROR" when visiting sites. Restarting the browser temporarily resolves the issue, and disabling SSL decryption permanently resolves the issue. This is happening for various browsers, and depending on the browser the displayed message is different.
We ran a Wireshark trace and discovered the following error within the trace: "TLSv1.2 alert level fatal, bad record MAC". We have tried adding sites to the Trusted Sites list and ensuring the Internet time was synced with the computer time; both were solutions found during our research, but neither worked. Any assistance in this matter would be greatly appreciated.
07-06-2017 06:59 PM
Does it occur for all SSL/TLS traffic or only for certain sites?
If the latter, it could be that they are resistant to man-in-the-middle by virtue of using certificate pinning or similar techniques. In those cases, you need to exempt the sites from your SSL policy.
If the former, it could be either an error in your FMC certificate (make sure it has a 2048-bit RSA key) or potentially a bug with Firepower.
If you aren't running the latest Firepower (6.2.0.2 as of right now), TAC will probably suggest you do so if you open a ticket on the issue.
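To make the "which alert, and in which direction" question above concrete, here is a small TLS alert decoder, added as an illustration (not Cisco or Firepower code). It parses one peer's TLS record stream, as exported from a Wireshark capture, and decodes alert records per RFC 5246. The sample byte strings are constructed for the example; the handshake record body is a stub. The point it demonstrates: an alert a peer sends before its own ChangeCipherSpec is still plaintext, which is why a server's fatal "bad record MAC" rejecting the client's Finished message is readable in a trace, and indicates that the two ends of that TLS session derived different keys, the kind of breakage a mismatched decryption/re-signing path or a pinned site produces.

```python
"""Decode TLS alert records from a one-direction byte stream to identify alerts
such as 'bad record MAC' (20) or 'decrypt_error' (51). Added example for
illustration; not Cisco or Firepower code. Sample records are constructed."""
import struct

CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 section 7.2 (subset relevant here)
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    51: "decrypt_error",
    70: "protocol_version",
}


def parse_tls_records(data):
    """Split a byte string into (content_type, version, payload) records.
    A record whose declared length runs past the buffer ends parsing: a
    truncated capture must not yield a half-read alert."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    return records


def decode_alerts(data):
    """Return decoded alerts from one peer's stream. Alerts sent before that
    peer's ChangeCipherSpec are plaintext (its write cipher is not active yet);
    alerts after it are encrypted and reported as opaque."""
    alerts = []
    cipher_active = False
    for ctype, version, payload in parse_tls_records(data):
        if ctype == CT_CHANGE_CIPHER_SPEC:
            cipher_active = True
            continue
        if ctype != CT_ALERT:
            continue
        if cipher_active or len(payload) != 2:
            alerts.append({"version": version, "encrypted": True,
                           "level": None, "description": None})
            continue
        level, desc = payload[0], payload[1]
        alerts.append({
            "version": version, "encrypted": False,
            "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
        })
    return alerts


# Constructed sample: server-side stream with a handshake record (stub body)
# followed by a plaintext fatal bad_record_mac alert, as in the thread's trace.
SAMPLE_SERVER_STREAM = (
    b"\x16\x03\x03\x00\x04" + b"\x02\x00\x00\x00"   # handshake record, stub body
    + b"\x15\x03\x03\x00\x02" + b"\x02\x14"         # alert: fatal(2), bad_record_mac(20)
)

# Constructed sample: a peer that already sent CCS, so its alert is encrypted.
SAMPLE_ENCRYPTED_ALERT_STREAM = (
    b"\x14\x03\x03\x00\x01" + b"\x01"               # ChangeCipherSpec
    + b"\x15\x03\x03\x00\x1a" + b"\x00" * 26        # opaque 26-byte alert record
)

if __name__ == "__main__":
    for alert in decode_alerts(SAMPLE_SERVER_STREAM):
        print(alert)
```

Run it against the bytes of the server's packets from a capture of a failing session: a plaintext fatal `bad_record_mac` from the server right after the client's Finished points at key mismatch on that session rather than at the browser, while a `decrypt_error` (Chrome's ERR_SSL_DECRYPT_ERROR_ALERT) points at a failed signature or Finished verification, which is where a re-signing certificate problem shows up.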
05-22-2018 11:32 PM
Same problem. FP versions 6.2.2 and 6.2.3 both have it.
Reloading the page works, but the first attempt to open the website often fails with "ERR_SSL_DECRYPT_ERROR_ALERT" in Chrome.