ASA firepower SSL decryption rule behavior not as expected

tato386
Level 6

I have several servers that use the same wildcard cert so I created a network group object that includes all these servers. In the SSL policy I reference the group object in a "decrypt - known key" rule. This worked pretty well until one of the servers was upgraded to Java 16. ASA Firepower decryption does not seem to work on Java 16 and SSL connections to this server broke. So I thought I would just pull that host from the group until the Java 16 issue was resolved, but the decryption rule kept breaking the traffic to the Java 16 server. Then I added a rule specifically for this server with "do not decrypt" and it still breaks traffic. I ended up having to remove the SSL policy from the ACP. So why is the Firepower still messing with this flow if the destination does not match any rule and/or the matching rule is a "do not decrypt" rule? Please see attachments for the SSL policy and the events associated with the issue.

1 Reply

tato386
Level 6

Update: even when using a pre-filter fastpath rule for the Java 16 host, the SSL traffic to this machine breaks. Looks like I will have to open a TAC case.
