Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1436
Views
1
Helpful
12
Replies

Can't update anything via proxy in Cisco FMC

sina.naser
Level 1
Level 1

‎05-28-2023 12:00 AM

Hi everyone

Due to oraganization's policies We Update our servers through HTTP proxy.

We have a Cisco FMC (VM, version 7.0.5) and want to system, VDB, Snort update through proxy. proxy server connection is ok. But when I hit download after few minutes I encounter this error "Peer certificate cannot be authenticated with known CA certificates" .

What should I suppose to do in this case?

I appreciate any help

Tnx in advance

0 Helpful
12 Replies 12

Rob Ingram
VIP
VIP

‎05-28-2023 01:37 AM

@sina.naser are you doing SSL decryption on the proxy? If so perhaps add an exclusion for the FMC or add the proxy root cert to the FMC as a trusted certificate.

0 Helpful

sina.naser
Level 1
Level 1
In response to Rob Ingram

‎05-28-2023 02:25 AM

Tnx for your reply. No SSL decryption. It's simple Mikrotik Proxy 

0 Helpful

sina.naser
Level 1
Level 1
In response to Rob Ingram

‎05-29-2023 03:03 AM

This is a forced task that assigned to me. Do you have any other idea?

Tnx

0 Helpful

MHM Cisco World
VIP
VIP

‎05-29-2023 03:31 AM

If you face issue with ssl inspection then why you not make this traffic bypass ssl inspection?

0 Helpful

sina.naser
Level 1
Level 1
In response to MHM Cisco World

‎05-29-2023 04:32 AM

I fastpath the traffic to the proxy via prefilter. So no SSL inspection in FTD. I saw this message a bug in previous versions. But This FMC updated to the latest suggested version

MHM Cisco World
VIP
VIP
In response to sina.naser

‎05-29-2023 04:56 AM

what is Firepower platform you have ?

0 Helpful

sina.naser
Level 1
Level 1
In response to MHM Cisco World

‎05-29-2023 05:04 AM

FPR 2110 running FTD 7.0.5

0 Helpful

MHM Cisco World
VIP
VIP
In response to sina.naser

‎05-29-2023 06:38 AM

clear conn address <<- clear the traffic in FPR and check again.

0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni

‎05-29-2023 05:12 AM

If you are using a MikroTik proxy server and encountering the "Peer certificate cannot be authenticated with known CA certificates" error while trying to update your Cisco FMC (Firepower Management Center) through the HTTP proxy, the issue is likely related to SSL certificate verification.

can you also check proxy server logs, examine the logs on your MikroTik proxy server to identify any errors or issues related to the SSL handshake or certificate verification. The logs may provide valuable information and lead to reslove the FMC issue.

please do not forget to rate.
0 Helpful

sina.naser
Level 1
Level 1
In response to Sheraz.Salim

‎05-29-2023 05:36 AM - edited ‎05-29-2023 05:44 AM

Mikrotik doesn't show any descriptive logs just show the IPs. Is there any specific configuration that I must consider in mikrotiK for this issue?

 

0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni
In response to sina.naser

‎05-29-2023 08:05 AM

Its difficult to say could you confirm if you can run the packet capture on both end and capture the data.

also please confirm if anything is change in the path for FMC. how it was upgraded (fmc) last time where the same proxy was used?

please do not forget to rate.
0 Helpful

sina.naser
Level 1
Level 1

‎06-09-2023 11:19 PM

Last week Cisco made the version 7.2.4 suggested. I have updated to this version and the problem solved!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card