Cisco ASA FTD & FMC - SSL decryption policy not working

supportgns
Level 1

Hi,

 

I'm developing a lab with ASA FTD with FirePOWER (managed by FMC) and I want to apply an SSL policy Decrypt and Resign for only Social Network URLs. I've followed all steps related to certificates, trusted CAs and internal CAs. I have a CA in my Active Directory server and I ensured this one worked as a certificate authority. 

 

However, when I access social networking sites like Facebook or Instagram, I see that the SSL certificate is not signed by my ASA FTD, but it is signed by default. When I check connection events in FMC, I noticed flags appearing as follows:

SSL Status: Do Not Decrypt (Uncached Session)

SSL Flow Error: SESSION UNKNOWN (0xb9000575)

SSL Flow Flags: VALID, INITIALIZED, UNDECRYPTABLE, PRE_DECISION_ERROR, SSL_DETECTED, REUSED_SESSION, CLIENT_SESSION_ID_SEEN, SERVER_SESSION_ID_SEEN, CLIENT_HELLO_SESSTKT, CH_PROCESSED

 

I have a default SSL action set to Do Not Decrypt. I've been trying to find out what those flags or that status mean, and I found information related to a Cisco bug, CSCvi16024; I'm not sure if my FMC release is affected by this bug, because the SSL status and flow error/flag messages are described in the Cisco Bug Search Tool, but I can access social network sites with no problem. My Firepower Management Center version is 6.2.2 and I have a 90-day trial license still working.

 

Thanks for your help.

6 Replies

Marvin Rhoads
Hall of Fame

Is the certificate you are using in your SSL decryption policy a "certificate signing certificate"? It must be for it to act as a man-in-the-middle for outbound SSL/TLS traffic.

 

https://supportforums.cisco.com/t5/firewalling/how-to-generate-a-csr-and-instal-a-certificate-on-an-ftd-device/td-p/3184467

Hi,

 

What do you mean by "certificate signing certificate"? (I'm a bit new to FTD and FMC.) For a better explanation of what I've done, these were the steps:

  1. On my AD server, I went to localhost:8443/certsrv and downloaded the CA certificate chain to install it in the server's trusted root CA store, so that AD works effectively as a CA.
  2. Download the CA certificate (in PEM format).
  3. Access FMC and upload the CA certificate (PEM) to PKI > Trusted CAs.
  4. In PKI > Internal CAs, create a new CSR and the CA.
  5. Upload the CSR to localhost:8443/certsrv on my AD server.
  6. Download the signed certificate and install it on the Internal CA I created.
  7. Create the SSL policy using the Trusted CA and apply the Decrypt - Resign action with the Internal CA created and edited previously.

I hope this answer is helpful.

Hi,
I think what Marvin is asking is what certificate template did you use when you signed the CSR? If using the Microsoft CA you need to select "Subordinate Certificate Authority" template.

HTH

Ok, got it.

 

Effectively, I used the Subordinate Certificate Authority template. I downloaded it in DER format and installed it on the CA created in PKI > Internal CAs.

@Rob Ingram,

 

That's correct - the FMC certificate used in a decryption policy for outbound SSL/TLS decryption must itself be a Subordinate CA type. That's because it effectively "impersonates" the destination website to the client by presenting a certificate "on the fly" that represents to the client that the Firepower appliance or module intercepting the traffic is that actual destination website.

 

@supportgns

 

Make sure you have followed the steps carefully in the "Decrypt-Resign" instructions in the configuration guide.

Hi, 

 

Finally, I found the issue. I had another Do Not Decrypt SSL policy rule configured, and it was placed so that it skipped my SSL Decrypt and Resign rule; I disabled that one because it was not necessary for me, and voila... decryption worked.

 

Thanks for your help.
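The root cause above is rule shadowing: FMC evaluates SSL policy rules top to bottom and applies the first match, so a broad Do Not Decrypt rule placed above the Decrypt - Resign rule means the latter never fires. The following is an added example, not FMC code or part of this thread; it models the rules as a constructed first-match list keyed on URL category only, and includes a check that flags any rule an earlier rule already covers.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})  # constructed sentinel: the rule matches every URL category

@dataclass
class SslRule:
    """One row of an SSL policy (constructed model, not the FMC API)."""
    name: str
    action: str                  # "Decrypt - Resign" or "Do Not Decrypt"
    categories: frozenset = ANY  # URL categories the rule matches

def evaluate(rules, category, default_action="Do Not Decrypt"):
    """First-match evaluation: the first rule whose categories cover the
    connection decides; otherwise the policy's default action applies."""
    for rule in rules:
        if rule.categories == ANY or category in rule.categories:
            return rule.name, rule.action
    return "default", default_action

def shadowed_rules(rules):
    """Return (rule, shadowing_rule) pairs for rules that can never fire
    because an earlier rule already matches everything they match."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.categories == ANY or later.categories <= earlier.categories:
                hidden.append((later.name, earlier.name))
                break
    return hidden

# Constructed policy reproducing the thread: a catch-all Do Not Decrypt rule
# sits above the Decrypt - Resign rule for social networking sites.
BROKEN = [
    SslRule("no-decrypt-all", "Do Not Decrypt"),
    SslRule("decrypt-social", "Decrypt - Resign", frozenset({"Social Networking"})),
]
# Corrected ordering: the specific rule first (or drop the catch-all, as the poster did).
FIXED = [
    SslRule("decrypt-social", "Decrypt - Resign", frozenset({"Social Networking"})),
    SslRule("no-decrypt-all", "Do Not Decrypt"),
]

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, evaluate(policy, "Social Networking"), shadowed_rules(policy))
```

Running `shadowed_rules` over a policy before deploying it catches the misordering without having to read connection-event flags after the fact.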
