cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1564
Views
5
Helpful
7
Replies

cisco ASA-X SSL inspection(known-key) Problem

Hi
i have ASA5555-X with firepower module
i use ASDM for manage ASA and use FMC(6.4.0.4) for manage FIREPOWER
(use inline mode for asa traffic to firepower)

i have a web server in DMZ
i config Decrypt-Known key method for outbound traffic that access to my webserver in DMZ

i add my webserver certificate and private key in PKI / INTERNAL CERTS in FMC
i create rule in ssl and so i call ssl policy in Access Control Policy
i think all configure is ok
but i can not see my website from outside


i check event log
action =block
reaseon =ssl block
ssl flow error = unsupported ec curve (0xb9001d57)

can anyone help me ?

 

2 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

It appears you are hitting this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn57284?rfs=iqvred

A work around is included in the bug notes.

View solution in original post

Can you please confirm that your mail server uses the same wildcard certificate as the other servers?

View solution in original post

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

It appears you are hitting this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn57284?rfs=iqvred

A work around is included in the bug notes.

thanks for solution

it works fine for my websites inspect

but

so i have a microsoft exchange  server that i want inspect it too

, but i have problem for my microsoft exchange webpage after knownkey method

can you help me about it , too ?

 

 

 

 

 

Marvin Rhoads
Hall of Fame
Hall of Fame

The entries in your mail4.jpg attachment indicate "Invalid Issuer". Have you imported the issuing CA's certificate as a trusted certificate?

Unfortunately, I do not understand what you mean


i have a one wildcard certificate for all subdomain
and i import these ( certificate and private key) in  INTERNAL CERTS
and all websites are ok except exchange webpage
i dont have import ca certificate as a trusted certificate !!

Unfortunately , i have no information about import ca certificate as  a trusted certificate

 

Can you please confirm that your mail server uses the same wildcard certificate as the other servers?

yes sir

 

thanks alot

the problem was solved

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: