cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1872
Views
15
Helpful
7
Replies

Cisco Firepower User Agent support for TLSv1.2

borman.bravo
Beginner
Beginner

Can someone please confirm if the Firepower user agent 2.4 supports TLSV1.2? I disabled TLSV1.0 in my Windows Domain Controller 2016 and I'm not getting any mappings anymore, thank you.

7 Replies 7

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

User Agent to FMC should support strong ciphers.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/24/config-guide/Firepower-User-Agent-Configuration-Guide-v2-4/ConfigAgent.html

Is your User Agent running on the DC itself?

Hi Marvin, yes it is running in the domain controllers, thanks

Thank you for your reply and Happy New Year!

The article you referred me to has no mention of TLS v1.2 support for User Agent which is the question I had, would you know if this is supported in 6.4?

nspasov
Cisco Employee
Cisco Employee

I would recommend reaching out to Cisco TAC to have this verified but the last time I checked the User Agent only supported TLSv1.0. 

Thank you for rating helpful posts!

I'm seeing a similar issue.  According to this, no.  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve30062/?rfs=iqvred

 

I'm flabbergasted by the suggested  workaround.   Is this a push to get people off the FREE User agent and requiring a  license ICE product.........

 

CSCve30062

Symptom:
User agent cannot communicate with the Firepower Management Center. The following error is displayed on the user agent:

[The client and server cannot communicate, because they do not possess a common algorithm]

Conditions:
The server hosting the user agent has TLS 1.0 disabled.

Workaround:
Enable TLS 1.0 on the machine where user agent is running. If security policy forbids enabling TLS 1.0 on that machine, install the user agent on a different machine. (For security reasons, you might not want the TLS 1.0 to run on your Active Directory server, for example.)

It definitely is, the user agent is going out of support and our fixes are to either re-enable TLS 1.0 (can't happen) or utilize ISE-PIC. We don't currently utilize ISE in our environment, so in order to have this functionality we would have to bring it in. 

 

Yes, that is my understanding as well now, was informed by TAC that ISE-PIC was the recommended approach...either that or replace with Palos :)

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers