firepower SSL policy cipher suite for default action

tato386
Level 6

In my SSL/decryption policy advanced settings I have chosen the option to block unknown cipher suites, and therefore in my connection logs I see lots of connections that are blocked due to unknown cipher suites, which is expected. However, the particular cipher suite being blocked doesn't seem to be unknown. It is available for selection in the FMC and can be added to custom cipher suite lists. The problem is that these cipher lists can only be added to user-defined decryption rules, and the rule that is blocking this particular cipher suite is the default action. I don't see where I can assign a cipher suite to the default rule. Is there somewhere else where I can define which cipher suites are allowed?

TIA,

Diego

1 Accepted Solution

Accepted Solutions

tato386
Level 6

So, it turns out that the "unknown cipher suite" error in the log is not generated because the FTD considers the cipher unknown; it is an error from the host side. The connection events in question are triggered by Win2019 servers using MS Azure/Entra authentication services. The MS Azure side is using TLS 1.3 and the TLS_AES_256_GCM_SHA384 cipher suite, both of which are unsupported and therefore "unknown" to Win2019.

My mistake was that, since the error appeared in the FMC connection log, I automatically assumed that it was the FTD reporting this cipher as "unknown". I felt this was an error because FTD 7.4 supports TLS 1.3 and TLS_AES_256_GCM_SHA384. I don't have any Win2022 servers to test with, but I am fairly confident that this error will not be logged when Win2022 authenticates against MS Entra.
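The accepted answer hinges on which side of the connection actually lacks TLS 1.3 support: the FTD logs what it observes, but the client's ClientHello is what shows whether the client ever offered TLS 1.3 or TLS_AES_256_GCM_SHA384. The following is an added example, not code from the original thread or from Cisco, that parses a raw ClientHello record (as you would pull from a packet capture) and reports the offered cipher suites and the versions advertised in the supported_versions extension. The two sample hellos are constructed inline for the test and are not captures of Win2019 or Azure traffic; the suite and version values are the public IANA code points.

```python
import struct

# Public TLS code points (RFC 8446 / IANA registry)
TLS_AES_256_GCM_SHA384 = 0x1302
TLS13 = 0x0304
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(cipher_suites, supported_versions=None, sni=b"example.invalid"):
    """Assemble a minimal ClientHello inside a TLS record (constructed test input only)."""
    body = b"\x03\x03"                     # legacy_version = TLS 1.2, as TLS 1.3 clients send
    body += b"\x00" * 32                   # client random (constant; not used for anything here)
    body += b"\x00"                        # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                    # one compression method: null
    exts = b""
    name = struct.pack("!BH", 0, len(sni)) + sni                 # host_name entry
    sni_ext = struct.pack("!H", len(name)) + name                # ServerNameList
    exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    if supported_versions:                 # absent on a client that speaks TLS 1.2 at most
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        sv = struct.pack("!B", len(vers)) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suites, supported versions and SNI offered in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                        # strip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                  # skip handshake type and 3-byte length
    legacy_version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                            # legacy_version + random
    p += 1 + hs[p]                         # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                         # compression methods
    versions, sni = [], None
    if p < len(hs):                        # extensions block is optional
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + elen]
            p += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
            elif etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    if not versions:                       # no supported_versions: legacy_version is the ceiling
        versions = [legacy_version]
    return {"cipher_suites": suites, "supported_versions": versions, "sni": sni}


def offers_tls13_aes256(record):
    """True only if the client advertises TLS 1.3 AND the TLS_AES_256_GCM_SHA384 suite."""
    info = parse_client_hello(record)
    return TLS13 in info["supported_versions"] and TLS_AES_256_GCM_SHA384 in info["cipher_suites"]


# Constructed samples: a TLS 1.3-capable client and a client capped at TLS 1.2.
TLS13_CAPABLE_HELLO = build_client_hello([0x1302, 0x1301, 0xC02F], [0x0304, 0x0303])
TLS12_ONLY_HELLO = build_client_hello([0xC02F, 0x009C])

if __name__ == "__main__":
    for label, rec in (("tls13-capable", TLS13_CAPABLE_HELLO), ("tls12-only", TLS12_ONLY_HELLO)):
        info = parse_client_hello(rec)
        print(label, [hex(v) for v in info["supported_versions"]],
              [hex(s) for s in info["cipher_suites"]], offers_tls13_aes256(rec))
```

Run it against the ClientHello bytes from a capture of the server in question: if the hello carries no supported_versions extension (or none listing 0x0304) and no 0x13xx suites, the client is the side that cannot negotiate TLS 1.3, matching the conclusion above that the FTD is merely relaying the host-side failure.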


2 Replies

"However, the particular cipher suite being blocked doesn't seem to be unknown"

Use

System support ssl-debug

Check if the cipher is unknown or if there is a CN-to-SNI mismatch on the bac cert.

MHM

