1723 Views · 5 Helpful · 5 Replies

Problem with SSL inspection in FTD

ahmadtec9
Level 1

Hello everyone

I have a weird problem with configuring SSL inspection in Cisco FTD: every time I enable the SSL policy in the ACP, all SSH sessions that go through the FTD are dropped after 10 to 20 seconds.

Even after configuring all SSL rules to "Do not decrypt" I still have the problem!

I also selected "Inherit Default Action" in the Undecryptable encryption tab, which is "Do not decrypt".

 

thanks

5 Replies

Marvin Rhoads
Hall of Fame

Generally an SSL decryption policy should apply to SSL traffic which is specified via a combination of the application ("SSL"), port (tcp/443) and address sections of the rule(s). Can you share more details on how you have yours configured?

At the beginning I defined a simple rule like:

src-zone=inside  dst-zone=outside  network=my-pc  action >>> Decrypt-Resign

Default action: Do not decrypt

After enabling the SSL policy in the ACP, all SSH traffic from any zone to any other zone is dropped.

After running into the problem I defined a rule at the top of the SSL policy to not decrypt any packet with dst-port=22,

but nothing changed!

 

balaji.bandi
Hall of Fame

The SSL policy should use port 443; SSH uses port 22, so there may be something missing in the ACP.

 

BB


Before applying the SSL policy to the ACP everything is fine and there is no problem with the SSH connection.

I'm not sure, but is there any possibility that SSH uses some sort of TLS protocol that SSL inspection denies?

Your SSL policy should be built so that it ONLY selects SSL traffic.

i.e., make the application "SSL Client" and the destination port HTTPS.
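To make the advice above concrete, here is an added example (not Cisco's code and not from anyone in this thread): a toy model of how an SSL policy rule selects flows. It shows that a rule scoped only by zone and network, like the one first described in the thread, also selects SSH sessions from that host, while the same rule with the SSL application and destination-port HTTPS conditions added only selects TLS flows and leaves SSH to the policy default. The rule model, the classifier, and all sample values (addresses, payload bytes) are constructed for illustration and do not describe FTD internals.

```python
# Added example: simplified SSL-policy rule matching. Not Cisco code; the
# rule model and every sample value below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, List, Tuple

TLS_CONTENT_TYPE_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01


def classify_app(first_bytes: bytes) -> str:
    """Identify the application from the first client payload bytes.

    SSH announces itself with a plaintext identification string (RFC 4253),
    whereas TLS starts with a handshake record carrying a ClientHello, so the
    two are trivially distinguishable and SSH is never "SSL" traffic.
    """
    if first_bytes.startswith(b"SSH-"):
        return "SSH"
    if (len(first_bytes) >= 6
            and first_bytes[0] == TLS_CONTENT_TYPE_HANDSHAKE
            and first_bytes[1] == 0x03          # record version, major byte
            and first_bytes[5] == TLS_HANDSHAKE_CLIENT_HELLO):
        return "SSL"
    return "unknown"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int
    first_bytes: bytes


@dataclass
class Rule:
    name: str
    action: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    networks: Optional[frozenset] = None   # source addresses
    dst_port: Optional[int] = None
    app: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        """A condition left unset matches anything; set conditions must all hold."""
        checks = [
            (self.src_zone, flow.src_zone == self.src_zone),
            (self.dst_zone, flow.dst_zone == self.dst_zone),
            (self.networks, flow.src_ip in (self.networks or ())),
            (self.dst_port, flow.dst_port == self.dst_port),
            (self.app, classify_app(flow.first_bytes) == self.app),
        ]
        return all(ok for cond, ok in checks if cond is not None)


def evaluate(rules: List[Rule], flow: Flow,
             default_action: str = "Do not decrypt") -> Tuple[str, str]:
    """First matching rule wins; otherwise the policy default action applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", default_action


# Constructed sample payloads: an OpenSSH banner and the first bytes of a
# TLS 1.2 ClientHello record (type 0x16, version 0x0303, length, type 0x01).
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
TLS_CLIENT_HELLO = bytes.fromhex("160303005a0100005603036a")

MY_PC = frozenset({"10.1.1.50"})   # constructed address standing in for "my-pc"

SSH_FLOW = Flow("inside", "outside", "10.1.1.50", 22, SSH_BANNER)
HTTPS_FLOW = Flow("inside", "outside", "10.1.1.50", 443, TLS_CLIENT_HELLO)

# Rule as first described in the thread: zones and network only.
UNSCOPED_POLICY = [Rule("decrypt-my-pc", "Decrypt-Resign",
                        src_zone="inside", dst_zone="outside", networks=MY_PC)]

# Same rule with the application and destination-port conditions added.
SCOPED_POLICY = [Rule("decrypt-my-pc", "Decrypt-Resign",
                      src_zone="inside", dst_zone="outside", networks=MY_PC,
                      dst_port=443, app="SSL")]

if __name__ == "__main__":
    for label, policy in (("unscoped", UNSCOPED_POLICY), ("scoped", SCOPED_POLICY)):
        for flow in (SSH_FLOW, HTTPS_FLOW):
            app = classify_app(flow.first_bytes)
            print(f"{label:8} {app:4} dst-port {flow.dst_port:>3} -> {evaluate(policy, flow)}")
```

Running it shows the unscoped rule returning Decrypt-Resign for both the SSH and the HTTPS flow from the host, while the scoped rule returns Decrypt-Resign only for the HTTPS flow and falls through to the "Do not decrypt" default for SSH. The same reasoning applies when reviewing a real policy: any rule whose conditions can be satisfied by a non-TLS flow is a candidate for unexpected behaviour on that traffic.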
