cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1724
Views
5
Helpful
5
Replies

Problem with SSL inspection in FTD

ahmadtec9
Level 1
Level 1

Hello everyone

I have a weird problem with configuring SSL inspection In Cisco FTD , every time I enable SSL policy In ACP  all ssh session that go through FTD will be drop after 10 to 20 seconds .

even configuring  all SSL Rule to do not decrypt still have the problem !

also I select "inherit Default Action" in  Undecryptable encryption tab which is do not Decrypt.

 

thanks

5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

Generally an SSL decryption policy should apply to SSL traffic which is specified via a combination of the application ("SSL"), port (tcp/443) and address sections of the rule(s). Can you share more details on how you have yours configured?

At the beginning I define a simple rule like :

src-zone=inside  dst-zone= outside    network=my-pc     action >>> Decrypt-Resign

Default action : do not decrypt

After Enable SSL policy in ACP all SSH traffic  from any zone to other  zone  Will be drop .

 

after getting problem define a rule at the top of SSL Policy to do not decrypt any packet that dst-port=22

but nothing change !

 

balaji.bandi
Hall of Fame
Hall of Fame

SSL policy should use port 443, SSH uses  port 22, so there may be something missing in the ACP.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Before applying SSL policy to ACP everything is fine and there is no problem with ssh Connection.

I'm not sure, but is there any possibility that  SSH use some sort of TLS protocol that ssl inspection deny it ?

Your SSL policy should be built so that it ONLY selects SSL traffic.

i.e., make the application "SSL Client" and the destination port HTTPS.

Review Cisco Networking for a $25 gift card