Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3373
Views
0
Helpful
7
Replies

SSL Decryption on FTD appliances not working

Go to solution
ryan14
Level 1
Level 1

‎08-07-2020 11:39 AM

My SSL decryption policy is working but the FTDs are experiencing issues trying to decrypt sites that appear to be protected by cloudflare. For example, if I go to yahoo.com, I can see the certificate in my browser was intercepted by the FTD and the FTD is decrypt-resigning the traffic (via event viewer). However if I go to pcpartpicker.com, and look at the certificate, I can see that the FTD did not decrypt-resign as expected. When looking at the certificate via my browser it says issued by CloudFlare Inc (not my FTD). Another thing to note is that my connection in the browser shows a quick reset before actually loading the page. Does anyone else experience this behavior? I tested this across multiple FTDs 5508-X and FP2110 running 6.4.x and 6.6.0.1. Same behavior. Even with multiple browsers.

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ryan14
Level 1
Level 1
In response to ryan14

‎07-22-2021 06:10 AM

In case anyone is wondering, this magically started to work when upgrading to version 7, with no changes on our end.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-07-2020 11:47 AM

Could it be the problem connections are using quic (udp/443) and not classic https (tcp/443)?

0 Helpful

Go to solution
ryan14
Level 1
Level 1
In response to Marvin Rhoads

‎08-07-2020 01:28 PM

The connection event shows tcp/443. What is interesting is ssl status is 'Do Not Decrypt (Uncached Session)'.  Not sure what that means.

0 Helpful

Go to solution
JohnDenver2135
Level 1
Level 1
In response to ryan14

‎12-08-2020 07:22 AM - edited ‎12-08-2020 07:22 AM

I have this same exact issue, did you ever figure out a fix? We do not allow 443 UDP by default however as you mention the traffic in the connection events is showing 443TCP and a status of 'Do Not Decrypt (Uncached Session)'.

0 Helpful

Go to solution
ryan14
Level 1
Level 1
In response to JohnDenver2135

‎12-08-2020 08:28 AM

I upgraded to 6.6.1, ran into bug CSCvs99356.

 

Upgraded to 6.7 and hit a new issue where I get NET::ERR_CERT_AUTHORITY_INVALID when loading a new webpage. If I hit refresh or F5, the page then does load correctly, without any certificate error. Sites protected by cloudfare seem to now be decrypted by FTD, before in 6.4 they were not. I have pending TAC case for this new issue. I cannot reproduce this new issue in 6.4 or 6.6.1 across multiple sites with computers on the same domain and use the same SSL policy. Issuing a new certificate for decrypt policy has the same issue. I would be curious to know if someone else has this issue which I have opened a new thread on.

0 Helpful

Go to solution
jonathankarras
Level 1
Level 1

‎03-17-2021 12:39 PM

This seems to be fixed in 6.6.3 now. I was seeing similar issues in 6.6.1. Hoping to upgrade soon.

0 Helpful

Go to solution
ryan14
Level 1
Level 1
In response to jonathankarras

‎03-17-2021 02:25 PM

Sigh, hopefully next release of 6.7 is out soon for this fix.

0 Helpful

Go to solution
ryan14
Level 1
Level 1
In response to ryan14

‎07-22-2021 06:10 AM

In case anyone is wondering, this magically started to work when upgrading to version 7, with no changes on our end.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card