SSL Decryption on FTD appliances not working

ryan14
Level 1

My SSL decryption policy is working but the FTDs are experiencing issues trying to decrypt sites that appear to be protected by cloudflare. For example, if I go to yahoo.com, I can see the certificate in my browser was intercepted by the FTD and the FTD is decrypt-resigning the traffic (via event viewer). However if I go to pcpartpicker.com, and look at the certificate, I can see that the FTD did not decrypt-resign as expected. When looking at the certificate via my browser it says issued by CloudFlare Inc (not my FTD). Another thing to note is that my connection in the browser shows a quick reset before actually loading the page. Does anyone else experience this behavior? I tested this across multiple FTDs 5508-X and FP2110 running 6.4.x and 6.6.0.1. Same behavior. Even with multiple browsers.
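A check for exactly what the post describes, added here and not taken from the thread or from Cisco: connect to each host over TCP/443 (so QUIC is out of the picture), trust the FTD resign CA alongside the system store, and report whether the leaf certificate's issuer is that resign CA or the origin CA. The resign CA file path and its CN are placeholders you substitute.

```python
"""Report, per host, whether the leaf certificate was re-signed by the FTD's
resign CA or arrived untouched from the origin (e.g. issued by Cloudflare).

Added diagnostic, not from the thread. Assumes you export the FTD resign CA
certificate to RESIGN_CA_PEM and know its subject CN (both placeholders).
"""
import socket
import ssl
from typing import Tuple

RESIGN_CA_PEM = "/path/to/ftd-resign-ca.pem"   # placeholder path
RESIGN_CA_CN = "FTD-Decrypt-CA"                 # placeholder CN


def issuer_cn(peercert: dict) -> str:
    """Extract the issuer commonName from an ssl.getpeercert()-style dict."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def classify(peercert: dict, resign_ca_cn: str = RESIGN_CA_CN) -> str:
    """'decrypted' when the resign CA issued the leaf, otherwise 'passthrough'."""
    return "decrypted" if issuer_cn(peercert) == resign_ca_cn else "passthrough"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """TLS-connect over TCP and classify the leaf certificate.

    Returns (status, detail): 'decrypted', 'passthrough', 'untrusted' (chain
    validated by neither the system store nor the resign CA) or 'reset'
    (connection dropped, like the quick reset described in the original post).
    """
    ctx = ssl.create_default_context()               # system CAs, CERT_REQUIRED
    ctx.load_verify_locations(cafile=RESIGN_CA_PEM)  # also trust the resign CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()             # populated only when validated
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", str(exc)
    except (ssl.SSLError, OSError) as exc:
        return "reset", str(exc)
    return classify(cert), issuer_cn(cert)


if __name__ == "__main__":
    # yahoo.com was reported as decrypted, pcpartpicker.com as passed through
    for host in ("yahoo.com", "pcpartpicker.com"):
        print(host, *probe(host))
```

Run it from a client behind the FTD; a host that comes back 'passthrough' with the origin CA as issuer matches the pcpartpicker.com symptom above.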

Accepted Solution

In case anyone is wondering, this magically started to work when upgrading to version 7, with no changes on our end.


7 Replies

Marvin Rhoads
Hall of Fame

Could it be the problem connections are using quic (udp/443) and not classic https (tcp/443)?

The connection event shows tcp/443. What is interesting is the SSL status is 'Do Not Decrypt (Uncached Session)'. Not sure what that means.

I have this same exact issue, did you ever figure out a fix? We do not allow 443 UDP by default; however, as you mention, the traffic in the connection events is showing 443 TCP and a status of 'Do Not Decrypt (Uncached Session)'.

I upgraded to 6.6.1, ran into bug CSCvs99356.


Upgraded to 6.7 and hit a new issue where I get NET::ERR_CERT_AUTHORITY_INVALID when loading a new webpage. If I hit refresh or F5, the page then does load correctly, without any certificate error. Sites protected by Cloudflare seem to now be decrypted by FTD; before, in 6.4, they were not. I have a pending TAC case for this new issue. I cannot reproduce this new issue in 6.4 or 6.6.1 across multiple sites with computers on the same domain that use the same SSL policy. Issuing a new certificate for the decrypt policy has the same issue. I would be curious to know if someone else has this issue, which I have opened a new thread on.

jonathankarras
Level 1

This seems to be fixed in 6.6.3 now. I was seeing similar issues in 6.6.1. Hoping to upgrade soon.

Sigh, hopefully next release of 6.7 is out soon for this fix.

