Re: SSL Traffic Capture on FTD

Fantas · ‎10-01-2020

Hi,

we have internal client talking to outside but I cant see ant traffic on FTD and Looks its communication is not reaching at that level and breaks at SSL handshake. Server guy confirmed me that ssl handshake is not completing.

Can I capture ssl handshake traffic on ftd to see If ssl is the problem for this communication.

balaji.bandi · ‎10-02-2020

Hope you are not looking Decrypt the SSL, but as per the post, you looking simple end-to-end TCP handshake to prove the packet coming in FTD and leaving to destination.

below troubleshoot prove and explain when you enable capture. Hope you do not have any other uplink side device which does NAT or any other sort ?

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Mohammed al Baqari · ‎10-02-2020

Hi,

You can capture ssl traffic and look at the handshake (basically client
hello and server hello are the handshake messages). A failure in handshake
will generate a reset by the other party. These hellos can be seen without
decrypt.

***** please remember to rate useful posts

Fantas · ‎10-02-2020

Thanks,

Yes I want to look at the handshake level only without decrypting ssl traffic.

what CLI should I use to get this Info on FTD CLI.

Mohammed al Baqari · ‎10-02-2020

Hi,

You can go to system support diag command and capture #name# #if-name# ....
etc to capture the traffic on outside interface. Then export it as pcpa
file. Or you can generate the capture from fmc or fdm. Just lookup the
steps online.

**** please remember to rate useful posts