TLS 1.0 being forced when traffic traverses Cisco ASA

AbteenZ
Level 1

Hi,

We are facing a curious case here.

We have been informed that https://sbsftp.benefitfocus.com/ is not accessible, and we thought it was being blacklisted for whatever reason. After we whitelisted the address, nothing changed. After running a packet capture and comparing with another device on another network, we realized that anything trying to go to that website from behind the ASA will negotiate TLSv1, whereas other networks will negotiate TLSv1.2. We even connected the working device via VPN to the same ASA with the issues and could replicate the issue.

I'm not entirely clear on how the ASA treats HTTPS connections, but from what I see it definitely changes the TLS negotiation.

If someone knows the fix, and even better how the ASA works in this case, I would be very thankful.

We have ASA version 9.8 with SFR modules 6.4.0.4 and URL filtering and IPS enabled.


Regards,

Abtin
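The comparison the poster made by hand (capture on both paths, read the negotiated version) as an added Python example; this is not code from the thread or from Cisco. It parses a ServerHello record taken from a capture and flags the case where the path through the firewall ended on an older version than the reference path. The ServerHello byte strings are constructed by `build_server_hello` for the example, not taken from the poster's capture; one caveat it handles is that a TLS 1.3 ServerHello keeps 0x0303 in its version field and signals 1.3 in the supported_versions extension, so reading that field alone would misreport it.

```python
# Added example (not from the thread or Cisco): read the negotiated TLS
# version out of a captured ServerHello and compare two vantage points.
TLS_VERSIONS = {  # ordered oldest to newest
    (3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2", (3, 4): "TLSv1.3",
}
SUPPORTED_VERSIONS_EXT = 0x002B  # carries the real version for TLS 1.3


def negotiated_version(record: bytes) -> str:
    """Return the version a captured ServerHello record negotiated."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                    # skip the 5-byte record header
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])       # server_version (legacy for 1.3)
    pos = 2 + 32                       # skip server_version and random
    pos += 1 + body[pos]               # session_id (length-prefixed)
    pos += 2 + 1                       # cipher_suite and compression_method
    if pos + 2 <= len(body):           # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = (body[pos + 4], body[pos + 5])  # TLS 1.3 signal
            pos += 4 + elen
    return TLS_VERSIONS.get(version, f"unknown {version}")


def downgraded_behind_firewall(inside: bytes, outside: bytes) -> bool:
    """True when the path through the firewall ended on an older version."""
    order = list(TLS_VERSIONS.values())
    return order.index(negotiated_version(inside)) < order.index(negotiated_version(outside))


def build_server_hello(version, supported_version=None) -> bytes:
    """Constructed sample ServerHello (no real server involved)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\xc0\x2f\x00"                          # one cipher suite, null compression
    if supported_version is not None:                # TLS 1.3 style signalling
        ext = b"\x00\x2b\x00\x02" + bytes(supported_version)
        body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs
```

To use it on real traffic, export the ServerHello record bytes from each capture (for example from Wireshark) and pass the two byte strings to `downgraded_behind_firewall`.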


It's not the ASA that acts on the traffic. But Firepower definitely could. Look at your decryption policies if you have some rules that act on the TLS version and/or configure a rule that allows this traffic through unmodified.

I don't have any SSL policies.

How can I pass this specific traffic unmodified?


Thanks,

Abtin
