TLS 1.0 being forced when traffic traverses Cisco ASA
We are facing a curious case here.
We have been informed that https://sbsftp.benefitfocus.com/ is not accessible, and we thought it was being blacklisted for whatever reason. After we whitelisted the address, nothing changed. After running a packet capture and comparing with another device on another network, we realized that anything trying to reach that website from behind the ASA negotiates TLSv1, whereas other networks negotiate TLSv1.2. We even connected the working device via VPN to the same ASA that has the issue, and we could replicate the problem.
I'm not entirely clear on how ASA treats https connections but from what I see it definitely changes the TLS negotiation.
If someone knows the fix and even better how ASA works in this case, I would be very thankful.
We have ASA version 9.8 with sfr modules 188.8.131.52 and URL filtering and IPS enabled.
It's not the ASA that acts on the traffic. But Firepower definitely could. Look at your decryption policies if you have some rules that act on the TLS version and/or configure a rule that allows this traffic through unmodified.
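The comparison described in the question (packet captures taken behind the ASA versus on a reference network) comes down to reading the negotiated version out of the server's ServerHello. The following is an added example, not code from the thread or from Cisco: it parses a ServerHello record, reports the negotiated version and cipher suite, and flags captures that landed below TLS 1.2. The three sample handshakes are constructed inline for this example and are not real captures from the site in question; the `build_server_hello` helper exists only to fabricate them.

```python
# Added example (not from the thread): read the negotiated TLS version from a
# captured ServerHello so handshakes seen behind the ASA/Firepower can be
# compared with those seen on a reference network. All sample records below
# are constructed for this example, not real captures.

TLS_VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}

SUPPORTED_VERSIONS_EXT = 0x002B  # TLS 1.3 carries the real version here


def build_server_hello(version, record_version=b"\x03\x03", cipher=b"\xc0\x2f",
                       session_id=b"", extensions=b""):
    """Build a minimal ServerHello record (constructed test data only)."""
    body = version + b"\x11" * 32                  # server_version + server_random
    body += bytes([len(session_id)]) + session_id   # session_id
    body += cipher + b"\x00"                        # cipher_suite + null compression
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = ServerHello
    return b"\x16" + record_version + len(handshake).to_bytes(2, "big") + handshake


def negotiated_version_code(record):
    """Return the negotiated protocol version (e.g. 0x0303) from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                      # skip server_random
    pos += 1 + body[pos]              # skip session_id
    pos += 2 + 1                      # skip cipher_suite + compression_method
    if pos + 2 <= len(body):          # extensions block present
        ext_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_data_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            ext_data = body[pos + 4:pos + 4 + ext_data_len]
            # A TLS 1.3 server keeps legacy 0x0303 in server_version and puts
            # the selected version in supported_versions.
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_data_len == 2:
                version = int.from_bytes(ext_data, "big")
            pos += 4 + ext_data_len
    return version


def parse_server_hello(record):
    """Return a human-readable summary: negotiated version name and cipher suite."""
    code = negotiated_version_code(record)
    body = record[9:]                 # past record header (5) + handshake header (4)
    pos = 2 + 32
    pos += 1 + body[pos]
    cipher = body[pos:pos + 2].hex()
    return {"version": TLS_VERSIONS.get(code, "unknown(0x%04x)" % code),
            "cipher_suite": cipher}


def is_downgraded(record, minimum=0x0303):
    """True if the server settled on a version below `minimum` (default TLS 1.2)."""
    return negotiated_version_code(record) < minimum


# Constructed sample captures: what a reference network, a path behind the
# ASA/Firepower, and a TLS 1.3 server would look like.
SAMPLES = {
    "reference-network": build_server_hello(b"\x03\x03"),
    "behind-asa": build_server_hello(b"\x03\x01", record_version=b"\x03\x01"),
    "tls13-server": build_server_hello(b"\x03\x03",
                                       extensions=b"\x00\x2b\x00\x02\x03\x04"),
}


def downgraded_samples(samples=SAMPLES):
    """Names of the captures whose ServerHello negotiated below TLS 1.2."""
    return sorted(name for name, rec in samples.items() if is_downgraded(rec))


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, parse_server_hello(rec), "DOWNGRADED" if is_downgraded(rec) else "ok")
```

To use this on real traffic, feed it the bytes of the ServerHello record extracted from each capture (for example the TCP payload of the first server-to-client packet after the ClientHello). If the handshake behind the firewall reports TLSv1.0 while the reference network reports TLSv1.2 for the same server, the version is being chosen by the inspecting device rather than by the client, which is the decryption-policy behaviour the answer above points at.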