AbteenZ
Beginner

TLS 1.0 being forced when traffic traverses Cisco ASA

Hi,

We are facing a curious case here.

We have been informed that https://sbsftp.benefitfocus.com/ is not accessible, and we thought it was being blacklisted for whatever reason. After we whitelisted the address, nothing changed. After running a packet capture and comparing it with another device on another network, we realized that anything trying to go to that website from behind the ASA will negotiate TLSv1, whereas other networks will negotiate TLSv1.2. We even connected the working device via VPN to the same ASA with the issues, and we could replicate the issue.

I'm not entirely clear on how the ASA treats HTTPS connections, but from what I see it definitely changes the TLS negotiation.

If someone knows the fix, and even better how the ASA works in this case, I would be very thankful.

We have ASA version 9.8 with SFR modules 6.4.0.4 and URL filtering and IPS enabled.

Regards,

Abtin

Karsten Iwen
VIP Mentor

It's not the ASA that acts on the traffic, but Firepower definitely could. Look at your decryption policies to see if you have some rules that act on the TLS version, and/or configure a rule that allows this traffic through unmodified.

I don't have any SSL policies.

How can I pass this specific traffic unmodified?

Thanks,

Abtin
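A check that reproduces what the packet-capture comparison in the question showed, written as an added example rather than code from this thread or from Cisco: `server_hello_version` reads the negotiated version out of a captured ServerHello record (the sample records are constructed inline, not real captures), and `probe_min_tls12` makes a live connection that refuses anything below TLS 1.2, so running it once from behind the ASA and once from another network shows whether the inspection path is what forces TLSv1. The function names, the sample bytes and the host you pass in are assumptions.

```python
import socket
import ssl
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def server_hello_version(record: bytes) -> str:
    """Negotiated version from a captured ServerHello record. TLS 1.3 servers
    report 0x0303 in the legacy field and the real version in the
    supported_versions extension (0x002b), so that is checked too."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                         # skip the 32-byte server random
    pos += 1 + hs[pos]                   # session_id (length-prefixed)
    pos += 2 + 1                         # cipher suite, compression method
    if pos + 2 <= len(hs):               # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return VERSION_NAMES.get(version, hex(version))

def build_server_hello(version: int, supported_versions=None) -> bytes:
    """Constructed sample ServerHello (not a real capture) for offline checks."""
    ext = b"" if supported_versions is None else struct.pack("!HHH", 0x002B, 2, supported_versions)
    hs_body = (struct.pack("!H", version) + bytes(32) + b"\x00" + b"\xc0\x2f"
               + b"\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def probe_min_tls12(host: str, port: int = 443) -> str:
    """Live check: require TLS 1.2+ to host. Run it from behind the ASA and from
    another network; a failure only behind the ASA points at the inspection path."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

To read a real ServerHello, export the TCP payload of the server's first handshake record from the capture and pass those bytes to `server_hello_version`.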
