TLS handshake error

Joel Fox
Level 1

Good afternoon - I have an issue where a user cannot access a banking site and is getting an "end of file error" that references TLS. We have a Cisco 5505 running 9.2.4(27). From what I've read, I need at least version 9.3(2), which that firewall cannot run. I'm just looking for confirmation at this point; I can enable 1.0, but 1.2 isn't an option. If the only way to get around it is a newer firewall, then it looks like they're getting one. If I'm incorrect, please let me know!

4 Replies

If the user is getting an error while accessing the banking website, it has nothing to do with the 5505 firewall. Yes, in between the user and the banking website this firewall is doing packet inspection and transfer, but then how come the problem is with the 5505?

please do not forget to rate.

I apologize, I should have elaborated more. We tested this with multiple computers on the network behind the firewall. On each computer we used Chrome, Firefox, and even Internet Exploder/Edge, all being denied. With the same computers, we jumped to the ISP's wireless network, bypassing the firewall, and it worked. To me that points directly to the firewall. When connected to the firewall, there is a VPN tunnel back to the corporate office, but it is a split tunnel, so all internet is local, bypassing any proxy server or WSA.

Can you paste the show ssl output from your firewall:

show ssl
!

Also, going forward, the 5505 is end of life and end of support. It is worth considering a 5506-X (this has also gone end of life) or the FTD 1001; this runs the FTD software.

please do not forget to rate.

Hi,
I think configuring TLS on the ASA would refer to web sessions terminated on the ASA, such as ASDM and SSL-VPN, not traffic traversing the firewall. Take a packet capture from the client computer or a SPAN port, have a look at the TLS handshake and observe the errors (post the pcap here if you need further assistance).

Regardless, you should probably consider upgrading the ASA 5505; it doesn't offer much protection nowadays from today's threats. If you consider replacing it with a Cisco firewall, consider the Firepower 1010.

HTH
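The packet-capture triage suggested in the reply above, as an added example that is not part of the thread and not Cisco's code: a small Python parser for the TLS record layer that reads the two directions of a captured connection and reports whether the server answered the ClientHello with a ServerHello, with an alert, or with nothing at all. The message bytes are constructed inside the script (a hand-built ClientHello, ServerHello and alert), not taken from the poster's capture; the verdict strings and the helper names are this example's own.

```python
import struct
from typing import Dict, List

# TLS record-layer and handshake constants (RFC 5246 / RFC 8446)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 47: "illegal_parameter",
    70: "protocol_version", 80: "internal_error", 86: "inappropriate_fallback",
}


def parse_records(data: bytes) -> List[Dict[str, str]]:
    """Split one direction of a TCP payload into TLS records and decode the
    fields that matter for handshake triage: type, versions, hello type, alert."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, rec_ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:  # capture was cut in the middle of a record
            records.append({"type": "truncated"})
            break
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "record_version": VERSIONS.get(rec_ver, hex(rec_ver))}
        if ctype == 22 and len(body) >= 6:
            # handshake header: type(1) length(3), then the hello's own version(2)
            hs_ver = struct.unpack("!H", body[4:6])[0]
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], f"type {body[0]}")
            rec["hello_version"] = VERSIONS.get(hs_ver, hex(hs_ver))
        elif ctype == 21 and len(body) >= 2:
            rec["alert_level"] = "fatal" if body[0] == 2 else "warning"
            rec["alert"] = ALERT_DESCRIPTIONS.get(body[1], f"code {body[1]}")
        records.append(rec)
        off += 5 + length
    return records


def diagnose(client_to_server: bytes, server_to_client: bytes) -> str:
    """One-line verdict from the two directions of a captured TLS connection."""
    sent = parse_records(client_to_server)
    got = parse_records(server_to_client)
    hello = next((r for r in sent if r.get("handshake") == "client_hello"), None)
    if hello is None:
        return "no ClientHello captured: capture started late or TCP never connected"
    offered = hello["hello_version"]
    for r in got:
        if r["type"] == "alert":
            return (f"server answered the {offered} ClientHello with a {r['alert_level']} "
                    f"alert {r['alert']}: the endpoint rejected the offer, the path carried it")
        if r.get("handshake") == "server_hello":
            return f"server chose {r['hello_version']}: negotiation succeeded, look later in the flow"
    return (f"{offered} ClientHello sent, nothing TLS came back: connection closed mid-handshake "
            "(the browser's 'end of file'); check for a RST/FIN and repeat the capture outside the firewall")


# --- constructed sample messages, not taken from a real capture -------------

def build_client_hello(version: int = 0x0303, suites=(0xC02F, 0x009C)) -> bytes:
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, zero random, no session id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes + b"\x01\x00"  # suites, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    # most clients put 0x0301 in the record header whatever they actually offer
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(version: int = 0x0303, suite: int = 0xC02F) -> bytes:
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_alert(level: int, description: int) -> bytes:
    return b"\x15\x03\x03\x00\x02" + bytes([level, description])


if __name__ == "__main__":
    hello = build_client_hello()
    print(diagnose(hello, b""))                    # the 'end of file' pattern
    print(diagnose(hello, build_alert(2, 70)))     # server rejects the version
    print(diagnose(hello, build_server_hello()))   # negotiation worked
```

Feed it the raw TCP payload of each direction (for example exported from Wireshark's Follow TCP Stream). Two points the script is built around: the record-layer version on a ClientHello is usually 0x0301 regardless of what the client offers, so compare the version inside the hello (and, for TLS 1.3, the supported_versions extension, which this parser does not decode); and a fatal alert means the far end received and rejected the hello, whereas a FIN or RST with no TLS reply after the ClientHello is the pattern behind a browser's "end of file" and is what you would compare against the capture taken on the ISP's wireless.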
