TLS Server Identity Discovery Causing Possible Issues

jmeetze
Level 1

We recently installed new FTDs and have the option enabled under the Advanced Settings of our ACP for "TLS Server Identity Discovery". Yesterday, we had an external user who was having issues accessing our main website. FMC logs showed allows and no drops for this user's traffic to the site.

After reviewing logs of all traffic flow down to our load balancers, I found "TCP_Conn_Terminate" logs from the server. I verified that this user had no issues accessing two other sites which go through our FTD. The only difference in the sites was that the one that wasn't working is using TLS 1.3. To resolve the issue, I had to create a FastPath rule in our pre-filter policy. I'm still not sure why this setting would be the cause of the issue or if it could have been something else.

Has anyone else had issues with enabling this setting when your sites are using TLS 1.3 server certificates? Is there any other option other than to create a FastPath rule to bypass all inspection?

Thanks in advance.
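The reason TLS 1.3 matters here is that, unlike TLS 1.2, it encrypts the server's Certificate message, so an inline device that is not decrypting the session cannot read the certificate off the wire; TLS Server Identity Discovery exists to learn that certificate by other means. When triaging a report like the one above, the first thing to establish from a packet capture is which version a given site actually negotiated. The following is an added example, not code from the thread or from Cisco: a small, dependency-free ServerHello parser that reports the negotiated version (from the `supported_versions` extension for TLS 1.3, falling back to the legacy version field otherwise) and whether the certificate will therefore appear in cleartext. The sample records it runs on are constructed inline with a helper, not captured from a real server.

```python
"""Classify a TLS ServerHello record: negotiated version and whether the
server certificate will be readable in cleartext by a passive inspector.

Added example for triaging TLS 1.3 vs 1.2 behaviour; sample records are constructed."""
import struct

TLS_HANDSHAKE = 0x16            # record-layer content type for Handshake
SERVER_HELLO = 0x02             # handshake message type ServerHello
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record containing a ServerHello and classify it."""
    # Record header: content_type(1) legacy_record_version(2) length(2)
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3)
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]

    # ServerHello: legacy_version(2) random(32) session_id<1> cipher(2)
    #              compression(1) extensions<2>
    legacy_version = struct.unpack("!H", hs[0:2])[0]
    pos = 34
    sid_len = hs[pos]
    pos += 1 + sid_len
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    pos += 1  # legacy_compression_method

    negotiated = legacy_version
    if pos + 2 <= len(hs):
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            # In TLS 1.3 the real version lives here; legacy_version stays 0x0303.
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                negotiated = struct.unpack("!H", edata)[0]

    return {
        "version": VERSION_NAMES.get(negotiated, hex(negotiated)),
        "cipher_suite": cipher,
        # TLS 1.3 sends Certificate under the handshake traffic key.
        "certificate_in_cleartext": negotiated < 0x0304,
    }


def build_server_hello(cipher: int, negotiated: int) -> bytes:
    """Constructed minimal ServerHello record for demonstration (not a real capture)."""
    hs = struct.pack("!H", 0x0303) + b"\x00" * 32   # legacy_version + random
    hs += b"\x00"                                   # empty session_id
    hs += struct.pack("!H", cipher) + b"\x00"       # cipher suite, null compression
    exts = b""
    if negotiated == 0x0304:
        exts += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    hs += struct.pack("!H", len(exts)) + exts
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0303, len(body)) + body


if __name__ == "__main__":
    # Constructed samples: a TLS 1.3 AES-128-GCM hello and a TLS 1.2 ECDHE hello.
    for rec in (build_server_hello(0x1301, 0x0304),
                build_server_hello(0xC02F, 0x0303)):
        print(parse_server_hello(rec))
```

Feed the function the first Handshake record sent by the server (from tcpdump or a Wireshark export) and compare sites that work against the one that does not; a site reporting `TLS 1.3` with `certificate_in_cleartext: False` is exactly the case where the firewall has to rely on TLS Server Identity Discovery rather than on the handshake it can see.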

Accepted Solution

Marvin Rhoads
Hall of Fame

I had a customer facing this same issue with 7.2.2 and using the Bomgar remote control software. TAC also advised them to use Fastpath. This was the identified bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd80741

I would not be surprised to see other applications affected.


4 Replies

Divya Jain
Cisco Employee

Hi,
Can you tell us which FTD version you are running?
It could be a compatibility issue with TLS 1.3, but we do need to check logs/captures to verify. Can you also share a screenshot or details of your current SSL policy config?
Older versions had issues with TLS 1.3, but with a newer version it shouldn't be an issue.
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards,
Divya Jain

We are running version 7.2.2. We are not doing any SSL decryption on traffic. We just have the TLS Server Identity Discovery setting enabled under Advanced Options in our ACP. See screenshot below.

[screenshot: jmeetze_0-1677605860645.png]

Thanks!


Bomgar works with FTD 7.3 and TLS Server Identity Discovery enabled. Oddly, with FTD 7.2.3 (recently released), Bomgar still doesn't work with TLS Server Identity Discovery enabled. The other odd thing with 7.3, though: I've had issues with remote FTD registration and need to fast-path the connection to the remote FTD. I suppose it's recommended to fast-path management traffic anyway....