Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1798
Views
5
Helpful
4
Replies

URL Filtering and SSL decryption issues

Chess Norris
Level 4
Level 4

‎10-15-2018 04:29 AM - edited ‎03-12-2019 07:01 AM

Hello,

 

I am working with a customer that want to use the URL filtering function in his ASA 5545-X with firepower services.

I have a similar setup in my LAB for testing purpose and I have create a SSL Policy that are using a Microsoft CA signed certificate and I have some Windows 10 clients with ROOT certificates from the same CA.

However, I am having issues with some sites when using either Chrome or Firefox.

Everything is working fine in both IE and Edge browsers but some HTTPS pages (like https://www.cisco.com) are timing out with Chrome and Firefox. I have tried the workaround described here - https://www.cisco.com/c/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvh22181.html but it only helped for some of the pages. The only other thing I can think of is certificate pinning, but I am not sure that this is browser dependent. 

Anyone else have experienced similar issues with SSL decryption?

 

Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎10-15-2018 04:40 AM

Hi,
The Microsoft web browsers will look in the local certificate store and be able to validate/trust the Internal Microsoft CA certificate. However Chrome and Firefox do not look in the local machine store for the certificate, so will therefore produce the untrusted certificate error. You would need to configure the chrome/firefox browsers to trust your root CA.

HTH
0 Helpful

Chess Norris
Level 4
Level 4
In response to Rob Ingram

‎10-15-2018 05:11 AM

Thank you for the answer. I did tried that on firefox after reading that this was a common issue with firefox, but the issue was still there. However, I will try the same in chrome when I am back home and see if it will fix the issue there.

I can add that when this issue happens, I don't see any warning about untrusted certificates. I just revived a timeout error after a while. 

0 Helpful

Chess Norris
Level 4
Level 4
In response to Chess Norris

‎10-15-2018 10:51 AM

I imported the root certificate in Chrome, but unfortunately it didn't solved the issue. I still getting the "ERR_TIMED_OUT" message in the browser after a while, If I click the "View Site information" button I see the following "Your connection to this site is not secure" 

0 Helpful

giovanni.jimenez
Level 1
Level 1
In response to Chess Norris

‎12-11-2018 09:07 PM

Did you solve this? Im having the "err_TIMED_OUT" when I try to connect to outlook.office365.com.

 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card