TLS 1.0 Handshake fails via S2S vpn tunnel

mcoupe
Level 1

I have an aged Oracle environment which is running TLS 1.0 for the encryption of database data synchronized between two sites (upgrading is not an option). When the database connection is made via an MPLS network between the two sites there is no issue in the TLS negotiation; however, when it runs through a site-to-site VPN connected between two FTD 2110s running 6.6.4-59 (see tunnel details below) I'm seeing a TLS fatal alert (10) unexpected message and the connection is closed.


There is no SSL inspection policy configured.


It seems to me that this is the cause of my database synchronization issues via the tunnel, but I'm not sure how to resolve the problem. Advice?


Encryption: AES-GCM,AES-GCM192,AES-GCM256
DH Group: 21,20,19,14
Integrity Hash: NULL
Lifetime: 86400
PRF Hash: SHA512,SHA384,SHA256
Priority: 10
3 Replies

Hi,

Start by creating a top-of-list prefilter rule to allow the database sync. This is to test that FTD isn't doing any inspection that is causing issues.

Also, ensure that MSS adjust is configured for your L2L VPN and reduce the MTU value. This can be caused by fragmentation.

If both didn't help, perform a capture at the ingress and egress interfaces of the FTD and analyze the pcaps to see if the error is caused by FTD or another device.

**** please remember to rate useful posts

Thanks for the reply. I should have mentioned that these are managed by FDM (and a vendor with whom I'm working). My understanding with FDM (we use FMC ourselves so I'm not that familiar with FDM) is that you don't have the ability to create pre-filter or Fastpath rules. It was one of the first things I thought about.


The MSS setting is set to 0. That doesn't seem correct to me and we have discussed changing that. It seems like our next best course of action. The tunnels have a default MTU of 1500.


I'm pretty confident that the issue is being caused by FTD, specifically the tunnel. The traffic traverses the FTDs whether it goes through the tunnel or the MPLS network, but when I compare pcaps from each of the two paths, I'm only seeing the issue when the traffic takes the tunnel. The TLS handshake is clean when traversing the FTD but routing to MPLS rather than the S2S VPN.

mcoupe
Level 1

It appears we have a fix at this point. By adjusting the MSS setting on the FTDs to their maximum of 1380, the fragmentation (in particular of the TLS handshake traffic) has been eliminated. Thus far, the applications which have been re-routed back to the VPN tunnel are working.


We're waiting for overnight synchronization jobs to complete without error before calling it fixed but the symptom we attributed to causing the failure has definitely cleared up in our testing.
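An added worked example (not posted by anyone in this thread) for the MSS/MTU advice in the first reply and the 1380 fix in the last post: it models how much an IPsec ESP wrapper adds to a full-size TCP segment and whether the result still fits a 1500-byte outer MTU. Assumed sizes are IPv4 tunnel mode with AES-GCM per RFC 4106 (8-byte IV, 16-byte ICV), a 20-byte TCP header without options, and an optional NAT-T UDP header; the real tunnel's headers may differ, so the numbers are a model, not a measurement of these FTDs.

```python
# Added example: estimate the on-the-wire size of a full-MSS TCP segment
# after IPv4 IPsec tunnel-mode ESP encapsulation, to see whether it fits
# the outer MTU or must be fragmented (or dropped, if DF is set and the
# ICMP "fragmentation needed" never reaches the sender).
# Assumptions (not measured on the thread's FTDs): IPv4 header 20, TCP
# header 20 (no options), ESP SPI+sequence 8, AES-GCM IV 8 and ICV 16
# (RFC 4106), ESP trailer 2 (pad length + next header) padded to a 4-byte
# boundary, NAT-T UDP header 8 when enabled.

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
ESP_SPI_SEQ = 8
ESP_GCM_IV = 8
ESP_TRAILER = 2
ESP_GCM_ICV = 16


def esp_tunnel_size(mss: int, nat_t: bool = False) -> int:
    """Outer IPv4 packet size for one TCP segment carrying `mss` payload bytes."""
    inner = IPV4_HDR + TCP_HDR + mss
    # ESP pads so that (encrypted payload + trailer) ends on a 4-byte boundary.
    pad = (-(inner + ESP_TRAILER)) % 4
    esp = ESP_SPI_SEQ + ESP_GCM_IV + inner + pad + ESP_TRAILER + ESP_GCM_ICV
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def fragments(mss: int, outer_mtu: int = 1500, nat_t: bool = False) -> bool:
    """True if a full-MSS segment no longer fits the outer MTU after ESP."""
    return esp_tunnel_size(mss, nat_t) > outer_mtu


def max_mss(outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest MSS whose full segment still fits the outer MTU after ESP."""
    mss = outer_mtu
    while fragments(mss, outer_mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    # 1460 = usual MSS for a 1500-byte path; 1380 = the value applied in the thread.
    for mss in (1460, 1380):
        for nat_t in (False, True):
            size = esp_tunnel_size(mss, nat_t)
            state = "FRAGMENTS" if fragments(mss, nat_t=nat_t) else "fits"
            print(f"MSS {mss} NAT-T={nat_t}: outer {size} bytes -> {state}")
    print("largest non-fragmenting MSS:", max_mss(), "/ with NAT-T:", max_mss(nat_t=True))
```

Under these assumptions a 1460-byte MSS segment grows to 1556 bytes and is fragmented, while 1380 stays at 1476 (1484 with NAT-T); a handshake flight that carries a certificate chain fills several such full segments, which is why it is the first traffic to suffer.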