11-01-2021 09:39 AM
I have an aged Oracle environment which is running TLS 1.0 for the encryption of database data synchronized between two sites (upgrading is not an option). When the database connection is made via an MPLS network between the two sites there is no issue in the TLS negotiation; however, when it runs through a site-to-site VPN connected between two FTD 2110s running 6.6.4-59 (see tunnel details below) I'm seeing a TLS fatal alert (10) unexpected message and the connection is closed.
There is no ssl inspection policy configured.
It seems to me that this is the cause of my database synchronization issues via the tunnel but I'm not sure how to resolve the problem. Advice?
11-01-2021 11:04 AM
11-01-2021 11:29 AM - edited 11-01-2021 11:32 AM
Thanks for the reply. I should have mentioned that these are managed by FDM (and a vendor with whom I'm working). My understanding with FDM (we use FMC ourselves so I'm not that familiar with FDM) is that you don't have the ability to create pre-filter or Fastpath rules. It was one of the first things I thought about.
The MSS setting is set to 0. That doesn't seem correct to me and we have discussed changing that. It seems like our next best course of action. The tunnels have a default MTU of 1500.
I'm pretty confident that the issue is being caused by FTD, specifically the tunnel. The traffic traverses the FTDs whether it goes through the tunnel or the MPLS network, but when I compare pcaps from each of the two paths, I'm only seeing the issue when the traffic takes the tunnel. The TLS handshake is clean when traversing the FTD but routing to MPLS rather than the S2S VPN.
11-02-2021 12:03 PM
It appears we have a fix at this point. By adjusting the MSS setting on the FTDs to their maximum, 1380, the fragmentation (in particular of the TLS handshake traffic) has been eliminated. Thus far, the applications which have been re-routed back to the VPN tunnel are working.
We're waiting for overnight synchronization jobs to complete without error before calling it fixed but the symptom we attributed to causing the failure has definitely cleared up in our testing.
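The overhead arithmetic behind this fix, as an added illustration that is not Cisco or FTD code and not part of the thread: it models the TCP segments of a multi-segment TLS handshake record (a ServerHello plus certificate chain easily spans three segments), adds an assumed worst-case ESP tunnel-mode overhead, and reports which segments no longer fit the tunnel's outer MTU once encapsulated. The 3800-byte handshake size and the ESP overhead figures are constructed assumptions; an MSS clamp of 0 is modelled here as "no clamping" (the hosts negotiate 1460 from a 1500-byte MTU), which is how the thread's original MSS 0 setting behaves.

```python
"""Why a TLS handshake that survives the MPLS path fragments inside an IPsec tunnel.

Added illustration only; overhead figures below are assumptions, not values
read from the FTDs in the thread.
"""

IP_HDR = 20   # IPv4 header
TCP_HDR = 20  # TCP header without options

# Assumed worst-case ESP tunnel-mode overhead (IPv4, AES-CBC + HMAC-SHA1):
# outer IP 20 + ESP header 8 + IV 16 + padding/trailer up to 17 + ICV 12.
ESP_OVERHEAD_MAX = 20 + 8 + 16 + 17 + 12  # 73 bytes


def effective_mss(host_mtu, clamp):
    """MSS the peers end up using.

    clamp == 0 models 'no MSS clamping' on the firewall, so the MSS is simply
    whatever the hosts derive from their own interface MTU (1500 -> 1460).
    Any other value caps the host-derived MSS at that clamp.
    """
    host_mss = host_mtu - IP_HDR - TCP_HDR
    return host_mss if clamp == 0 else min(host_mss, clamp)


def max_safe_mss(tunnel_mtu):
    """Largest TCP payload whose ESP-encapsulated packet still fits tunnel_mtu."""
    return tunnel_mtu - IP_HDR - TCP_HDR - ESP_OVERHEAD_MAX


def segments(payload_len, mss):
    """Split one TLS record of payload_len bytes into TCP segment sizes."""
    return [min(mss, payload_len - offset) for offset in range(0, payload_len, mss)]


def encapsulated_size(segment_len):
    """Size of a TCP segment once wrapped in IP + ESP tunnel mode (assumed overhead)."""
    return IP_HDR + TCP_HDR + segment_len + ESP_OVERHEAD_MAX


def oversized_segments(payload_len, tunnel_mtu, clamp, host_mtu=1500):
    """Segments that exceed the tunnel MTU after encapsulation.

    Each one must be IP-fragmented by the encrypting firewall or, if DF is set,
    dropped; a dropped or reordered handshake segment is exactly the kind of
    corruption that makes a TLS peer abort with an 'unexpected message' alert.
    """
    mss = effective_mss(host_mtu, clamp)
    return [s for s in segments(payload_len, mss) if encapsulated_size(s) > tunnel_mtu]


def report(payload_len=3800, tunnel_mtu=1500):
    """Compare the thread's 'before' (MSS 0) and 'after' (MSS 1380) settings."""
    lines = []
    for clamp in (0, 1380):
        mss = effective_mss(1500, clamp)
        bad = oversized_segments(payload_len, tunnel_mtu, clamp)
        lines.append(
            f"MSS clamp {clamp:>4} -> negotiated MSS {mss}, "
            f"segments {segments(payload_len, mss)}, "
            f"oversized after ESP: {bad or 'none'}"
        )
    lines.append(f"largest MSS that fits a {tunnel_mtu}-byte tunnel MTU: {max_safe_mss(tunnel_mtu)}")
    return lines


if __name__ == "__main__":
    # Constructed sample: a 3800-byte ServerHello + Certificate flight (assumption).
    for line in report():
        print(line)
```

With the assumed overhead, a 1460-byte segment becomes 1573 bytes on the wire and cannot fit a 1500-byte tunnel, while a 1380-byte segment becomes 1493 and does; the clamp of 1380 sits just under the 1387-byte budget this model computes, which is why that figure is the FTD's default MSS. On a live path the same question is answered empirically by sending DF-set probes of increasing size across the tunnel and watching where they stop getting through.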