cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1435
Views
5
Helpful
4
Replies

TLS Packet Decapsulation Question (AnyConnect SSL VPN)

WilliamLearner
Level 1
Level 1

Hello everyone!

 

I have a deeply technical question you might be interested in. 

 

All information is represented below on the slide:

 

TLS Packet Decapsulation QuestionTLS Packet Decapsulation Question 

 

Here is the WireShark screenshot (TLS packet was captured at the entrance to the ASA. The packet was decrypted by WireShark):

 

Decrypted TLS Packet at the entrance to the ASADecrypted TLS Packet at the entrance to the ASA

 

4 Replies 4

how this data decrypt ?
the DATA which will encrypt not the header, the header still appear to forward form hop to hop BUT, 
some protocol like IPSec add IP header to Data and hash it for integrity.
So I think this is normal DATA ..... will decrypt by ASA using TLS KEY to form the original packet data.

When TLS packet is encrypted,  we can't see the Hypertext Transfer Protocol in WireShark. 

 

After decrypting the TLS packet, we can see the Hypertext Transfer Protocol in WireShark. 

 

Do you think, that the TLS Packet was partial decrypted, and is that the reason why we can see the Hypertext Transfer Protocol  but cannot see ip and icmp headers? 

The SSL VPN decryption does not happen right after the packet hits the ASA outside interface, this is why when you take the packet capture on the outside interface it won't show in there. The only exception for this that I'm aware of is applicable to the IPSec traffic where you can use the keyword "include-decrypt" alongside the packet capture command on the outside interface, and that will show you the decrypted traffic processed by the ASA. I don't believe there is any similar option for the SSL VPN traffic, but no harm in trying to add that keyword and see if it makes any difference. With regard to the TLS header, the concept here is exactly the same as when you connect to a secure website, the external headers will still be shown on the Wireshark capture, but the data will not as it is encrypted inside the TLS tunnel. In fact, some firewalls nowadays rely on some TLS negotiation details including certificates to try to make the best guess of the traffic type, or of the visited websites.