TLS Packet Decapsulation Question (AnyConnect SSL VPN)

WilliamLearner
Level 1

Hello everyone!

 

I have a deeply technical question you might be interested in. 

 

All information is represented below on the slide:

 

[Image: TLS Packet Decapsulation Question (slide)]

 

Here is the Wireshark screenshot (the TLS packet was captured at the entrance to the ASA and decrypted by Wireshark):

 

[Image: Decrypted TLS packet at the entrance to the ASA]

 

4 Replies

How is this data decrypted?
The DATA is what gets encrypted, not the header; the header still appears so the packet can be forwarded from hop to hop. BUT
some protocols like IPSec add an IP header to the data and hash it for integrity.
So I think this is normal DATA ..... it will be decrypted by the ASA using the TLS key to form the original packet data.

When the TLS packet is encrypted, we can't see the Hypertext Transfer Protocol in Wireshark.

After decrypting the TLS packet, we can see the Hypertext Transfer Protocol in Wireshark.

Do you think that the TLS packet was partially decrypted, and that this is the reason why we can see the Hypertext Transfer Protocol but cannot see the IP and ICMP headers?

The SSL VPN decryption does not happen right after the packet hits the ASA outside interface, this is why when you take the packet capture on the outside interface it won't show in there. The only exception for this that I'm aware of is applicable to the IPSec traffic where you can use the keyword "include-decrypt" alongside the packet capture command on the outside interface, and that will show you the decrypted traffic processed by the ASA. I don't believe there is any similar option for the SSL VPN traffic, but no harm in trying to add that keyword and see if it makes any difference. With regard to the TLS header, the concept here is exactly the same as when you connect to a secure website, the external headers will still be shown on the Wireshark capture, but the data will not as it is encrypted inside the TLS tunnel. In fact, some firewalls nowadays rely on some TLS negotiation details including certificates to try to make the best guess of the traffic type, or of the visited websites.
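To make the point in the reply above concrete (outer headers visible, tunneled data opaque until the TLS session is decrypted), here is an added example that is not code from this thread, from Cisco or from Wireshark. It builds a tunneled ICMP echo request, wraps it in a TLS application_data record, and shows that a capture taken without the session key can parse only the cleartext TLS record header, while the inner IP and ICMP headers become parseable only after the record fragment is decrypted. The addresses, the session key and the SHA-256 XOR keystream used as a stand-in for TLS record protection are all constructed assumptions; real TLS protects records with an AEAD cipher negotiated in the handshake, and this example does not model the AnyConnect tunnel framing itself.

```python
import hashlib
import socket
import struct

# Constructed sample addresses from the documentation ranges (not real hosts).
CLIENT_IP = "192.0.2.10"       # AnyConnect client's tunnel address (assumed)
INSIDE_HOST = "198.51.100.20"  # host behind the ASA being pinged (assumed)
SESSION_KEY = b"constructed-session-key"  # stand-in for the TLS traffic key (assumed)

TLS_APPLICATION_DATA = 23
TLS_VERSION_12 = 0x0303
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 / RFC 792 one's-complement checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_icmp_echo(ident: int = 0x1234, seq: int = 1) -> bytes:
    """The tunneled packet: IPv4 header + ICMP echo request (what the client sends inside TLS)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"ping-over-anyconnect"
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xBEEF, 0, 64, 1, 0,
                      socket.inet_aton(CLIENT_IP), socket.inet_aton(INSIDE_HOST))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def toy_record_protection(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in for TLS record protection: XOR with a SHA-256 counter keystream.
    Real TLS uses an AEAD (e.g. AES-GCM) keyed from the handshake; this toy only
    models 'opaque without the key'. It is symmetric, so the same call decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!QQ", seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_tls_record(content_type: int, version: int, fragment: bytes) -> bytes:
    """TLS record header (RFC 5246 section 6.2): type(1) version(2) length(2), then the fragment."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


def parse_tls_record(buf: bytes) -> dict:
    """What a capture shows without keys: the record header is cleartext, the fragment is opaque."""
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    if len(buf) < 5 + length:
        raise ValueError("truncated TLS record")
    return {"content_type": TLS_CONTENT_TYPES.get(ctype, "unknown"),
            "version": version, "length": length, "fragment": buf[5:5 + length]}


def try_parse_inner(data: bytes):
    """Interpret bytes as a tunneled IPv4 packet; None unless the header is structurally valid."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return None
    total_len, proto = struct.unpack("!H", data[2:4])[0], data[9]
    if total_len != len(data) or ones_complement_checksum(data[:ihl]) != 0:
        return None
    pkt = {"src": socket.inet_ntoa(data[12:16]), "dst": socket.inet_ntoa(data[16:20]), "proto": proto}
    if proto == 1:  # ICMP: expose type and code, as a dissector would
        pkt["icmp_type"], pkt["icmp_code"] = data[ihl], data[ihl + 1]
    return pkt


def capture_view(record_bytes: bytes) -> dict:
    """Outside-interface view: TLS record fields only, inner IP/ICMP not recoverable."""
    rec = parse_tls_record(record_bytes)
    return {"content_type": rec["content_type"], "length": rec["length"],
            "inner": try_parse_inner(rec["fragment"])}


def decrypted_view(record_bytes: bytes, key: bytes, seq: int) -> dict:
    """View with the session key: the fragment decrypts to the tunneled IP packet."""
    rec = parse_tls_record(record_bytes)
    return {"content_type": rec["content_type"],
            "inner": try_parse_inner(toy_record_protection(key, seq, rec["fragment"]))}


def demo():
    inner = build_inner_icmp_echo()
    record = build_tls_record(TLS_APPLICATION_DATA, TLS_VERSION_12,
                              toy_record_protection(SESSION_KEY, 1, inner))
    return capture_view(record), decrypted_view(record, SESSION_KEY, 1)


if __name__ == "__main__":
    before, after = demo()
    print("outside-interface view:", before)
    print("after TLS decryption :", after)
```

The "before" view is all a firewall or a capture on the outside interface can work with without the session key: record type, version and length (plus the IP/TCP headers that carried it, omitted here), which is why traffic classification on such devices leans on handshake details rather than payload. The inner 192.0.2.10 to 198.51.100.20 echo request only appears in the "after" view.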