08-12-2015 10:28 AM
There are several HTTPS sites which, when we try to access them, give varying errors (Firefox "Secure Connection Failed", IE "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting..." even though these are turned on, and Chrome "The webpage is not available ERR_CONNECTION_CLOSED").
Within the proxylog on the WSA170 I see these lines:
Warning: HTTPS : - : Unknown algorithm for public key in X509 certificate
When I run an SSL test against the site it says it supports TLS 1.0 - 1.2, but not SSL. I'm wondering why we're not able to connect.
08-12-2015 10:43 AM
There are a couple of things that could be going on:
1. The current WSA versions don't support TLS 1.1 or 1.2. TLS1.1/1.2 support is coming SOON.
2. There's a bug related to how the WSA tries to negotiate this; it will show up in the access logs as 502 errors for the site in question. The fix for this is coming soon.
I ended up creating a custom category, setting it to "Pass-through" in the Decryption Access Policies.
09-30-2015 06:39 AM
Do we have any more indications when "SOON" will be? More and more sites are moving to TLS 1.1 / 1.2 and becoming inaccessible unless we bypass them (which opens us up to potential malware infection if the site becomes compromised.)
I'm honestly at a total loss how Cisco still doesn't support these protocols, which have been in use for YEARS. TLS 1.1 in 2006 and TLS 1.2 in 2008!!
09-30-2015 07:04 AM
I was in the beta, it exited a few weeks ago...I expect that FCS is imminent but don't have dates.
And yes Product Management knows they dropped the ball big time on this one...
09-30-2015 07:20 AM
Looking forward to the latest update. We are having a lot more issues with this lately.
09-30-2015 08:00 AM
Good Morning
Thanks for reaching out. Support for TLS 1.1 / 1.2 is available with the version 9.0.0-485 build (currently in limited deployment), on a provisioned basis. Please create a TAC case with the serial number of the appliance that needs to have this version provisioned.
Regards,
Zack
10-01-2015 06:44 PM
I currently have a TAC case open for our S680s. Should the engineer be able to provision this version for us? Having several incredibly frustrating issues including this.
10-02-2015 05:56 AM
Good Morning
That is correct. Please let your TAC engineer know and he/she will be able to have it provisioned.
Regards,
Zack
10-02-2015 06:07 AM
Our account manager has mentioned that this update may require a memory upgrade of the appliance (!) -- what are the requirements for it?
10-02-2015 11:18 AM
There are some memory requirements for the S370 (MUST be 8 Gig RAM). Please have the TAC engineer do the research for you and address all the concerns / questions you may have.
Thanks
Zack
02-23-2016 04:10 AM
Hi
I'd like to say we got 9.0.0-485 (S380) and our users can't access https://www.ingdirect.es. In the browser we get ERR_CONNECTION_CLOSED. I downloaded a pcap from our firewall and can see the WSA sends this to the remote server:
TLSv1.2 Record Alert (Level: Fatal, Description: Unsupported Extension)
After that, the WSA sends a RST to the ingdirect server.
I thought this problem was fixed in 9.0.0-485.
Regards
02-24-2016 04:37 AM
The site https://www.ingdirect.es loads fine for me, running 9.0.1-162.
02-24-2016 04:41 AM
Hi Erik
I read in another thread that 9.0.0-485 didn't fix the TLS v1.2 issue. We have to schedule an upgrade to 9.0.1-162; I'm sure the issue will be fixed after upgrading.
Thanks for answering.
01-05-2017 11:57 AM
Good morning,
The same happens to me for the website https://esta.cbp.dhs.gov/. I get the error ERR_CONNECTION_CLOSED in the browser, and in the log capture from the WSA I get error code 502:
1483558564.689 968 10.10.165.35 TCP_MISS / 502 0 TCP_CONNECT 216.81.87.20:443 - DIRECT / esta.cbp.dhs.gov - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup <IW_gov, 3.9, -, "-", IW_gov, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
This happens on WSA version 9.1.1-074, but on a WSA with version 8.5.2-027 I do not get this type of error. Can you please tell me the root cause of this behavior and how I can solve it? Thank you in advance for your cooperation.
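An added example, not part of any post in this thread: a small triage script that finds the symptom described above (a TCP_CONNECT that ends in 502 with zero bytes) in access-log lines and groups it by destination host, recording whether the policy action was pass-through or decrypt. The field layout is inferred from the line quoted in the post above and is an assumption, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the access-log line quoted in this thread (an assumption,
# not Cisco's documented grammar): epoch, elapsed ms, client IP, result/status, bytes,
# method, target, user, hierarchy/host, MIME type, policy decision tag.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)\s*/\s*(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\w+)\s*/\s*(?P<host>\S+)\s+(?P<mime>\S+)\s+(?P<decision>\S+)"
)

# Constructed sample lines (documentation addresses and example.* hosts).
SAMPLE_LOG = """\
1483558564.689 968 192.0.2.35 TCP_MISS/502 0 TCP_CONNECT 198.51.100.20:443 - DIRECT/portal.example.gov - PASSTHRU_WEBCAT_7-Policy-Id-NONE-NONE-NONE-DefaultGroup <IW_gov,3.9,-,"-">
1483558570.102 120 192.0.2.36 TCP_MISS/200 5120 TCP_CONNECT 198.51.100.30:443 - DIRECT/www.example.com - DECRYPT_WEBCAT_7-Policy-Id-NONE-NONE-NONE-DefaultGroup <IW_comp,5.0,-,"-">
1483558580.440 955 192.0.2.40 TCP_MISS / 502 0 TCP_CONNECT 198.51.100.20:443 - DIRECT / portal.example.gov - PASSTHRU_WEBCAT_7-Policy-Id-NONE-NONE-NONE-DefaultGroup <IW_gov,3.9,-,"-">
1483558590.000 30 192.0.2.36 TCP_MISS/502 0 GET http://down.example.net/ - DIRECT/down.example.net - DEFAULT_CASE_12-Policy-Id-NONE-NONE-NONE-DefaultGroup <IW_comp,5.0,-,"-">
"""

def failed_tunnels(log_text):
    """Group CONNECT requests that ended in 502 with zero bytes by destination host."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "actions": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if m["method"] != "TCP_CONNECT" or m["status"] != "502" or m["bytes"] != "0":
            continue  # plain HTTP 502s and successful tunnels are a different problem
        entry = hits[m["host"]]
        entry["count"] += 1
        entry["clients"].add(m["client"])
        # Assumed: the decision tag starts with the action (PASSTHRU, DECRYPT, ...).
        entry["actions"].add(m["decision"].split("_", 1)[0])
    return dict(hits)

if __name__ == "__main__":
    for host, info in failed_tunnels(SAMPLE_LOG).items():
        print(host, info["count"], sorted(info["clients"]), sorted(info["actions"]))
```

A host that fails for several clients with only PASSTHRU in its action set is failing even though the proxy is not decrypting it, which is the situation in the log line quoted above.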
04-13-2016 04:23 AM
Problem solved: we switched to Websense (now Forcepoint), which doesn't have this issue.