FTD's - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized Kyber

Hello

We have a lot of clients getting the following error when contacting different sites: ERR_SSL_PROTOCOL_ERROR. We have read that SonicWall and Palo Alto also have these problems. The solution is to turn off "TLS 1.3 Hybridized Kyber Support" in the Chromium web browser, and/or I have tried to disable all SSL and "Early application detection and URL categorization" for 1.3 in Firepower.

We are using fw: 7.2.5, have created a TAC case and are waiting for answer.

Anybody else getting this ?

Regards 

J.

Please rate as helpful, if that would be the case. Thanx

Do you use any ssl encrypt policy?

MHM

No
Please rate as helpful, if that would be the case. Thanx

In FMC 

Policies > access control - access control

There is 

Ssl policy 

Can you confirm whether it lists any policy or not?

MHM

I'm telling you there is no SSL policy. I'm trying to verify if this is only a browser problem or if there are fixes in 7.2.6.

Other firewall vendors are facing problems.
Please rate as helpful, if that would be the case. Thanx

jasitalymil
Level 1

Hello,
I have same issue and I don't have ssl policy (FMC and FTD HA  7.2.5-208)

thanks
FF

https://bst.cisco.com/bugsearch/bug/CSCwf00417?rfs=qvlogin

Check this bug and its workaround.

MHM

This is not it; the versions don't match, and it's not the same error either. The problem arose around 16 April when the browser functionality was changed. Whether or not to upgrade to 7.2.6 is the question.
Please rate as helpful, if that would be the case. Thanx

The traffic is HTTPS and hence FTD cannot inspect inside the packet (without an SSL policy).

I shared the bug with you, and one of the workarounds is to use a prefilter, or you can use an ACP rule matching the HTTPS application with action "trust".

MHM

SFrahm
Level 1

We are seeing the same thing on 7.2.5.1
Prefilter rules do fix it, but since it is a lot of websites not working it is really not a way to go. We have also created a TAC case on the issue. Looking around different forums many are seeing this issue, not just on firepower. 
Hope to get an update soon as this is a major issue for customers.

patoberli
VIP Alumni

Same problem seems to happen if a WSA (Secure Web Appliance) is in the path. No workaround there yet, besides disabling Kyber Support in the client browsers.

After going through different blogs and sites of other vendors, I see this has been a discussion going on for months. I'm seeing discussions on the Fortinet site from November last year. Chromium developers are blaming firewall/security vendors for the problem. I guess we are stuck in the middle. Problems started with Chrome version 124.0.6367.61 and Edge version 124.0.2478.51.

Please rate as helpful, if that would be the case. Thanx
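The browser change referred to above is Chrome 124 / Edge 124 starting to offer the hybrid X25519Kyber768 group (IANA codepoint 0x6399, X25519Kyber768Draft00) in the TLS 1.3 ClientHello, whose key share is 1216 bytes (32-byte X25519 share plus a 1184-byte Kyber768 encapsulation key) instead of 32 bytes. A practical check for anyone working a TAC case like this is to look at the ClientHello a failing client actually sends. The following Python parser is an added example written for this thread, not code from Cisco, Chromium or any vendor mentioned here: it builds two constructed ClientHellos (one classic, one offering the hybrid group), then parses the supported_groups and key_share extensions and reports the record size and how many TCP segments it would span at an assumed 1460-byte MSS. Real browser hellos carry many more extensions (SNI, ALPN, signature algorithms and so on) and are therefore larger than the minimal constructed ones here; `parse_client_hello` can be fed the raw bytes of a captured record instead.

```python
import struct

# Named-group codepoints from the IANA TLS Supported Groups registry
X25519 = 0x001D
SECP256R1 = 0x0017
X25519_KYBER768_DRAFT00 = 0x6399   # hybrid group Chrome/Edge 124 enable by default
HYBRID_GROUPS = {X25519_KYBER768_DRAFT00: "X25519Kyber768Draft00"}
HYBRID_SHARE_LEN = 32 + 1184       # X25519 share + Kyber768 encapsulation key
TYPICAL_MSS = 1460                 # assumption: Ethernet MSS without TCP options


def _vec(data, len_bytes):
    """TLS vector: length prefix of len_bytes followed by the data."""
    return len(data).to_bytes(len_bytes, "big") + data


def build_client_hello(groups, key_shares):
    """Construct a minimal TLS 1.3 ClientHello record (constructed test input).
    groups: list of named-group codepoints; key_shares: list of (group, public_key_bytes)."""
    body = b"\x03\x03" + bytes(32)          # legacy_version + random (zeros, constructed)
    body += _vec(b"", 1)                    # legacy_session_id (empty)
    body += _vec(b"\x13\x01", 2)            # cipher_suites: TLS_AES_128_GCM_SHA256
    body += _vec(b"\x00", 1)                # legacy_compression_methods: null
    exts = struct.pack(">HH", 43, 3) + b"\x02\x03\x04"          # supported_versions: 1.3
    sg = b"".join(struct.pack(">H", g) for g in groups)
    exts += struct.pack(">H", 10) + _vec(_vec(sg, 2), 2)         # supported_groups
    ks = b"".join(struct.pack(">H", g) + _vec(pk, 2) for g, pk in key_shares)
    exts += struct.pack(">H", 51) + _vec(_vec(ks, 2), 2)         # key_share
    body += _vec(exts, 2)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # Handshake: client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs     # TLSPlaintext record


def parse_client_hello(record):
    """Parse a single TLS record holding a ClientHello; return groups and key-share sizes."""
    ctype, _ver, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != 0x16 or len(record) != 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                               # legacy_version + random
    pos += 1 + body[pos]                       # legacy_session_id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + cs_len
    pos += 1 + body[pos]                       # compression methods
    (ext_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    groups, shares = [], {}
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == 10:                        # supported_groups
            (n,) = struct.unpack(">H", edata[:2])
            groups = [struct.unpack(">H", edata[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == 51:                      # key_share: record each share's length
            (n,) = struct.unpack(">H", edata[:2]); q = 2
            while q < 2 + n:
                g, klen = struct.unpack(">HH", edata[q:q + 4]); q += 4
                shares[g] = klen; q += klen
    return {"record_bytes": len(record), "groups": groups, "key_share_sizes": shares}


def diagnose(record, mss=TYPICAL_MSS):
    """Flag hybrid PQ groups and estimate how many TCP segments the hello needs."""
    info = parse_client_hello(record)
    info["hybrid_groups"] = [HYBRID_GROUPS[g] for g in info["groups"] if g in HYBRID_GROUPS]
    info["tcp_segments_needed"] = -(-info["record_bytes"] // mss)
    info["fits_one_segment"] = info["record_bytes"] <= mss
    return info


if __name__ == "__main__":
    classic = build_client_hello([X25519, SECP256R1], [(X25519, bytes(32))])
    hybrid = build_client_hello([X25519_KYBER768_DRAFT00, X25519, SECP256R1],
                                [(X25519_KYBER768_DRAFT00, bytes(HYBRID_SHARE_LEN)),
                                 (X25519, bytes(32))])
    for name, rec in (("classic", classic), ("hybrid", hybrid)):
        print(name, diagnose(rec))
```

If the captured hello from an affected client lists X25519Kyber768Draft00 and the same client works once "TLS 1.3 Hybridized Kyber Support" is disabled, the browser-side change is confirmed as the trigger; the size and segment count are what to compare against what the firewall actually forwards.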

I don't have time these days. If you can wait for me until next weekend, I will check again.

Thanks for waiting.

MHM

swilke318
Level 1

Same issue on FMC and FTD HA 7.2.6. What a fun time figuring that one out.
