Cisco Firepower Threat Defense Virtual - SSL handshake error

Paulo Thame
Level 1

We moved to the FTDv today, but we have a problem with a bank application that uses a .pfx certificate to authenticate.

FW logs look good, without blocks, but the application can't complete; I receive the error

"Erro: com.sun.xml.internal.ws.wsdl.parser.InaccessibleWSDLException: 2 counts of InaccessibleWSDLException.

javax.net.ssl.SSLProtocolException: The size of the handshake message (5571587) exceeds the maximum allowed size (32768)
javax.net.ssl.SSLProtocolException: The size of the handshake message (5571587) exceeds the maximum allowed size (32768)"

[screenshot attached: PauloThame_0-1692749296982.png]

[screenshot attached: PauloThame_0-1692749784331.png]

When I do the same using the other FW I came from, I don't receive any error.

Can anyone help with this issue?
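The quoted JSSE error is the Java client enforcing a hard ceiling on the size of a single TLS handshake message, so the quickest way to confirm whether the path through the new firewall is producing an oversized or truncated Certificate message is to decode the server's handshake flight from a Wireshark export. The Python script below is an added example, not code from the original post or from Cisco: it walks raw TLS records, reassembles handshake messages across record boundaries (the record and handshake layouts are the ones defined in RFC 5246 for TLS 1.2), and flags any message whose declared length exceeds the 32768-byte limit quoted in the error. The two byte streams it runs on are constructed inline; the second one reproduces the shape of the failure in the thread (a Certificate message claiming 5571587 bytes of which only one record ever arrives).

```python
import struct

# Limit quoted in the JSSE error on the page ("maximum allowed size (32768)").
JSSE_DEFAULT_MAX_HANDSHAKE = 32768
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done"}


def parse_records(data):
    """Split a raw TLS byte stream into (content_type, version, body, truncated) records."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        truncated = len(body) < length          # header promises more than arrived
        records.append((ctype, version, body, truncated))
        if truncated:
            break
        pos += 5 + length
    return records


def handshake_messages(data):
    """Reassemble handshake messages across record boundaries.

    Returns (type, declared_length, bytes_actually_present) per message; a
    message whose declared length exceeds what arrived is exactly what a
    dissector reports as 'malformed' or 'truncated'.
    """
    buf = b"".join(body for ctype, _, body, _ in parse_records(data)
                   if ctype == CONTENT_TYPE_HANDSHAKE)
    msgs, pos = [], 0
    while pos + 4 <= len(buf):
        htype = buf[pos]
        declared = int.from_bytes(buf[pos + 1:pos + 4], "big")
        present = min(declared, len(buf) - pos - 4)
        msgs.append((htype, declared, present))
        pos += 4 + declared
    return msgs


def oversized_messages(data, limit=JSSE_DEFAULT_MAX_HANDSHAKE):
    """Return (name, declared_length) for every handshake message a JSSE client would reject."""
    return [(HANDSHAKE_NAMES.get(t, f"type_{t}"), declared)
            for t, declared, _ in handshake_messages(data) if declared > limit]


# --- constructed sample input (not a real capture) ---------------------------
def _record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


# Minimal TLS 1.2-style ServerHello body: version, 32-byte random,
# empty session id, one cipher suite, null compression.
SERVER_HELLO = _handshake(2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")

# Sample 1: a sane server flight carrying a 2000-byte Certificate message.
GOOD_FLIGHT = _record(22, SERVER_HELLO) + _record(22, _handshake(11, b"\x00" * 2000))

# Sample 2: the shape of the failure in the thread: a Certificate message whose
# header claims 5571587 bytes while only a single 16 KB record ever arrives.
BAD_CERT_HEADER = bytes([11]) + (5571587).to_bytes(3, "big")
BAD_FLIGHT = _record(22, SERVER_HELLO) + _record(22, BAD_CERT_HEADER + b"\x00" * 16380)


if __name__ == "__main__":
    for name, flight in (("good", GOOD_FLIGHT), ("bad", BAD_FLIGHT)):
        for htype, declared, present in handshake_messages(flight):
            label = HANDSHAKE_NAMES.get(htype, f"type_{htype}")
            print(f"{name}: {label} declared={declared} present={present}")
        print(f"{name}: oversized -> {oversized_messages(flight)}")
```

Running it against the bytes of the server flight captured on each path (old firewall versus FTDv) shows directly whether the Certificate message the client sees has changed. Note that Java does expose a system property for this ceiling (`jdk.tls.maxHandshakeMessageSize`), but raising it only masks a server flight that the middlebox has mangled; the comparison between the two captures is what tells you where the message was altered.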

Accepted Solution

Paulo Thame
Level 1

The solution was to remove the "TLS Server Identity Discovery" setting inside Policies; after that the communication completed without errors.

[screenshot attached: PauloThame_0-1692976772937.png]

3 Replies

balaji.bandi
Hall of Fame

Are the certs the same, and you only introduced FTD in the path, right?

As per the rule you mentioned:

Do Not Decrypt

If you elect to bypass decryption for certain types of traffic, no processing is done on the traffic. The encrypted traffic proceeds to the access control policy, where it is allowed or dropped based on the access control rule it matches.

Not sure why it says application risk medium?

BB


Paulo Thame
Level 1

That's right @balaji.bandi, I just introduced the FTD.

This application is only to test whether the communication between my APP and the bank APP is OK, simulating one full execution.

On Wireshark I can see a problem when the TLS communication starts: after the certificate request, it receives a malformed packet.

I tried:

1 - a policy to "Trust" the connection with the bank URL.

2 - a prefilter

[screenshot attached: PauloThame_0-1692791764775.png]

Now I need to roll back; tomorrow I will try once again.
