Cisco Bug: CSCvv08244 - Firepower module may block trusted HTTPS connections matching 'Do not decrypt' SSL decryption rule

Last Modified

Oct 13, 2020

Products (1)

  • Cisco Firepower Management Center Virtual Appliance

Known Affected Releases

6.2.2.5 6.2.3.15 6.3.0 6.4.0 6.5.0 6.5.0.4 6.6.0 6.7.0 6.8.0

Description (partial)

Symptom:
Firepower module (also known as the SFR module) running on the Adaptive Security Appliance (ASA) may block trusted HTTPS connections even if the matching rule for these connections is the default rule with the 'Do not decrypt' action. The amount and the frequency of blocked connections may vary depending on the configuration and the utilization of Snort instances in the module.

The following syslog messages may be generated by the ASA:

Jul 21 2020 00:52:28: %ASA-6-302013: Built outbound TCP connection 558 for outside:203.0.113.1/443 (203.0.113.1/443) to inside:192.0.2.1/50398 (198.51.100.1/50398)
Jul 21 2020 00:52:28: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from inside:192.0.2.1/50398 to outside:203.0.113.1/443 locally
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from inside:192.0.2.1/50398 to outside:203.0.113.1/443
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from outside:203.0.113.1/443 to inside:198.51.100.1/50398
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from outside:203.0.113.1/443 to inside:198.51.100.1/50398
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from outside:203.0.113.1/443 to inside:198.51.100.1/50398
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from outside:203.0.113.1/443 to inside:198.51.100.1/50398
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from outside:203.0.113.1/443 to inside:198.51.100.1/50398

In the above example, IP 192.0.2.1 is the real (pre-NAT) client IP address, IP 198.51.100.1 is the mapped (post-NAT) client IP address and IP 203.0.113.1 is the server IP address. As can be seen from the syslog messages, the Firepower module initially requests the ASA to bypass the packets of the trusted flow from further redirection. Then, however, the module requests the packets to be dropped.
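The bypass-then-drop sequence above is the signature to look for when confirming whether connections lost on an ASA are this defect rather than an ordinary policy block. The following script is an added example, not Cisco tooling or text from the original bug entry: it parses ASA syslog lines, registers every flow that the SFR asked the ASA to bypass (message 434004), and reports those flows for which the SFR later requested packet drops (message 434002) in either direction. The sample syslog is constructed from the excerpt above using documentation IP ranges. It assumes, as the excerpt shows, that the client port is preserved across NAT so that the reverse-direction drop (which carries the mapped client IP) can be matched on server IP, server port and client port; if PAT rewrites the source port, the mapped port from the 302013 line would have to be correlated as well.

```python
import re

# Constructed sample mirroring the syslog excerpt in the bug description
# (documentation addresses only). Flow 1 is bypassed and then dropped (the
# defect signature); flow 2 is bypassed only; flow 3 is dropped without a
# preceding bypass, which this check deliberately does not flag.
SAMPLE_SYSLOG = """\
Jul 21 2020 00:52:28: %ASA-6-302013: Built outbound TCP connection 558 for outside:203.0.113.1/443 (203.0.113.1/443) to inside:192.0.2.1/50398 (198.51.100.1/50398)
Jul 21 2020 00:52:28: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from inside:192.0.2.1/50398 to outside:203.0.113.1/443 locally
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from inside:192.0.2.1/50398 to outside:203.0.113.1/443
Jul 21 2020 00:52:28: %ASA-4-434002: SFR requested to drop TCP packet from outside:203.0.113.1/443 to inside:198.51.100.1/50398
Jul 21 2020 00:52:29: %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from inside:192.0.2.7/51000 to outside:203.0.113.2/443 locally
Jul 21 2020 00:52:30: %ASA-4-434002: SFR requested to drop TCP packet from inside:192.0.2.9/52000 to outside:203.0.113.3/443
"""

# Matches the two SFR messages quoted in the bug report: 434004 (bypass) and
# 434002 (drop). Interface names are anything up to the first colon.
SFR_RE = re.compile(
    r"%ASA-\d-(?P<msg>434004|434002): SFR requested "
    r"(?:ASA to bypass further packet redirection and process|to drop) "
    r"(?P<proto>TCP|UDP) (?:flow|packet) "
    r"from (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_sfr_events(text):
    """Yield (msg_id, proto, src, dst) for each SFR bypass/drop line.

    src and dst are (interface, ip, port) tuples; other syslog IDs are skipped.
    """
    for line in text.splitlines():
        m = SFR_RE.search(line)
        if m:
            yield (
                m["msg"],
                m["proto"],
                (m["src_if"], m["src_ip"], int(m["src_port"])),
                (m["dst_if"], m["dst_ip"], int(m["dst_port"])),
            )


def find_bypassed_then_dropped(text):
    """Return {flow_label: drop_count} for flows that the SFR first asked the
    ASA to bypass (434004) and subsequently asked it to drop (434002).

    Flows are keyed on (proto, client_port, server_ip, server_port) so that a
    drop logged in the server-to-client direction, which carries the post-NAT
    client IP, still correlates with the bypass logged for the pre-NAT IP.
    Assumption: the client port survives NAT unchanged, as in the excerpt.
    """
    flows = {}  # key -> {"label": str, "drops": int}
    for msg, proto, src, dst in parse_sfr_events(text):
        if msg == "434004":
            # Bypass is always logged client -> server; src is the real client.
            key = (proto, src[2], dst[1], dst[2])
            label = f"{proto} {src[1]}/{src[2]} -> {dst[1]}/{dst[2]}"
            flows.setdefault(key, {"label": label, "drops": 0})
        else:
            # Drop may be logged in either direction; try both orientations and
            # count it only against a flow that was previously bypassed.
            for key in (
                (proto, src[2], dst[1], dst[2]),  # client -> server
                (proto, dst[2], src[1], src[2]),  # server -> client (mapped IP)
            ):
                if key in flows:
                    flows[key]["drops"] += 1
                    break
    return {f["label"]: f["drops"] for f in flows.values() if f["drops"] > 0}


if __name__ == "__main__":
    for label, drops in find_bypassed_then_dropped(SAMPLE_SYSLOG).items():
        print(f"bypassed then dropped: {label} ({drops} drop requests)")
```

Run it against an exported ASA syslog (for example `show logging` output saved to a file) by replacing SAMPLE_SYSLOG with the file contents; any flow it reports is a candidate for the behaviour described in this bug and worth checking against the SSL policy and ACP conditions listed below.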

Conditions:
So far, the defect has been observed on the Firepower module and on the Firepower Management Center (FMC) running version 6.2.3.15.

All of the following conditions must match:

- Access control policy (ACP) with SSL decryption policy.
- SSL decryption policy with custom decryption rules and with the default rule that has the 'Do not decrypt' action.
- Firepower module handling HTTPS connections matching an access control rule with the Trust action in the ACP.
- Affected HTTPS connections match a custom or default SSL Decryption policy rule with the 'Do not decrypt' action.