10-22-2013 09:16 AM - edited 03-11-2019 07:54 PM
Hi there,
Thanks for reading!
We've got a Series 800 SOHO with EzVPN running. It gets connected to our internal network through our ASA 5520 just fine. We have clients on the SOHO side which can ping and RDC to servers inside our network.
The SOHO clients are using MS Lync 2013 (instant messenger), which fails. Packet captures reveal that the external Lync clients are receiving an SSL cert from the firewall when they should be receiving one from the internal Lync server. Running a capture against internal clients shows that working inside clients receive our GoDaddy cert and the program works.
Any thoughts on this?
Thanks!
Bob
10-22-2013 10:10 AM
Hi Bob ,
If you are getting the ASA certificate, then there is a problem? Could you please paste the ASA config?
The ASA should never intercept the communication unless it thinks it owns that thing... Please also provide the source and destination addresses.
Moh.
10-22-2013 11:04 AM
Hi Moh,
Thanks for writing.
The behavior is unexpected. The capture shows client-side SIP-TLS / Client Hello packets getting all the way to their appropriate internal server destination. The returning Server Hello / Certificate packets (from the appropriate IP address to the appropriate IP address) name a specific CAP-RTP-001 certificate that is part of the 5520 configuration.
The client application throws a certificate error, apparently having received a certificate other than that from the intended server.
The senior guys around here would drag their feet about an entire copy / paste of our FW config. Are there relevant sections you'd like to see which I can snippet into this thread?
Thanks again for weighing in!
Bob
10-22-2013 11:18 AM
So it seems you have a SIP proxy on the ASA that intercepts SIPS from the clients.
10-22-2013 03:00 PM
Hi Moh,
I have an answer.
This is expected behavior (although it was new to me). We had configured a TLS Proxy so it was handling TLS requests according to our configuration. We have staff who work from home with VOIP phones and need to have the firewall hand out certs to those clients.
We found that we were inspecting SIP in our phone proxy policy map and that was the connection. We modified that map to exclude SIP from inspection and those packets are now getting to their destination and the Lync clients are working.
Thanks again for your willingness!
Bob
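As an added illustration, not configuration taken from the thread, here is the shape of the policy-map change Bob describes, in ASA CLI syntax. The class-map, policy-map, phone-proxy and access-list names and the IP addresses are assumptions; the definitions of the phone-proxy and tls-proxy objects themselves are not shown. The last section goes beyond the thread: it keeps the phone proxy for the IP phones while still leaving the Lync traffic alone.

```text
! --- Before (assumed names): every TCP/5061 flow crossing the ASA is matched
! --- and handed to the phone proxy, so the Lync SIP-TLS sessions were
! --- terminated by the ASA's TLS proxy and the external clients were shown
! --- the ASA's own certificate instead of the Lync server's.
class-map sec_sip
 match port tcp eq 5061
!
policy-map global_policy
 class sec_sip
  inspect sip phone-proxy asa_phone_proxy
!
! --- After, as described in the thread: SIP inspection is removed from that
! --- class, so 5061 traffic is no longer proxied and passes to the Lync server.
policy-map global_policy
 class sec_sip
  no inspect sip phone-proxy asa_phone_proxy
!
! --- Narrower alternative (assumption, not from the thread): match only 5061
! --- traffic to the call manager (10.10.10.5, a made-up address) so the phones
! --- keep the phone proxy while 5061 to the Lync server is never intercepted.
! --- An L3/L4 class-map takes a single match criterion, so the port match is
! --- removed before the access-list match is added.
access-list PP_SIP extended permit tcp any host 10.10.10.5 eq 5061
class-map sec_sip
 no match port tcp eq 5061
 match access-list PP_SIP
policy-map global_policy
 class sec_sip
  inspect sip phone-proxy asa_phone_proxy
```

After the change, `show service-policy inspect sip` on the ASA should no longer count the Lync clients' 5061 connections under the phone-proxy class, and a capture on the client side should show the Lync server's GoDaddy-issued certificate in the Server Hello / Certificate messages rather than the ASA's CAP-RTP-001 certificate.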
10-22-2013 04:16 PM
Thanks for posting the resolution. +5