Cisco Support Community
New Member

iCloud does NOT work with WSA IronPort

 

 

I have a WSA S170, Version: 7.7.0-725, in WCCP with ASA 9.1.3. Everything is OK, but it seems that iCloud is not working.

The AVC fully recognizes the application and decrypts the traffic, but the client receives an error.

I think that this application does NOT support man-in-the-middle decryption. Well, I tried to bypass encryption with a custom category, but without success.

This is log of WSA:

402303528.099 588 192.168.10.54 TCP_MISS_SSL/200 0 TCP_CONNECT 17.172.116.61:443 - DIRECT/17.172.116.61 - DECRYPT_AVC_7-POLICY_POWER_GOLD_secure-POWER_GOLD_IDENTITY-DefaultGroup-NONE-NONE-DefaultGroup <IW_osb,4.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_osb,-,"-","-","iCloud","File Sharing","Encrypted","-",0.00,0,Local,"-","-"> -
1402303528.285 602 192.168.10.54 TCP_MISS_SSL/200 0 TCP_CONNECT 17.167.137.37:443 - DIRECT/17.167.137.37 - DECRYPT_AVC_7-POLICY_POWER_GOLD_secure-POWER_GOLD_IDENTITY-DefaultGroup-NONE-NONE-DefaultGroup <IW_osb,4.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_osb,-,"-","-","iCloud","File Sharing","Encrypted","-",0.00,0,Local,"-","-"> -
 

 

Attached is the error from the application:

 

Does anybody have a fix or workaround to suggest?

 

Best regards.

 

 

5 REPLIES
New Member

I have the same version of AsyncOS on an S170 and the same problem with Microsoft Support, which uses logmein-enterprise.com and a slew of their IP addresses in the 64.74.103.0/24 network. I've tried adding this network to the encryption bypass group but it doesn't make a difference.

New Member

Hi,

The problem is that if I use "decryption bypass", the WSA is not able to recognize the application.

What do you suggest as a workaround?

Cisco Employee

Fcarzaniga - You can try emailing the WSA's certificate to the iPad and installing the certificate?

 

ashaw216 - There is a bug on this.  You cannot bypass based on IP address.  Try bypassing based on the common name of the certificate from those IP addresses.  Example:  If the CN of the certificate coming from 64.74.103.100 is support.microsoft.com, add that into the custom URL category instead of the IP.
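
An added example, not part of the reply above and not Cisco code: one way to find the certificate names that reply says to put in the custom URL category. It lists the destinations the WSA decrypted (from an access log in the format shown in this thread) and reads the CN and DNS names from each server's certificate. The function names and the sample log and certificate data are constructed for illustration.

```python
import re
import socket
import ssl

# Constructed sample lines, modelled on the access log format shown in this thread.
SAMPLE_LOG = (
    '1402303528.285 602 192.168.10.54 TCP_MISS_SSL/200 0 TCP_CONNECT '
    '17.167.137.37:443 - DIRECT/17.167.137.37 - DECRYPT_AVC_7-POLICY-ID-NONE '
    '<IW_osb,4.9,1,"-",-,IW_osb,-,"-","-","iCloud","File Sharing","Encrypted"> -\n'
    '1402303530.101 40 192.168.10.54 TCP_MISS/200 512 GET http://example.com/ '
    '- DIRECT/93.184.216.34 text/html DEFAULT_CASE_12-POLICY-ID-NONE <IW_comp,"-"> -\n'
)

# CONNECT to ip:port followed later on the line by a DECRYPT_* policy decision.
CONNECT_RE = re.compile(r'TCP_CONNECT (\d{1,3}(?:\.\d{1,3}){3}):(\d+) .*? (DECRYPT_\S+)')

def decrypted_destinations(log_text):
    """Return sorted unique (ip, port) pairs of CONNECT requests the WSA decrypted."""
    found = set()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return sorted(found)

def names_from_cert(cert):
    """Extract the subject CN and DNS subjectAltNames from a getpeercert() dict."""
    names = []
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                names.append(value)
    names += [v for kind, v in cert.get('subjectAltName', ()) if kind == 'DNS']
    return sorted(set(n.lower() for n in names))

def fetch_cert(ip, port=443, timeout=5):
    """Fetch the certificate presented at ip:port without SNI (connection by IP only).
    Run from a host whose traffic is not decrypted by the WSA, otherwise the
    proxy-generated certificate is returned."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # connecting by IP; the chain is still verified
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

if __name__ == '__main__':
    for ip, port in decrypted_destinations(SAMPLE_LOG):
        print(ip, names_from_cert(fetch_cert(ip, port)))
```

The names printed for each IP are the candidates to add to the custom URL category in place of the IP address.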

New Member

hi vakwan,

Thank you very much for your support.
For the certificate, I will try to import the certificate on the iPhone and iPad to test.

But for the bypass with certificate, can you send me an example or screenshot? I don't know this kind of configuration with "custom category with Certificate".

Thank you

F.

New Member

hi bakwan, thank you very much for your support. For the certificate, I will try to import the certificate on the iPhone and iPad to test. But for the bypass with certificate, can you send me an example or screenshot of it? I don't know this kind of configuration with "custom category with Certificate". Thank you. F.
