We had a situation come up today; we have users that access a site that uses digital certificates (Fedline) for access, and it stopped working for all users at multiple branches this morning. It didn't give any kind of error message - the login (user/pass) page for the site was fully accessible. Since we are set up with certificates, we don't have the login credentials. The distant end swore up and down that everything was good on their end. (And it was.)
Turns out, Ironport started dropping/decrypting traffic to that IP address. The fix action was to add the decrypted IP to our 'Nodecrypt' category. This had been functioning correctly for months, but we are concerned because it caused a significant outage, and we didn't make any changes to Ironport, but it definitely started treating the traffic destined for that IP differently. What would cause this kind of behavior? Is there a way to stop it from doing this again?
I had this issue with a bank or two using Entrust; when I added Entrust's intermediate cert to the WSA, it started decrypting traffic. I'm not sure if it's a bug in the WSA where they aren't following the chain, or if the web site should be importing the intermediate cert...
Assuming IE, view the cert using the browser; on the Details tab, click the Copy to File button and save it as a Base-64 encoded X.509.
Then in the WSA, go to Security Services/HTTPS Proxy, click on Manage Trusted Root Certificates... near the bottom, and import the new one.
Thanks Ken... but what I am not clear on is why Ironport started treating this traffic differently out of the blue, without any configuration changes. It happened again this morning with a different IP, same site. (Although I think importing the certificate like you said would have prevented it from happening; I am off to find a user with the cert.)
Just really frustrating and we REALLY want to avoid surprises like this in the future. If anyone has any ideas on how to prevent this from happening again I am all ears.
Now, there is a spot for Cisco to do something here... as they already ship with the Entrust 2048 cert in their trusted store, so why the intermediate stuff isn't working, I don't know... Maybe someone from Cisco can pipe in here...