Field Notice: FN - 70571 - WSA/ESA - TLS 1.0 and 1.1 Deprecation Affects Reporting to Cisco Threat Grid - Software Upgrade Recommended

Available Languages

Updated:November 10, 2021

Document ID:FN70571

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	16-Jun-20	Initial Release
1.1	25-Nov-20	Updated the Products Affected, Defect Information, Problem Description, Problem Symptom, and Workaround/Solution Sections
1.2	27-Apr-21	Updated the Problem Description Section
1.3	10-Nov-21	Updated the Products Affected, Defect Information, Problem Description, Problem Symptom, and Workaround/Solution Sections

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number
NON-IOS	AsyncOS for WSA	10	10.0.0, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.5.1, 10.5.1_LD, 10.5.2
NON-IOS	AsyncOS for WSA	11	11.0.0, 11.5.1, 11.5.3
NON-IOS	AsyncOS for Content Security Management Appliance (SMA)	10.1	10.1.0
NON-IOS	AsyncOS for Secure Email	12	12.0.0, 12.1.0, 12.5.0
NON-IOS	AsyncOS for Secure Email	13	13.5.1

Defect Information

Defect ID	Headline
CSCvu51905	[SMA] - Limitation: Software Version does not support TLS1.0/1.1
CSCvu51814	[WSA] - Limitation: Software Version does not support TLS1.0/1.1
CSCvu51802	[ESA] - Limitation: Software Version does not support TLS1.0/1.1

Problem Description

As of 2021-06-30, Transport Layer Security (TLS) Versions 1.0 and 1.1 will no longer be supported by the Cisco Threat Grid service. After this date, all Advanced Malware Protection (AMP) enabled devices that submit samples to Cisco Threat Grid for dynamic file analysis will be required to support TLS Version 1.2. This change affects the Secure Email Gateway (ESA), Web Security Appliance (WSA), and Security Management Appliance (SMA) devices that have AMP subscriptions and submit samples to Cisco Threat Grid for analysis.

Background

The Internet Engineering Task Force (IETF) has officially deprecated TLS Versions 1.0 and 1.1 and has advised all users to use TLS Version 1.2 or later. In order to meet the IETF recommendation, Cisco has been transitioning all products to support the TLS Version 1.2 or later protocols, which includes the Cisco Threat Grid service.

Problem Symptom

ESA, WSA, and SMA appliances that run TLS Version 1.1 or earlier will encounter a TLS communication error, and report submissions to the Cisco Threat Grid service will fail.

Workaround/Solution

ESA

If you run:

Version 12.0.x of AsyncOS for ESA, upgrade to AsyncOS for ESA 12.5.3-035 or later.
Version 12.1.x of AsyncOS for ESA, upgrade to AsyncOS for ESA 12.5.3-035 or later.
Version 12.5.2 of AsyncOS for ESA or earlier, upgrade to AsyncOS for ESA 12.5.3-035 or later.
Version 13.0.0 of AsyncOS for ESA and require Common Criteria, upgrade to AsyncOS for ESA 13.0.4-007 or later.
Version 13.0.0 of AsyncOS for ESA and do not require Common Criteria, upgrade to AsyncOS for ESA 13.5.3-010 or later.
Version 13.5.2 of AsyncOS for ESA or earlier, upgrade to AsyncOS for ESA 13.5.3-010 or later.

WSA

If you run:

Version 10.1.x of AsyncOS for WSA on the S170 platform, upgrade to AsyncOS for WSA 10.1.5-034.
Version 10.5.x of AsyncOS for WSA, upgrade to AsyncOS for WSA 10.5.6-024 or later.
Version 11.5 of AsyncOS for WSA, upgrade to AsyncOS for WSA 11.8 or later.
AsyncOS 10.5.2 Common Criteria release, you should upgrade to AsyncOS 11.8 or later Common Criteria release.

SMA

If you run Version 10.x of AsyncOS for SMA, upgrade to AsyncOS for SMA 11.0.1-152 or later.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)