Field Notice: FN - 72181 - ESA/WSA - TLS 1.0 and 1.1 Deprecation Affects Connectivity with AMP Cloud - Software Upgrade Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
2.0	22-Feb-22	Updated the Problem Description and Problem Symptom Sections
1.1	10-Nov-21	Updated the Products Affected, Defect Information, Problem Symptom, and Workaround/Solution Sections
1.0	21-Jun-21	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	AsyncOS for WSA	10	10.1.0, 10.1.1, 10.1.2, 10.1.3
NON-IOS	AsyncOS for WSA	11	11.7.0, 11.7.1, 11.7.2, 11.8.0, 11.8.0(refresh), 11.8.0-453, 11.8.1
NON-IOS	AsyncOS for WSA	12	12.0.1, 12.0.1 GD, 12.5.1, 12.5.1 GD
NON-IOS	AsyncOS for Secure Email	12	12.0.0, 12.1.0, 12.5.0
NON-IOS	AsyncOS for Secure Email	13	13.5.1

Defect Information

Defect ID	Headline
CSCvv70262	[WSA] Support TLS1.2 For AMP SSL communication & TLS1.0 and 1.1 removal for AMP
CSCvv69035	[ESA] Support TLS1.2 For AMP SSL communication & TLS1.0 and 1.1 removal for AMP

Problem Description

As of 2022-02-28, Transport Layer Security (TLS) Versions 1.0 and 1.1 will no longer be supported by the Cisco Advanced Malware Protection (AMP) cloud. After this date, all AMP-enabled devices that query the AMP cloud for file reputation will be required to support TLS Version 1.2.

Background

The Internet Engineering Task Force (IETF) has officially deprecated TLS Versions 1.0 and 1.1 and has advised all users to use TLS Version 1.2 or later. In order to meet the IETF recommendation, Cisco has been transitioning all products to support the TLS Version 1.2 or later protocols, which includes the Cisco AMP cloud.

Problem Symptom

Secure Email Gateway (ESA) and Web Security Appliances (WSAs) that run TLS Version 1.1 or earlier will encounter a TLS communication error and requests to the Cisco AMP cloud for file reputation will fail.

Workaround/Solution

WSA

In order to resolve this issue, upgrade the WSA/Virtual WSA to one of these Async OS builds:

• Version 10.1.x on the S170 platform, upgrade to AsyncOS for WSA 10.1.5-034 or later.
• Version 11.7.x earlier than 11.7.3-025, upgrade to AsyncOS for WSA 11.7.3-025 or later.
• Version 11.8.x earlier than 11.8.2-009, upgrade to AsyncOS for WSA 11.8.2-009 or later.
• Version 12.0.x earlier than 12.0.2-004, upgrade to AsyncOS for WSA 12.0.2-004 or later.
• Version 12.5.x earlier than 12.5.1-035, upgrade to AsyncOS for WSA 12.5.1-035 or later.

ESA

In order to resolve this issue, upgrade the ESA/Virtual ESA to one of these Async OS builds:

• Version 12.0.x of AsyncOS for ESA, upgrade to AsyncOS for ESA 12.5.3-035 or later.
• Version 12.1.x of AsyncOS for ESA, upgrade to AsyncOS for ESA 12.5.3-035 or later.
• Version 12.5.2 of AsyncOS for ESA or earlier, upgrade to AsyncOS for ESA 12.5.3-035 or later.
• Version 13.0.0 of AsyncOS for ESA and require Common Criteria, upgrade to AsyncOS for ESA 13.0.4-007 or later.
• Version 13.0.0 of AsyncOS for ESA and do not require Common Criteria, upgrade to AsyncOS for ESA 13.5.3-010 or later.
• Version 13.5.2 of AsyncOS for ESA or earlier, upgrade to AsyncOS for ESA 13.5.3-010 or later.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email or telephone

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.