Well. This is the profile. I only want to decrypt TLSv1.0. Other traffic is supposed to be allowed without being decrypted, or I may have misunderstood how inbound inspection works.

When the issue happens, the client tries to negotiate TLSv1.2 and something goes wrong.

This is captured on the FW, at firewall stage:

And this is captured from the client side:

After opening a case, a workaround has been supplied: "Enabling TLSv1.2 on the profile, it works properly".

Anyway, that's not the point. Because traffic that cannot be decrypted should be allowed as SSL, shouldn't it? If I don't want to decrypt nor block sessions based on TLSv1.1 or TLSv1.2, why are they being blocked?