https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770942#M1039939 <P>Hi Marvin,</P> <P>&nbsp;</P> <P>thanks for your response, and happe new year:)</P> <P>&nbsp;</P> <P>The problem is not to upload a certificate to FTD. I did that at objects management already, but this certificate isn't used by the Firepower Device Manager Webpage. It is showing me a certificate from "CN=ciscoasa" which i cannot find anywhere. Not within FTD and not in the running config.</P> <P>&nbsp;</P> <P>Regards</P> <P>&nbsp;</P> <P>Raffael</P> Tue, 01 Jan 2019 00:39:01 GMT Raffael 2019-01-01T00:39:01Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770643#M1039934 <P>Hello all,</P> <P>&nbsp;</P> <P>I am running Firepower Threat Defense 6.2.3.7 on a ASA 5506-X at home and i recently getting these error messages when trying to connect via chrome to the Device Manager (<SPAN>ERR_SSL_VERSION_OR_CIPHER_MISMATCH).</SPAN></P> <P>&nbsp;</P> <P><SPAN>I already checked via show ssl-protocol and show crypto ssl ciphers that the ciphers available are be fine. There should be several overlapping ciphers chrome could use.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Next i connected thorugh a virtual machine running Windows 7 to the device, which also got me the warning but at least i could continue configuring. I then checked the certificate offered by the site, which confused me even a bit more. The page shows me a self-signed certificate from ciscoasa. My device isnt called like this, and i cannot find this certificate in any configuration. I have imported an own certificate for the FTD but cannot find an option to tell the FTD using this certificate instead of that ciscoasa certificate.</SPAN></P> <P>&nbsp;</P> <P><SPAN>So maybe someone can help me here with my two questions:</SPAN></P> <P><SPAN>1. Why are there no ciphers overlapping? Base license is registered via smart licensing but i am not sure if that is enough</SPAN></P> <P><SPAN>2. How can i change that certificate for Firepower Device Manager?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks in advance&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> <P>&nbsp;</P> <P><SPAN>Raffael</SPAN></P> <P>&nbsp;</P> Fri, 21 Feb 2020 16:37:15 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770643#M1039934 Raffael 2020-02-21T16:37:15Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770667#M1039935 <P>I'm not sure why you are getting the cipher mismatch. I would check a packet capture to examine the SSL negotiation in detail.</P> <P>&nbsp;</P> <P>As far as adding the external certificate, you do that in the RA VPN setup wizard as shown below. Select "Create new internal certificate" (a bit misleading) and you will be given the option to upload one:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FDM add certificate for RA VPN.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/26827i05CA3CDD739C55A9/image-size/large?v=v2&amp;px=999" role="button" title="FDM add certificate for RA VPN.PNG" alt="FDM add certificate for RA VPN.PNG" /></span></P> <P>&nbsp;</P> <P>For detailed instructions you can go to:</P> <P>&nbsp;</P> <P>https://&lt;your FDM address&gt;/#/help/t_Uploading_Internal_and_Internal_CA_Certificates.html</P> Mon, 31 Dec 2018 03:20:15 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770667#M1039935 Marvin Rhoads 2018-12-31T03:20:15Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770693#M1039936 I think the problem is in your certificate. Even if ASA/FTD has the right<BR />ciphers enabled, it should be supported by the certificate public key.<BR /><BR />In your chrome://flags/ try to disable TLS1.3 and see if it works and make<BR />sure that tls1.2 is enabled. Did you upgrade your chrome recently because I<BR />heard in new versions they stopped the support for lower TLS by default.<BR /> Mon, 31 Dec 2018 07:51:13 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770693#M1039936 Mohammed al Baqari 2018-12-31T07:51:13Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770729#M1039937 <P>TLS 1.2 is the most commonly used in the Internet and should be supported by any browser.</P> <P>&nbsp;</P> <P>I am using Chrome <SPAN>Version 71.0.3578.98&nbsp;</SPAN>(current latest release) and it negotiated TLS 1.2 fine with FDM on my ASA 5506-X (running FTD 6.2.3.4 and using the factory default self-signed certificate).</P> Mon, 31 Dec 2018 10:32:16 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770729#M1039937 Marvin Rhoads 2018-12-31T10:32:16Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770739#M1039938 Thanks Marvin for confirmation<BR /> Mon, 31 Dec 2018 10:42:13 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770739#M1039938 Mohammed al Baqari 2018-12-31T10:42:13Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770942#M1039939 <P>Hi Marvin,</P> <P>&nbsp;</P> <P>thanks for your response, and happe new year:)</P> <P>&nbsp;</P> <P>The problem is not to upload a certificate to FTD. I did that at objects management already, but this certificate isn't used by the Firepower Device Manager Webpage. It is showing me a certificate from "CN=ciscoasa" which i cannot find anywhere. Not within FTD and not in the running config.</P> <P>&nbsp;</P> <P>Regards</P> <P>&nbsp;</P> <P>Raffael</P> Tue, 01 Jan 2019 00:39:01 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770942#M1039939 Raffael 2019-01-01T00:39:01Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770943#M1039940 <P>Hello, and happy new year to both of you,</P> <P>&nbsp;</P> <P>I tried to disable TLS1.3 with no effect. My chrome version is&nbsp;<SPAN>71.0.3578.98 and FTD is also up to date (maybe that is the problem). Unfortunately i didnt have time to look at that problem right when it occured the first time, so i don't know the exact time and possible causes for it.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I think the certificate might be the problem, ye, but i still don't know how to change the Firepower Device Manger Web Service certificate. Any clues here.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Guess i am going to check wireshark soon.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> <P>&nbsp;</P> <P><SPAN>Raffael</SPAN></P> Tue, 01 Jan 2019 00:42:58 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770943#M1039940 Raffael 2019-01-01T00:42:58Z https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770944#M1039941 <P>Hello, and happy new year to both of you,</P> <P>&nbsp;</P> <P>I tried to disable TLS1.3 with no effect. My chrome version is&nbsp;<SPAN>71.0.3578.98 and FTD is also up to date (maybe that is the problem). Unfortunately i didnt have time to look at that problem right when it occured the first time, so i don't know the exact time and possible causes for it.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I think the certificate might be the problem, ye, but i still don't know how to change the Firepower Device Manger Web Service certificate. Any clues here.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Guess i am going to check wireshark soon.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> <P>&nbsp;</P> <P><SPAN>Raffael</SPAN></P> Tue, 01 Jan 2019 00:44:07 GMT https://community.cisco.com/t5/network-security/firepower-device-manager-err-ssl-version-or-cipher-mismatch/m-p/3770944#M1039941 Raffael 2019-01-01T00:44:07Z