topic Re: Great Answer Panagioti, it in Network Security

Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

davebornack — Mon, 11 Mar 2019 19:12:54 GMT

Does my device not support enough encryption to get ASDM/SSL/HTTP working?

First time I've ever seen this...:

%ASA-7-609001: Built local-host inside:192.168.1.10
%ASA-7-609001: Built local-host identity:192.168.1.1
%ASA-6-302013: Built inbound TCP connection 13 for inside:192.168.1.10/61194 (192.168.1.10/61194) to identity:192.168.1.1/443 (192.168.1.1/443)
%ASA-6-725001: Starting SSL handshake with client inside:192.168.1.10/61194 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client inside:192.168.1.10/61194 proposes the following 11 cipher(s).
%ASA-7-725011: Cipher[1] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : RC4-MD5
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : AES128-SHA
%ASA-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[11] : DES-CBC3-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 13 for inside:192.168.1.10/61194 to identity:192.168.1.1/443 duration 0:00:00 bytes 7 TCP Reset by appliance
%ASA-7-609002: Teardown local-host inside:192.168.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host identity:192.168.1.1 duration 0:00:00

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

Panos Kampanakis — Mon, 22 Nov 2010 17:13:40 GMT

Do you have "ssl encryption" command on the ASA that sets ciphers that are not matched with the client proposed ciphers?

Can you check using the ssl command?

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

davebornack — Mon, 22 Nov 2010 17:20:30 GMT

It responds with :

XXX algorithms require a VPN-3DES-AES activation key.

I've tried like.. 8 of the ones it says my client is proposing.

I shouldn't need a special license to get ASDM working out of the box..

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

Panos Kampanakis — Mon, 22 Nov 2010 17:35:42 GMT

Hmm, do you have a 3DES license on your ASA, or DES? "sh ver" should show you that.

If you have DES it will not do the algorithms for SSL encryption etc.

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

davebornack — Mon, 22 Nov 2010 17:41:03 GMT

"This platform has a base license"

So this means that I can't even run ASDM with a base license?

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

praprama — Tue, 23 Nov 2010 01:14:14 GMT

Hi,

It is better you get a 3DES license for your ASA.

Otherwise, one way to get it working would be to change the cipher suites being sent by the client's browser. I am not really sure of how to do that but i am pretty sure google will give you good results.

Let me now how it goes!

Cheers,

Prapanch

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

cadet alain — Tue, 23 Nov 2010 10:11:23 GMT

Hi,

You tried with different browsers and ssl settings?

Regards.

Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

MARK BAKER — Wed, 28 Mar 2012 14:33:59 GMT

I found this post, but didn't see the answer. I did find the answer elsewhere and wanted to update this post in case someone else has this issue. I had to enable a cipher that was compatible with my browser using the below command on the ASA.

ssl encryption aes256-sha1

Hope this helps someone find the answer quicker.

Mark

Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

phuoctrung — Wed, 02 Oct 2013 10:27:59 GMT

I have the same issue. It is helpful for me

Great Answer Panagioti, it

dchrysovergis — Fri, 16 Oct 2015 11:40:16 GMT

Great Answer Panagioti, it worked for me.. the answer was in front of our eyes!

%ASA-6-725001: Starting SSL handshake with client inside:xx.xx.xx.xx/59308 for TLS session.
%ASA-7-725010: Device supports the following 3 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
%ASA-7-725008: SSL client inside:10.10.8.25/59308 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DES-CBC3-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

Thank you for pointing this!

It was helpful, thanks!

f9is — Fri, 11 Mar 2016 16:05:57 GMT

It was helpful, thanks!

I had the same problem which I was fighting with last couple days. I had to format and erase my flash during flash replacement, and ASA lost activation code and all ciphers. After reading your post I realized what is wrong, restored the activation key and applied ciphers to SSL.

Thanks again!

Igor

Re: Great Answer Panagioti, it

Adam Hinchliff — Thu, 10 Jan 2019 22:08:25 GMT

Where is the answer? I dont see any comments from Panagioti

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

gnwanma2012 — Sat, 12 Oct 2019 10:54:47 GMT

Thanks...this was very helpful

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

tproeber — Sun, 08 Nov 2020 02:27:13 GMT

THIS worked for me:

ssl encryption aes256-sha1

Thank you so much!!!!1

Re: Cisco ASA 5505 SSL/HTTPS/ASDM Won't work, Cipher fail

Fahadk — Sun, 17 Sep 2023 09:59:20 GMT

firmware version 9.2 it doesn't support tlsv1.2

firmware version 9.4 on wards it support

QRCS-DC# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2

version 9.4

QRCS-DC# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2