topic Thanks Marvin, that Qualys in Network Security

ASDM AES-256 Not Supported?

Phillip Simonds — Fri, 21 Feb 2020 13:38:44 GMT

Last night we went to upgrade our firewalls so that only TLS1.x and AES-256/SHA-1 can be used for VPN connections into the box. After doing so, ASDM stopped working, AnyConnect is still working without issue.

Java reported a SSL handshake error. I went to re-enable encryption mechanisms one by one and determined that AES-128/SHA1 is the highest encryption algorithm I can connect via ASDM on. I tried updating ASDM to the latest version and 7.5(2) won't connect on anything higher than AES-128 either. We are using a self signed certificate on the inside interface, so I enabled ASDM on the outside where we have a valid third party cert and tried connecting via https://<url>/admin to make sure it wasn't a certificate issue, and no dice.

It's a little odd to me that ASDM wouldn't support AES-256. I'm wondering if anyone has any ideas as to why I can't connect on AES-256 and/or a workaround. It would also be O.K. to use AES-128 for ASDM connections internally and AES-256 for VPN connections; but I don't see any way to enable the SSL encryption methods on a per-application use, it seems I can only configure them globally and am thus stuck with allowing VPN connections to use AES-128 if they so choose (I made sure connections will negotiate to AES-256 before trying AES-128, but I'd like to completely disable AES-128).

Specs below, thanks in advance for your assistance.

Specs

ASA Version: 9.2(2)4

ASDM Version: 7.4(2), I also tried 7.5(2)

I think it's an ASDM

Marvin Rhoads — Tue, 15 Dec 2015 22:56:25 GMT

I think it's an ASDM limitation. I see the same thing on my ASA running the latest ASA software 9.5(2) with ASDM 7.5(2).

Qualys SSL check is pretty happy with that though - I get a A- on a test against my ASA.

Thanks Marvin, that Qualys

Phillip Simonds — Wed, 16 Dec 2015 17:50:02 GMT

Thanks Marvin, that Qualys SSL check is gold. Do you have any idea when AES-256 might be in the road-map for ASDM?

I was thinking about this and

Marvin Rhoads — Wed, 16 Dec 2015 23:15:51 GMT

I was thinking about this and found an article confirming my suspicion.

ASDM is just a Java applet. As such, it uses the security afforded it by your local Java installation's libraries.

I found confirmation in this TAC note: http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/110282-asdm-tshoot.html#prblm13

I tested the instructions and (...wait for it...) - it works!

I went to Oracle's download page for my Java version 8 here: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

I then unzipped those files and put them in the proper subdirectory according to the readme. It was a bit tricky to figure exactly which of the several Java directories ASDM was using - I did that by right clicking the process on task manager and going to the file location.

(Note: when you upgrade Oracle, it may write a new directory - so you will have to re-do this step periodically.)

Given that, I put the two new files in, changed my SSL custom cipher to exclude AES-128 and then relaunched ASDM. I started Wireshark with a capture filter for my ASA address and watched the TLS 1.2 handshake negotiate AES-256 encryption.

Along the lines of "it didn't happen if there are no pictures", extra points for the screenshot of the actual packet decode (open in new tab to zoom):

Thanks Mark! This worked

Phillip Simonds — Thu, 31 Dec 2015 04:13:56 GMT

Thanks Marvin! This worked great.

Marvin, you are a life saver!

vizualpro — Fri, 27 May 2016 04:09:24 GMT

Marvin, you are a life saver! While everyone else is adamant that installing the certificates into the Java settings was all that's needed, I could NOT get it to work, until now.

Thank you sir

Thank you!!!

JESSICA Walsh — Tue, 26 Jul 2016 19:39:41 GMT

Thank you!!!

The jre-6u45-windows 64bit

7layer — Tue, 20 Dec 2016 23:09:14 GMT

The jre-6u45-windows 64bit java client works fine with many ASDM versions.
I had this trouble before and this was the solution.

http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html#jre-6u45-oth-JPR

Thanks so much. As of 2017

Fri, 19 May 2017 21:27:42 GMT

Thanks so much. As of 2017 the JAVA encryption files are located here:

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Also, here is the SSL command on the ASA to use strong ciphers. These AES256 ciphers are supported by AnyConnect 4.x, and you will score an A- with 100% strong ciphers from ssllabs.com with this setting:

ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA256:AES256-SHA256"

While you can work in ASDM

tahscolony — Tue, 27 Jun 2017 19:18:00 GMT

While you can work in ASDM once launched using the above cipher suite, I have not been able to launch ASDM with them enabled. If I set to medium I can launch it, then switch back to the above and control the ASA through ASDM, but that can be a PITA.

ASDM does not work at all when ssl tlsv1.2 is set to high.

Yes it does. I'm connected

Tue, 27 Jun 2017 20:21:22 GMT

Yes it does. I'm connected to ASDM 7.8(1) now, using

ssl server-version tlsv1.2

ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA256:AES256-SHA256"

which is even more restrictive than ssl cipher tlsv1.2 high.

Read Marvin's response. You need to update JAVA with the high encryption files dowloaded from oracle. You can't connect to ASDM unless you update JAVA. It's not an ASDM issue, it's a java issue.