Cannot connect to ASA using https

bluemookie
Level 1

I'm trying to access my ASA 5505 by https://192.168.1.1 but I can't. I'm using Windows 7.  I already have installed ASDM and I can enter in the box by ASDM.  I am preparing to reformat my PC and I'm afraid that I won't be able to access my ASA if I do.

Mozilla shows the message:

An error occurred during a connection to 192.168.1.1.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

Please bear in mind that I am a total noob.  Any help is greatly appreciated.

Accepted Solutions


GUI - you are connected via GUI? That is ASDM.

It works?

You can have upto 5 asdm connections.  3 are taken - may be you can try from another computer and see if it works.

-KS


You can issue "clear conn all 192.168.1.21" from the CLI. That should remove those connections.

Issue the "sh asp table socket" command again to make sure.

Very glad to hear you are now able to connect.  Pls. consider marking the thread as resolved.

-KS


21 Replies

Scott Payne
Level 1

Did you assign your computer a static ip address?

Try setting your computer with 192.168.1.2

subnet 255.255.255.0

default gateway 192.168.1.1

Have you already changed the private ip of the firewall? If so use that instead of the 192 address.

I found this on Cisco's site, but I have no earthly idea how to remove temporary file from root.  HELP!

Q. How can I resolve this error message on the ASA: Secure Connection Failed. An error occurred during a connection to x.x.x.x. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap...

A. This issue is due to Cisco Bug ID CSCtc37947 (registered customers only). In order to resolve this issue, remove the temporary files created for auto update from the root account on CSC, and then restart the services.

Kyle,

That defect is to log into a CSC module as root. You have an ASA5505 that cannot take a CSC module.

Here is a doc that I had written to troubleshoot management issues with the ASA. The first one listed is the asdm.

Let us run through this list: https://cisco-support.hosted.jivesoftware.com/docs/DOC-13012

-KS

These are the results of running "sh ver" in the ASDM

Result of the command: "sh ver"

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

AIM-ASA-FW up 54 days 19 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0    : address is 001b.0c2c.0d1c, irq 11
1: Ext: Ethernet0/0         : address is 001b.0c2c.0d14, irq 255
2: Ext: Ethernet0/1         : address is 001b.0c2c.0d15, irq 255
3: Ext: Ethernet0/2         : address is 001b.0c2c.0d16, irq 255
4: Ext: Ethernet0/3         : address is 001b.0c2c.0d17, irq 255
5: Ext: Ethernet0/4         : address is 001b.0c2c.0d18, irq 255
6: Ext: Ethernet0/5         : address is 001b.0c2c.0d19, irq 255
7: Ext: Ethernet0/6         : address is 001b.0c2c.0d1a, irq 255
8: Ext: Ethernet0/7         : address is 001b.0c2c.0d1b, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 50       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Disabled 
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1108K2X3
Running Activation Key: 0x3e2d3568 0x68c54746 0x448071d8 0x8f201000 0x0033c784
Configuration register is 0x1
Configuration last modified by aimfwadm at 08:54:13.532 EST Thu Jan 6 2011

How do I enable VPN-3DES-AES?  Does it matter that I'm not running any VPN's?

Yes, that is correct.

Pls. follow this procedure and get the 3des license. It is free.

You simply have to go to cisco.com/go/license

Please click here for available licenses.

Cisco ASA 3DES/AES License

Can you try that and let me know if ssh works for you with 3DES?

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1042023

-KS

I filled out the form on Cisco's site, and the last web page just says "Message: You have been registered for download of Encrypted Software."  Is there something I need to do?  Do I download something?

You would have to provide the serial number of the unit and your CCO id and other information. Once done it will say that you will be e-mailed the activation-key within 1 hour.

Did you get that message?

If not pls. do the procedure again.

Once you get the activation key via e-mail pls. add it to the device

conf t
activation-key <the key from the e-mail>
wr mem
exit

-KS

Can I do all of this from the CLI menu of the ASDM?  Or do I have to use TTY or something?  Can I issue a conf t from the single line interface?

I have not received the email yet, but it hasn't been an hour.

You should be able to add the activation-key from the asdm - if you know where it is

Just checked it is under

configuration >> device management >> licensing >> activation key

-KS

Okay, I received the activation key, and now it shows that 3DES is activated and enabled, but I'm still getting the same error.  I cannot connect to my ASA using HTTPS.

So, let us run through and finish the rest of the checks on that link that I had sent earlier.

-KS

Result of the command: "sh ver"

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

AIM-ASA-FW up 54 days 21 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0    : address is 001b.0c2c.0d1c, irq 11
1: Ext: Ethernet0/0         : address is 001b.0c2c.0d14, irq 255
2: Ext: Ethernet0/1         : address is 001b.0c2c.0d15, irq 255
3: Ext: Ethernet0/2         : address is 001b.0c2c.0d16, irq 255
4: Ext: Ethernet0/3         : address is 001b.0c2c.0d17, irq 255
5: Ext: Ethernet0/4         : address is 001b.0c2c.0d18, irq 255
6: Ext: Ethernet0/5         : address is 001b.0c2c.0d19, irq 255
7: Ext: Ethernet0/6         : address is 001b.0c2c.0d1a, irq 255
8: Ext: Ethernet0/7         : address is 001b.0c2c.0d1b, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 50       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1108K2X3
Running Activation Key: 0x8024fc53 0xb0c5f46b 0x78236500 0xa5a4b898 0x4f040da2
Configuration register is 0x1
Configuration last modified by aimfwadm at 08:54:13.532 EST Thu Jan 6 2011

Result of the command: "sh run http"

http server enable
http 192.168.1.0 255.255.255.0 inside

Result of the command: "sh asp table socket"


Protocol  Socket    Local Address               Foreign Address         State
SSL       0003aa9f  192.168.1.1:443             0.0.0.0:*               LISTEN
TCP       00071c4f  192.168.1.1:23              0.0.0.0:*               LISTEN
TCP       000a9d7f  192.168.1.1:22              0.0.0.0:*               LISTEN
TCP       000f7a2f  69.130.7.114:22             0.0.0.0:*               LISTEN
SSL       79f47bd8  192.168.1.1:443             192.168.1.21:60887      ESTAB
SSL       79fd5938  192.168.1.1:443             192.168.1.21:60892      ESTAB
SSL       7a304a68  192.168.1.1:443             192.168.1.21:60962      ESTAB

Result of the command: "sh run webvpn"

webvpn

Result of the command: "sh run all ssl"

ssl server-version any
ssl client-version any
ssl encryption des-sha1

SSL       79f47bd8  192.168.1.1:443             192.168.1.21:60887      ESTAB
SSL       79fd5938  192.168.1.1:443             192.168.1.21:60892      ESTAB
SSL       7a304a68  192.168.1.1:443             192.168.1.21:60962      ESTAB

It shows that you have 3 asdm connections already established from the IP address 192.168.1.21.

Do you? Can you pls. close those windows if you have them open?

You need to add this line into the config

conf t
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
exit

and try again.

-KS
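An added triage helper, not from the thread or from Cisco, that parses the two outputs KS is reading above ("sh run all ssl" and "sh asp table socket") and reports the two things discussed: a cipher list that offers only single DES, which the browser will not negotiate, and clients still holding established HTTPS/ASDM sessions. It embeds the outputs quoted in the thread as constructed sample input; the set of browser-rejected suites and treating the 5-session ASDM limit as a box-wide total are assumptions.

```python
import re
from collections import Counter
DES_ONLY_SUITES = {"des-sha1"}  # assumption: the one suite the browser refuses outright
MAX_ASDM_SESSIONS = 5  # ASDM session limit quoted by KS in this thread
# Constructed sample input, copied from the outputs posted in the thread.
SH_RUN_ALL_SSL = """\
ssl server-version any
ssl client-version any
ssl encryption des-sha1
"""
SH_ASP_TABLE_SOCKET = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       0003aa9f  192.168.1.1:443             0.0.0.0:*               LISTEN
SSL       79f47bd8  192.168.1.1:443             192.168.1.21:60887      ESTAB
SSL       79fd5938  192.168.1.1:443             192.168.1.21:60892      ESTAB
SSL       7a304a68  192.168.1.1:443             192.168.1.21:60962      ESTAB
"""
def configured_ciphers(sh_run_all_ssl):
    """Cipher suites from the 'ssl encryption' line, in configured order."""
    for line in sh_run_all_ssl.splitlines():
        m = re.match(r"\s*ssl encryption\s+(.+?)\s*$", line)
        if m:
            return m.group(1).split()
    return []

def cipher_overlap_possible(ciphers):
    """False when every configured suite is one the browser will reject."""
    return any(c not in DES_ONLY_SUITES for c in ciphers)

def established_https_sessions(sh_asp_table_socket):
    """Count ESTAB SSL sockets on local port 443, keyed by client IP."""
    counts = Counter()
    for line in sh_asp_table_socket.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "SSL" and f[4] == "ESTAB" and f[2].endswith(":443"):
            counts[f[3].rsplit(":", 1)[0]] += 1
    return counts

def triage(sh_run_all_ssl, sh_asp_table_socket):
    """Findings a responder would act on, cipher list first as in the thread."""
    findings = []
    ciphers = configured_ciphers(sh_run_all_ssl)
    if not cipher_overlap_possible(ciphers):
        findings.append(f"cipher list {ciphers} offers only DES: add aes/3des suites")
    sessions = established_https_sessions(sh_asp_table_socket)
    for ip, n in sessions.items():
        findings.append(f"{ip} holds {n} established HTTPS sessions; clear them if stale")
    if sum(sessions.values()) >= MAX_ASDM_SESSIONS:
        findings.append(f"ASDM session limit of {MAX_ASDM_SESSIONS} reached")
    return findings
```

Paste fresh output from the ASDM command-line window into the two strings and call triage(); with the thread's output it reports the DES-only cipher list and the three sessions from 192.168.1.21.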




No, I have nothing connected.  How do you enter those commands?  Through the "Command Line Interface" menu item from the GUI?  I entered the first one.  logged in as my user.  entered the next one.  I have nothing to exit from.  Should I be using something else?  How do I close those established sessions?  That's probably my problem right there!
