Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2302
Views
0
Helpful
3
Replies

"At least one encryption algorithm must be selected" error when trying to bind SSL certifcate to ASA5545 interface

Go to solution
mitchen
Level 2
Level 2

‎11-09-2015 05:06 AM - edited ‎03-11-2019 11:51 PM

Hi,

the identity certificate on our ASA5545 (running 8.6 software) is due to expire soon.  I understand the process to renew means obtaining a new certificate and installing it on the ASA.

So, I have obtained a new certificate from the CA (Entrust) and installed on the ASA.

However, when I try to bind the new certificate to my outside interface using ASDM I get the error:

"At least one encryption algorithm must be selected"

For the currently binded certificate, the list of available algorithms I have listed on ASDM are:

AES256-SHA1

AES128-SHA1

3DES-SHA1

RC4-SHA1

RC4-MD5

DES-SHA1

DHE-AES128-SHA1

DHE-AES256-SHA1

NULL-SHA1

And there is nothing on the list of Active Algorithms.

However, "show ssl" on the CLI gives the following:

show ssl
Accept connections using TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
OUTSIDE interface:  Entrust_trustpoint_duetoexpire

So, I'm confused?


What should I be selecting for the available algorithms in order to bind the new certificate to the interface?  Will there be any impact to existing connections?  How do I revert to the previous certificate (still has a week left!) if there are any issues? (Can I simply choose to bind the old certificate to the interface again and all will be back as it was while we examine what went wrong?)

Any help would be appreciated!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎11-09-2015 05:40 AM

Hi 

You have to configure atleast one encryption algo to allow the SSL handshake.
The show ssl output shows that you have the following algo's configured
rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Perhaps you can use the same alogs if you do not wish to have any impact and enable them via the command
"ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"

The encryption algo varies from one endpoint to another i.e. older windows devices used RC4 algo and DES as well. If you wish to dig deeper , then you can check the logs and see the encryption algo being negotiated with the clients and just set them accordingly.

If you wish to revert to previous certificate , you can run the command
ssl trust-point Entrust_trustpoint_duetoexpire OUTSIDE
and this will associate the trustpoint mapped with older certificate to OUTSIDE interface.


NOTE: If you do not have older windows version, then you can disable RC4 and DES algos as they are not much secure.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎11-09-2015 05:40 AM

Hi 

You have to configure atleast one encryption algo to allow the SSL handshake.
The show ssl output shows that you have the following algo's configured
rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Perhaps you can use the same alogs if you do not wish to have any impact and enable them via the command
"ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"

The encryption algo varies from one endpoint to another i.e. older windows devices used RC4 algo and DES as well. If you wish to dig deeper , then you can check the logs and see the encryption algo being negotiated with the clients and just set them accordingly.

If you wish to revert to previous certificate , you can run the command
ssl trust-point Entrust_trustpoint_duetoexpire OUTSIDE
and this will associate the trustpoint mapped with older certificate to OUTSIDE interface.


NOTE: If you do not have older windows version, then you can disable RC4 and DES algos as they are not much secure.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
mitchen
Level 2
Level 2
In response to Dinesh Moudgil

‎11-09-2015 09:17 AM

Hi Dinesh,

that's great, thanks.  That seems to have worked!

As a side topic - how would I actually go about checking the encryption algorithms being negotiated with the clients to determine whether RC4 and DES can indeed be disabled?

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to mitchen

‎11-09-2015 11:28 AM

Hello mitchen,

Particularly, this message shows the algorithm which is negotiated:
%ASA-7-725012 Device chooses cipher: cipher_name for SSL session with clientinterface_name:IP_address/port

You can run "debug webvpn 255" or "debug webvpn anyconnect 255 " to check realtime log messages or setup a logging class to just get the specific message as follows:
logging enable
logging timestamp
logging list Anyconnect level informational class svc
logging list Anyconnect level informational class ssl
logging list Anyconnect message 725012

logging trap Anyconnect
logging host inside <syslog server IP>
logging buffer-size 1048576
logging buffered debugging

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card