This issue is now resolved!

everettjn08 · ‎06-18-2015

I am setting up an ASA 5506 and I am unable to reach the ASDM via chrome, firefox, or IE. I tried lowering the encryption level and I may have made the problem worse. I am unable to get the ASA to accept any cipher except DES-CBC-SHA and NULL-SHA. I get the following errors no matter the cipher level:

ciscoasa(config)# ssl cipher dtlsv1 custom AES128-SHA
ERROR: Invalid version/level combination: no compatible ciphers found
ERROR: Unable to update ciphers.

Are there any recommendations?

Modified show run:

ciscoasa(config)# show run
: Saved

:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.3(2)2
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif Inside
security-level 100
ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
<--- More --->...

interface Management1/1
management-only
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu Inside 1500
mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck

ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.253
ssl cipher default custom "NULL-SHA"
ssl cipher sslv3 custom "NULL-SHA"
dynamic-access-policy-record DfltAccessPolicy
username admin password encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxx
: end

Kanwaljeet Singh · ‎06-19-2015

Hi,

Take a pcap on client and see where it is failing. You can try putting in all the ciphers in the list and see if that works?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Marvin Rhoads · ‎06-19-2015

Most likely the unit does not have the free 3DES-AES licenses installed. Lack of that will prevent you from using the strong ciphers that most modern browsers require to establish secure connectivity.

Check it as follows:

ASA# sh ver | i 3DES
Encryption-3DES-AES               : Enabled        perpetual

If you don't see it enabled, go to www.cisco.com/go/license and you can get the free license. It will come with installation instructions.

dal · ‎01-03-2017

Fantastic!

After hours of searching and wondering why I couldn't connect to my ASA from neither ASDM or SSH, I found this post.

Thank you!

Edit: ASDM works fine now, but I still cannot connect via SSH2.. any ideas why not?

Thanks again.

Marvin Rhoads · ‎01-03-2017

[@dal@alesund.kommune.no]

Good to hear. Please rate the response if it helped you.

For the ssh2 issue, make sure your ASA has it set and that you haven't specified something like DH group 14. Your ssh configuraiton should include the following:

ssh version 2
ssh key-exchange group dh-group1-sha1

dal · ‎01-05-2017

Thank you for your response.

Unfortunately this tip did not help.

Still not able to connect via ssh

Not sure when it stopped working either. But I know for sure it has worked in the past

Thanks.

Marvin Rhoads · ‎01-05-2017

Could it possibly be client side settings issue? Have you tried an alternative ssh client?

If you have, you might be able to get some information from turning on verbose logging on your client or doing a packet capture while trying to connect.

dal · ‎02-09-2017

This issue is now resolved!

After upgrading to the latest version of ASA and ASDM, I get an error in the log when trying to log in:

%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

After that it was easy to find a solution on the internet:

https://axelilly.wordpress.com/2010/05/19/cant-ssh-into-asa/

In short:

Type in this line via console cable or from the Tools menu in ASDM:

conf t
crypto key generate rsa modulus 2048
wr mem

SSL mismatch with ASA 5506