05-21-2013 07:00 AM - edited 03-11-2019 06:46 PM
Hopefully this will be an easy one for the experts. I'm new to ASA and bought a used one from ebay but I cannot connect to the ASDM - I get an error in all the browsers.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Having browsed the support forums and Google, it seems I need the 3DES license. I have obtained an activation key from Cisco and applied it to my ASA 5505; however, I get a warning that the device is licensed for a higher software level. The license on the ASA is Security Plus. When I apply the activation key from Cisco most of the features are disabled. Any help appreciated.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 mins 0 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 442b.0390.f085, irq 11
1: Ext: Ethernet0/0 : address is 442b.0390.f07d, irq 255
2: Ext: Ethernet0/1 : address is 442b.0390.f07e, irq 255
3: Ext: Ethernet0/2 : address is 442b.0390.f07f, irq 255
4: Ext: Ethernet0/3 : address is 442b.0390.f080, irq 255
5: Ext: Ethernet0/4 : address is 442b.0390.f081, irq 255
6: Ext: Ethernet0/5 : address is 442b.0390.f082, irq 255
7: Ext: Ethernet0/6 : address is 442b.0390.f083, irq 255
8: Ext: Ethernet0/7 : address is 442b.0390.f084, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 24 perpetual
Total UC Proxy Sessions : 24 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
ciscoasa# show flash
--#-- --length-- -----date/time------ path
145 25159680 Apr 13 2013 21:41:48 asa842-k8.bin
146 1868412 Mar 22 2013 09:04:16 securedesktop-asa-3.1.1.29-k9.pkg
3 2048 Mar 22 2013 09:08:38 log
6 2048 Mar 22 2012 17:21:52 crypto_archive
148 2049 Mar 23 2013 02:47:58 8_2_5_0_startup_cfg.sav
149 12105313 Mar 22 2012 17:22:14 csd_3.5.841-k9.pkg
150 2048 Mar 22 2012 17:22:18 sdesktop
162 1462 Mar 22 2012 17:22:18 sdesktop/data.xml
151 2857568 Mar 22 2012 17:22:18 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
152 3203909 Mar 22 2012 17:22:20 anyconnect-win-2.4.1012-k9.pkg
153 4832344 Mar 22 2012 17:22:22 anyconnect-macosx-i386-2.4.1012-k9.pkg
154 5209423 Mar 22 2012 17:22:24 anyconnect-linux-2.4.1012-k9.pkg
155 398305 Mar 22 2013 09:04:36 sslclient-win-1.1.0.154.pkg
14 2048 Mar 22 2013 09:17:28 coredumpinfo
15 59 Mar 22 2013 09:17:28 coredumpinfo/coredump.cfg
158 17232256 Mar 23 2013 11:46:44 asdm-645-206.bin
126 0 Mar 23 2013 12:00:26 nat_ident_migrate
159 2211 Apr 13 2013 21:48:50 8_0_2_0_startup_cfg.sav
05-21-2013 08:11 AM
Do show run all | include ssl. If you only see des-md5 or whatever the wimpy default Cisco went down to, configure some more ciphers that your modern browsers will accept by something like:
configure terminal
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
end
-- Jim Leinweber, WI state Lab of Hygiene
05-21-2013 09:33 AM
Hello James, I tried what you suggested:
ciscoasa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ciscoasa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ciscoasa(config)# ssl encryption rc4-sha1 aes128-sha1
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ciscoasa(config)# ssl encryption rc4-sha1
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ciscoasa(config)# ssl encryption null-sha1
ciscoasa(config)# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: null-sha1
Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1
No SSL trust-points configured
Certificate authentication is not enabled
Still no joy - will continue to try and work out wth is happening while Cisco licensing ponder... :-)
05-21-2013 04:29 PM
Hello James,
It's definitely a license issue, as you already mentioned.
Get the serial number of your box and go to:
cisco.com/go/licensing
and request it.
Then place it into your box and provide the output you get.
Afterwards provide the sh version and finally the sh run ssl.
Regards
Julio Carvajal
05-21-2013 08:14 PM
For some reason, some ASAs used to come without the 3DES/AES license in the early days.
This is free and can be generated on the licensing portal www.cisco.com/go/license
Click on Get New > Crypto, IPS and Other Licenses; under Security Products > Cisco ASA 3DES/AES License.
Then enter your ASA serial number and copy the activation-key to the ASA...
Patrick
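The triage the replies above describe (check the licensed features in show version, check what show ssl actually offers, then decide between a config change and a license request) as an added example, not code from this thread or from Cisco. It parses excerpts of the show version and show ssl output pasted above; BROWSER_CIPHERS is a constructed list based on Jim's suggested cipher order, and LICENSE_GATED is inferred from the "require a VPN-3DES-AES activation key" errors in the thread rather than from any Cisco licensing document.

```python
"""Triage an ASDM 'ssl_error_no_cypher_overlap' from ASA CLI output.

Added example for this thread: decides whether the fix is `ssl encryption`
(license already present) or a VPN-3DES-AES activation key (license absent).
"""
import re

# Ciphers a 2013-era browser will negotiate, in the order Jim suggested.
# Constructed list for this example, not a browser specification.
BROWSER_CIPHERS = ["rc4-sha1", "aes128-sha1", "aes256-sha1", "3des-sha1"]

# Ciphers the 8.4(2) CLI in the thread refused without the VPN-3DES-AES key.
# Inferred from the CLI errors posted above, not from Cisco documentation.
LICENSE_GATED = {"rc4-sha1", "rc4-md5", "aes128-sha1", "aes256-sha1", "3des-sha1"}

# Excerpts of the outputs pasted earlier in the thread (constructed subset).
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
This platform has an ASA 5505 Security Plus license.
"""

SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: null-sha1
Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1
No SSL trust-points configured
"""

# "Feature name : value [perpetual]" lines inside the licensed-features block.
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9 /\-]+?)\s*:\s*(?P<value>.+?)(?:\s+perpetual)?$")


def parse_licensed_features(show_version: str) -> dict:
    """Map feature name -> value from the 'Licensed features' block of show version."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        line = line.strip()
        if line.startswith("Licensed features"):
            in_block = True
            continue
        if not in_block:
            continue
        m = FEATURE_RE.match(line)
        if not m:
            break  # the "This platform has ..." summary line ends the block
        features[m.group("name").strip()] = m.group("value").strip()
    return features


def parse_show_ssl(show_ssl: str) -> dict:
    """Extract the enabled (ordered) and disabled cipher names from show ssl."""
    enabled, disabled = [], []
    for line in show_ssl.splitlines():
        if line.startswith("Enabled cipher order:"):
            enabled = line.split(":", 1)[1].split()
        elif line.startswith("Disabled ciphers:"):
            disabled = line.split(":", 1)[1].split()
    return {"enabled": enabled, "disabled": disabled}


def diagnose(show_version: str, show_ssl: str, browser_ciphers=BROWSER_CIPHERS) -> dict:
    """Decide whether the cipher-overlap failure is a config or a license problem."""
    features = parse_licensed_features(show_version)
    ssl = parse_show_ssl(show_ssl)
    licensed = features.get("VPN-3DES-AES", "").startswith("Enabled")
    # Anything the browser accepts that the ASA already offers means ASDM should work.
    overlap = [c for c in ssl["enabled"] if c in browser_ciphers]
    # Browser ciphers this ASA image knows about at all, in the browser's order.
    wanted = [c for c in browser_ciphers if c in ssl["disabled"] or c in ssl["enabled"]]
    if overlap:
        return {"licensed": licensed, "overlap": overlap, "action": "none", "command": None}
    if any(c in LICENSE_GATED for c in wanted) and not licensed:
        # No amount of `ssl encryption` will help until the free key is installed.
        return {"licensed": False, "overlap": [], "action": "license",
                "command": "activation-key <key from cisco.com/go/license>"}
    return {"licensed": licensed, "overlap": [], "action": "configure",
            "command": "ssl encryption " + " ".join(wanted)}


if __name__ == "__main__":
    result = diagnose(SHOW_VERSION, SHOW_SSL)
    print(f"VPN-3DES-AES licensed: {result['licensed']}")
    print(f"browser/ASA cipher overlap: {result['overlap'] or 'none'}")
    print(f"action: {result['action']} -> {result['command']}")
```

On the thread's own output this reports no overlap, VPN-3DES-AES disabled, and action "license", which is what James eventually hit at the CLI; once show version reports the feature as Enabled, the same script returns the `ssl encryption` line to paste instead.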