Another ASA license issue

jameshardy2612
Level 1

Hopefully this will be an easy one for the experts. I'm new to ASA and bought a used one from ebay but I cannot connect to the ASDM - I get an error in all the browsers.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

Having browsed the support forums and Google, it seems I need the 3DES license. I have obtained an activation key from Cisco and applied it to my ASA 5505; however, I get a warning that the device is licensed for a higher software level. The license on the ASA is Security Plus. When I apply the activation key from Cisco, most of the features are disabled. Any help appreciated.

ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 mins 0 secs

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is 442b.0390.f085, irq 11
1: Ext: Ethernet0/0         : address is 442b.0390.f07d, irq 255
2: Ext: Ethernet0/1         : address is 442b.0390.f07e, irq 255
3: Ext: Ethernet0/2         : address is 442b.0390.f07f, irq 255
4: Ext: Ethernet0/3         : address is 442b.0390.f080, irq 255
5: Ext: Ethernet0/4         : address is 442b.0390.f081, irq 255
6: Ext: Ethernet0/5         : address is 442b.0390.f082, irq 255
7: Ext: Ethernet0/6         : address is 442b.0390.f083, irq 255
8: Ext: Ethernet0/7         : address is 442b.0390.f084, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 24             perpetual
Total UC Proxy Sessions           : 24             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.


ciscoasa# show flash
--#--  --length--  -----date/time------  path
  145  25159680    Apr 13 2013 21:41:48  asa842-k8.bin
  146  1868412     Mar 22 2013 09:04:16  securedesktop-asa-3.1.1.29-k9.pkg
    3  2048        Mar 22 2013 09:08:38  log
    6  2048        Mar 22 2012 17:21:52  crypto_archive
  148  2049        Mar 23 2013 02:47:58  8_2_5_0_startup_cfg.sav
  149  12105313    Mar 22 2012 17:22:14  csd_3.5.841-k9.pkg
  150  2048        Mar 22 2012 17:22:18  sdesktop
  162  1462        Mar 22 2012 17:22:18  sdesktop/data.xml
  151  2857568     Mar 22 2012 17:22:18  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
  152  3203909     Mar 22 2012 17:22:20  anyconnect-win-2.4.1012-k9.pkg
  153  4832344     Mar 22 2012 17:22:22  anyconnect-macosx-i386-2.4.1012-k9.pkg
  154  5209423     Mar 22 2012 17:22:24  anyconnect-linux-2.4.1012-k9.pkg
  155  398305      Mar 22 2013 09:04:36  sslclient-win-1.1.0.154.pkg
   14  2048        Mar 22 2013 09:17:28  coredumpinfo
   15  59          Mar 22 2013 09:17:28  coredumpinfo/coredump.cfg
  158  17232256    Mar 23 2013 11:46:44  asdm-645-206.bin
  126  0           Mar 23 2013 12:00:26  nat_ident_migrate
  159  2211        Apr 13 2013 21:48:50  8_0_2_0_startup_cfg.sav

4 Replies

James Leinweber
Level 4

Do show run all | include ssl. If you only see des-md5, or whatever the wimpy default Cisco went down to, configure some more ciphers that your modern browsers will accept with something like:

configure terminal

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

end

-- Jim Leinweber, WI state Lab of Hygiene

Hello James, I tried what you suggested:

ciscoasa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

The 3DES/AES algorithms require a VPN-3DES-AES activation key.

ciscoasa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1

The 3DES/AES algorithms require a VPN-3DES-AES activation key.

ciscoasa(config)# ssl encryption rc4-sha1 aes128-sha1

The 3DES/AES algorithms require a VPN-3DES-AES activation key.

ciscoasa(config)# ssl encryption rc4-sha1

The 3DES/AES algorithms require a VPN-3DES-AES activation key.

ciscoasa(config)# ssl encryption null-sha1

ciscoasa(config)# sh ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: null-sha1

Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1

No SSL trust-points configured

Certificate authentication is not enabled

Still no joy. Will continue to try and work out what is happening while Cisco licensing ponder... :-)
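The two outputs quoted in this thread (the "Licensed features" table from show version and the cipher lines from show ssl) are enough to explain the browser's "no common encryption algorithm" error on their own: with VPN-3DES-AES disabled, the only SSL ciphers the ASA can enable are NULL, single DES and RC4, none of which a current browser will negotiate. The script below is an added example, not code from the thread or from Cisco. It parses both outputs, flags an unlicensed VPN-3DES-AES feature, and reports whether any enabled cipher is one a modern browser would accept. The sample outputs are constructed from what was pasted above (plus a constructed "after the license was applied" pair), and the assumption that browsers reject the null, des and rc4 suites is an assumption about client policy, not something the thread states.

```python
"""Triage helper for the ASDM "ssl_error_no_cypher_overlap" symptom.

Added example (not from the thread): parses the text of `show version`
(the "Licensed features" table) and `show ssl`, and reports whether the
enabled SSL cipher set could be negotiated by a browser that refuses the
NULL, single-DES and RC4 suites.
"""
import re

# Constructed sample: the relevant fragment of the OP's `show version`.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual

This platform has an ASA 5505 Security Plus license.
"""

# Constructed sample: the OP's `sh ssl` after falling back to null-sha1.
SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: null-sha1
Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""

# Constructed sample: what the same two outputs might look like once the
# VPN-3DES-AES key is installed and AES ciphers are enabled (hypothetical).
SHOW_VERSION_FIXED = SHOW_VERSION.replace("VPN-3DES-AES                      : Disabled",
                                          "VPN-3DES-AES                      : Enabled ")
SHOW_SSL_FIXED = """\
Enabled cipher order: aes256-sha1 aes128-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 null-sha1
"""

# ASA cipher names that the device refuses without the VPN-3DES-AES key,
# per the "require a VPN-3DES-AES activation key" message in the thread.
STRONG_CIPHERS = {"3des-sha1", "aes128-sha1", "aes256-sha1"}
# Assumption about client policy: a current browser will not negotiate
# NULL, single DES or RC4 suites at all.
BROWSER_REJECTS = {"null-sha1", "des-sha1", "rc4-md5", "rc4-sha1"}


def parse_licensed_features(text):
    """Return {feature: first value token} from the 'Licensed features' table."""
    features = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_table = True
            continue
        if in_table:
            if not line.strip():          # blank line ends the table
                in_table = False
                continue
            m = re.match(r"^(.+?)\s+:\s+(\S+)", line)
            if m:
                features[m.group(1).strip()] = m.group(2)
    return features


def parse_show_ssl(text):
    """Return (enabled, disabled) cipher name lists from `show ssl` output."""
    enabled, disabled = [], []
    for line in text.splitlines():
        if line.startswith("Enabled cipher order:"):
            enabled = line.split(":", 1)[1].split()
        elif line.startswith("Disabled ciphers:"):
            disabled = line.split(":", 1)[1].split()
    return enabled, disabled


def diagnose(show_version, show_ssl):
    """Combine licence state and cipher state into a list of findings."""
    features = parse_licensed_features(show_version)
    enabled, disabled = parse_show_ssl(show_ssl)
    findings = []
    strong_licensed = features.get("VPN-3DES-AES") == "Enabled"
    if not strong_licensed:
        findings.append("VPN-3DES-AES is not licensed: 3DES/AES SSL ciphers "
                        "cannot be enabled until the (free) key is installed")
    usable = [c for c in enabled if c not in BROWSER_REJECTS]
    if not usable:
        findings.append("no enabled cipher is acceptable to a modern browser: "
                        + " ".join(enabled))
    idle = sorted(STRONG_CIPHERS & set(disabled))
    if strong_licensed and idle:
        findings.append("licensed but disabled strong ciphers: " + " ".join(idle))
    return {"strong_licensed": strong_licensed, "enabled": enabled,
            "usable": usable, "findings": findings}


if __name__ == "__main__":
    for label, ver, ssl in (("as posted", SHOW_VERSION, SHOW_SSL),
                            ("after licensing", SHOW_VERSION_FIXED, SHOW_SSL_FIXED)):
        result = diagnose(ver, ssl)
        print(label + ":", result["findings"] or ["no problem found"])
```

Run it against the real outputs of show version and show ssl pasted into the two sample strings; the first finding is the one that matters in this thread, and the third (licensed but still disabled) is the case to check after the key has been applied and before re-running ssl encryption.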

Hello James,

It's definitely a licence issue, as you already mentioned.

Get the serial number of your box and go to:

cisco.com/go/licensing

and request one.

Then place it into your box and provide the output you get.

Afterwards provide the sh version and finally sh run ssl.

Regards

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

For some reason, some ASAs used to come without the 3DES/AES license in the early days.

This is free and can be generated on the licensing portal www.cisco.com/go/license

Click on Get New > Crypto, IPS and Other Licenses; under Security Products > Cisco ASA 3DES/AES License,
then enter your ASA serial number and copy the activation-key to the ASA...

Patrick
