ASA 5545 SSL VPN portal: server unavailable
06-08-2018 01:25 AM - edited 02-21-2020 07:51 AM
Hello,
We have set up a custom clientless SSL VPN portal that redirects to a page on our SharePoint 2013 intranet. On this intranet page, we have several https links that redirect to different internal web applications. This works well for applications that are hosted on WS2012R2, including pass-through of login credentials. However, we also have two https links that point to applications hosted on WS2016. For these applications, we receive a "server unavailable" error. We have discovered that, once we disable the SSL ciphers that were introduced in WS2016, thus only retaining the ciphers that exist in WS2012R2, the redirect to these applications works fine. Attached is an overview of the disabled ciphers. Is it a known issue that the ASA5545 cannot handle the newer ciphers that were introduced in WS2016?
Thanks in advance for sharing any thoughts on this.
Labels: NGFW Firewalls
06-08-2018 05:39 AM
Run "show ssl cipher" on your ASA. I am guessing you might be lacking ECDH, depending on the ASA version.
Also, turn off SHA, DES and 3DES.
06-08-2018 07:39 AM
Result of the command: "show ssl cipher"
Current cipher configuration:
default (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
07-13-2018 06:47 AM
So which ciphers and suites have you actually disabled in WS2016 to make it the same as 2012, as these seem to be the problem, and disabling them makes 2016 work (correct?)
Also, once you get this to work, turn TLS 1.0 off, get rid of all SHA- and 3DES-containing suites and all DH (apart from elliptic-curve DH, but do that next).
07-13-2018 07:08 AM
The disabled ciphers are listed in the attached screenshots in the original post.
Best regards,
Piet
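In the clientless portal the ASA itself is the TLS client to the backend, so the handshake only succeeds if the backend offers at least one suite that appears in the ASA's "show ssl cipher" listing above; otherwise the portal reports the server as unavailable. The script below is an added example written for this thread (not Cisco or Microsoft code). It parses an excerpt of the ASA output posted above, converts a backend suite list from the IANA notation that Windows prints (for example from Get-TlsCipherSuite) into OpenSSL notation, computes the overlap, and flags the suite classes the replies recommend dropping (SHA-1 HMAC, DES/3DES, RC4, finite-field DHE, static RSA). The backend list is constructed for illustration and is not the real WS2016 default order; the ChaCha20 suite in it is a hypothetical entry used only to show a suite the ASA lacks.

```python
"""Compare an ASA 'show ssl cipher' listing with a backend's TLS cipher suites.

Added example for this thread, not Cisco or Microsoft code. ASA_SHOW_SSL_CIPHER
is an excerpt of the listing posted above; BACKEND_IANA is CONSTRUCTED and is
not Windows Server 2016's actual default suite list.
"""
import re

ASA_SHOW_SSL_CIPHER = """\
Current cipher configuration:
default (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
AES128-SHA
"""

# Constructed backend list in IANA notation (the form Schannel/Get-TlsCipherSuite
# print). The ChaCha20 entry is hypothetical: a suite the ASA listing lacks.
BACKEND_IANA = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

_SECTION_RE = re.compile(r"^(\S+) \((\w+)\):$")   # e.g. 'tlsv1.2 (medium):'

# Cipher halves whose OpenSSL spelling does not follow the generic AES rule.
_SPECIAL = {
    "3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "RC4_128_SHA": "RC4-SHA",
    "RC4_128_MD5": "RC4-MD5",
    "CHACHA20_POLY1305_SHA256": "CHACHA20-POLY1305",
}


def parse_show_ssl_cipher(text):
    """Return {section: [suite, ...]} from ASA 'show ssl cipher' output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.endswith(":"):
            continue                       # 'Current cipher configuration:'
        elif current is not None:
            sections[current].append(line)
    return sections


def iana_to_openssl(name):
    """Map an IANA suite name to the OpenSSL name the ASA prints."""
    body = name[4:] if name.startswith("TLS_") else name
    kx, _, cipher = body.partition("_WITH_")
    if not cipher:                         # TLS 1.3 names are identical in both
        return name
    kx = "" if kx == "RSA" else kx.replace("_", "-")   # OpenSSL omits static RSA
    if cipher in _SPECIAL:
        c = _SPECIAL[cipher]
    else:
        c = re.sub(r"^AES_(\d+)_", r"AES\1-", cipher.replace("_CBC", ""))
        c = c.replace("_", "-")            # AES_256_GCM_SHA384 -> AES256-GCM-SHA384
    return f"{kx}-{c}" if kx else c


def weaknesses(suite):
    """List the reasons a suite should be retired, per the advice in the thread."""
    issues = []
    if suite.endswith("-SHA"):
        issues.append("SHA-1 HMAC")
    if "DES" in suite:
        issues.append("DES/3DES")
    if "RC4" in suite:
        issues.append("RC4")
    if "NULL" in suite:
        issues.append("NULL cipher")
    if suite.startswith("DHE-"):
        issues.append("finite-field DHE (prefer ECDHE)")
    elif not suite.startswith(("ECDHE-", "TLS_")):
        issues.append("static RSA key exchange, no forward secrecy")
    return issues


def compare(asa_suites, backend_iana):
    """Overlap between what the ASA can negotiate and what the backend offers."""
    backend = [iana_to_openssl(s) for s in backend_iana]
    asa = set(asa_suites)
    common = [s for s in backend if s in asa]          # backend preference order
    return {
        "common": common,
        "backend_only": [s for s in backend if s not in asa],
        "usable_strong": [s for s in common if not weaknesses(s)],
    }


def hardened(suites):
    """Suites left after dropping everything weaknesses() flags."""
    return [s for s in suites if not weaknesses(s)]


if __name__ == "__main__":
    sections = parse_show_ssl_cipher(ASA_SHOW_SSL_CIPHER)
    result = compare(sections["tlsv1.2"], BACKEND_IANA)
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["common"]:
        print("no common suite: the ASA cannot reach this backend (server unavailable)")
    print("hardened ASA tlsv1.2 list:", hardened(sections["tlsv1.2"]))
```

If "common" comes back empty for a backend, the portal will fail exactly as described in the original post, and the fix is to re-enable on the server one of the suites in "usable_strong" rather than to fall back to SHA-1 or 3DES suites. The same comparison is worth running before retiring suites on the ASA, since a list that only matches a backend's weak suites will stop working the moment the backend is hardened.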
