Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1702
Views
5
Helpful
4
Replies

ASA 5545 SSL VPN portal: server unavailable

Piet Vanbeckbergen
Level 1
Level 1

‎06-08-2018 01:25 AM - edited ‎02-21-2020 07:51 AM

Hello,

 

we have set up a custom clientless SSL VPN portal that redirects to a page on our sharepoint 2013 intranet. On this intranet page, we have several https links that redirect to different internal web applications. This works well for applications that are hosted on WS2012R2, including pass through of login credentials. However, we have also two https links that point to applications that are hosted on WS2016. For these applications, we receive a "server unavailable" error. We have discovered that, once we disable the SSL ciphers that were introduced in WS2016, thus only retaining the ciphers that exist in WS2012R2, the redirect to these applications work fine. In attachment is an overview of the disabled ciphers. Is it a known issue that ASA5545 can not handle the newer ciphers that are introduced in WS2016?

Thanks in advance for sharing any thoughts on this.

Labels:
IIS Crypto 2.0 Schannel.png
Preview file
65 KB
IIS Crypto 2.0 Suites.png
Preview file
85 KB
0 Helpful
4 Replies 4

Dennis Mink
VIP Alumni
VIP Alumni

‎06-08-2018 05:39 AM

run show ssl cipher on your ASA, I am guessing you might be lacking ECDH, depending on the ASA version.

 

also, turn off SHA, DES and 3DES.

Please remember to rate useful posts, by clicking on the stars below.

Piet Vanbeckbergen
Level 1
Level 1
In response to Dennis Mink

‎06-08-2018 07:39 AM

Result of the command: "show ssl cipher"

Current cipher configuration:
default (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.2 (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
dtlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni
In response to Dennis Mink

‎07-13-2018 06:47 AM

so which ciphers and suites have you actually disabled in ws2016 to make it the same as 2012, as these seem to be the problem and  make 2016 work (correct?)

 

also, once you get this to work, turn TLS1 off, get rid of all SHA and 3DES containing suites and all DH (apart from elliptic curve DH, but do that next)

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Piet Vanbeckbergen
Level 1
Level 1
In response to Dennis Mink

‎07-13-2018 07:08 AM

The disabled ciphers are listed in the attached screenshots in the original post.

Best regards,

 

Piet

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top