ASA 5545 SSL VPN portal: server unavailable

Hello,

we have set up a custom clientless SSL VPN portal that redirects to a page on our SharePoint 2013 intranet. On this intranet page, we have several https links that redirect to different internal web applications. This works well for applications that are hosted on WS2012R2, including pass-through of login credentials. However, we also have two https links that point to applications that are hosted on WS2016. For these applications, we receive a "server unavailable" error. We have discovered that, once we disable the SSL ciphers that were introduced in WS2016, thus only retaining the ciphers that exist in WS2012R2, the redirect to these applications works fine. Attached is an overview of the disabled ciphers. Is it a known issue that the ASA5545 cannot handle the newer ciphers that are introduced in WS2016?

Thanks in advance for sharing any thoughts on this.

4 Replies

Dennis Mink
VIP Alumni

Run show ssl cipher on your ASA; I am guessing you might be lacking ECDH, depending on the ASA version.

Also, turn off SHA, DES and 3DES.

Please remember to rate useful posts, by clicking on the stars below.

Result of the command: "show ssl cipher"

Current cipher configuration:
default (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.2 (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
dtlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA

So, which ciphers and suites have you actually disabled in WS2016 to make it the same as 2012, as these seem to be the problem and make 2016 work (correct?)

Also, once you get this to work, turn TLS1 off, get rid of all SHA- and 3DES-containing suites and all DH (apart from elliptic-curve DH, but do that next).

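As an added example (not from the thread and not Cisco's code), the following Python script parses "show ssl cipher" output in the format posted above, translates Schannel-style suite names (the form Windows lists them in) into the OpenSSL names the ASA prints, and reports whether the two sides share any TLS 1.2 suite, which is the check behind a "server unavailable" on the portal. The backend suite lists are constructed for illustration, not WS2016 defaults, and the name mapping covers only the RSA/ECDHE/DHE AES and 3DES families that appear in this thread.

```python
import re

# Constructed sample: an abbreviated tlsv1.2 block in the format of the thread's
# "show ssl cipher" output (same names the ASA printed, fewer of them).
ASA_SHOW_SSL_CIPHER = """\
Current cipher configuration:
tlsv1.2 (medium):
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-RSA-AES256-SHA384
  AES256-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
dtlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
"""

def parse_show_ssl_cipher(text):
    """Return {protocol: [cipher names in the ASA's preference order]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) \(\w+\):$", line)   # e.g. "tlsv1.2 (medium):"
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.startswith("  "):
            sections[current].append(line.strip())
    return sections

def iana_to_openssl(name):
    """Map a Schannel/IANA name (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) to the OpenSSL
    form the ASA prints (ECDHE-RSA-AES256-GCM-SHA384). AES/3DES families only."""
    body = name[4:] if name.startswith("TLS_") else name
    body = body.replace("_WITH_", "_")
    if body.startswith("RSA_"):                  # static-RSA suites carry no kx prefix in OpenSSL
        body = body[4:]
    body = body.replace("AES_256", "AES256").replace("AES_128", "AES128")
    body = body.replace("3DES_EDE_CBC", "DES-CBC3").replace("_CBC", "")
    return body.replace("_", "-")

def negotiable(asa_text, server_iana, protocol="tlsv1.2"):
    """Suites both sides accept, in the ASA's order; an empty list means no handshake."""
    server = {iana_to_openssl(s) for s in server_iana}
    return [c for c in parse_show_ssl_cipher(asa_text).get(protocol, []) if c in server]

def is_legacy(cipher):
    """Suites the replies above recommend retiring: SHA-1 MACs, DES/3DES, non-EC DHE."""
    return cipher.endswith("-SHA") or "DES" in cipher or cipher.startswith("DHE-")

# Constructed backend lists (not WS2016 defaults): one overlaps the ASA, one does not.
SERVER_OK = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA"]
SERVER_NO_OVERLAP = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
```

Run negotiable(ASA_SHOW_SSL_CIPHER, SERVER_NO_OVERLAP) against a real "show ssl cipher" dump and a backend's enabled suite list to see whether the proxy-to-backend leg can complete at all, and pass the common suites through is_legacy to see which ones the cleanup advice in the replies would remove.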

The disabled ciphers are listed in the attached screenshots in the original post.

Best regards,

Piet
