01-03-2023 11:52 AM
Dear All, I am having a problem: I have configured all the steps to connect to ASDM via web browser, but I cannot access ASDM for some reason. The error message and my configuration are below.
Can you help please?
Try:
ciscoasa# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl certificate-authentication fca-timeout 2
ciscoasa# sh run aaa
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ciscoasa# sh run htt
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
ciscoasa# sh asdm image
Device Manager image file, disk0:/asdm-7101.bin
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 24 perpetual
Total UC Proxy Sessions : 24 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Kind Regards
01-03-2023 12:08 PM
ssl cipher <tls version> all
check this command,
01-03-2023 12:53 PM
Hi
ciscoasa# show ssl
Accept connections using SSLv2 or greater and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or greater
Enabled cipher order: 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
SSL trust-points:
inside interface: ASDM_Launcher_Access_TrustPoint_0
outside interface: ASDM_Launcher_Access_TrustPoint_0
Certificate authentication is not enabled
01-03-2023 01:04 PM
The ASA accepts SSLv2 or greater, so can you change the browser to use SSLv2 or SSLv3?
01-03-2023 01:12 PM
SSLv2 and v3 have long been deprecated in web browsers; TLS 1.2 is the minimum.
01-03-2023 01:38 PM
Hi,
Thank You for your reply.
SSL 3.0 is enabled, but I cannot see SSL 2.0 in the list.
Kind Regards
01-03-2023 12:10 PM - edited 01-03-2023 12:11 PM
@Hamid Amir most if not all web browsers no longer support TLS 1.0/1.1; your ASA 5505 software version probably doesn't support TLS 1.2 - hence the error you receive. I believe TLS 1.2 is supported from ASA version 9.3; the latest version supported by the 5505 is ASA 9.2. So you'd either have to force the web browser to support TLS 1.0/1.1 or replace the hardware.
The ASA 5505 is so old, I recommend replacing the hardware, the FPR1010 would be a suitable replacement - https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html
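An added example, not written by any poster in this thread: a small Python check that reads the `sh run all ssl` and `sh run htt` lines from the first post and flags the legacy protocol, cipher and management-access settings. The function name, the set of "modern" version keywords and the cipher notes are assumptions of this example; the sample config is copied from the post.

```python
# Constructed sample: config lines quoted from the first post in this thread.
SAMPLE_CONFIG = """\
ciscoasa# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ciscoasa# sh run htt
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

# Assumption: only an explicit TLS 1.2+ keyword counts as a modern floor.
MODERN_VERSIONS = {"tlsv1.2", "tlsv1.3"}
# Cipher keywords from the post that rely on broken or deprecated primitives.
WEAK_CIPHERS = {
    "3des-sha1": "3DES, 64-bit block cipher",
    "des-sha1": "single DES, 56-bit key",
    "rc4-md5": "RC4 stream cipher with MD5 MAC",
}


def audit_asa_tls(config: str) -> list[str]:
    """Return one finding per legacy TLS or open management setting."""
    findings = []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ssl", "server-version"] and len(words) == 3:
            if words[2] not in MODERN_VERSIONS:
                findings.append(f"server-version {words[2]}: "
                                "does not enforce TLS 1.2 or later")
        elif words[:2] == ["ssl", "encryption"]:
            for cipher in words[2:]:
                if cipher in WEAK_CIPHERS:
                    findings.append(f"cipher {cipher}: {WEAK_CIPHERS[cipher]}")
        elif words[:1] == ["http"] and len(words) == 4 and words[2] == "0.0.0.0":
            # A 0.0.0.0 mask admits every source address on that interface.
            findings.append(f"http {words[3]}: ASDM/HTTPS management open to "
                            "any source address on this interface")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_tls(SAMPLE_CONFIG):
        print("[!]", finding)
```

Prompt lines and `http server enable` are skipped; the remaining `aes128-sha1` and `aes256-sha1` entries are not flagged by this check.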
01-03-2023 12:45 PM
Hi Rob,
Thank you for your reply.
I can access the ASDM application after I deleted TLSv1.1 from the Java security file and added deployment.security.TLSv1=true to deployment.properties, but I cannot access it via web browser.
01-03-2023 01:01 PM
@Hamid Amir you need to determine if you can enable TLS 1.0/1.1 on the web browser you are using. As I said TLS 1.0/1.1 is no longer supported in the majority of web browsers, since 2020. https://support.mozilla.org/en-US/questions/1290040
01-03-2023 01:13 PM
Hi Rob,
I just replaced my broken ASA 5505 and the browser was working.
Best Regards
01-04-2023 04:39 AM
Hi
It has been resolved by using "Make legacy sites work in Microsoft Edge" in the Default browser setting.
Thank you very much for your help.
Kind Regards
11-10-2023 01:12 PM
Hi Hamid,
Could you tell me how to make Edge accept old sites? I have the same problem...
11-11-2023 12:35 AM
Hi Nelson,
Go to Settings in Edge, click on "Default browser" in the left-hand bar, and then choose to allow and add the IP address in "Make legacy sites work in Microsoft Edge".