11-18-2012 09:59 PM - edited 03-11-2019 05:24 PM
Hi.
I can't connect to ASDM. The ASA closes the connection because the browser doesn't support SSL with DES-CBC-SHA.
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609001: Built local-host inside:10.1.11.77
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609001: Built local-host identity:10.1.11.10
<166>:Nov 16 15:52:41 GST: %ASA-session-6-302013: Built inbound TCP connection 59 for inside:10.1.11.77/1257 (10.1.11.77/1257) to identity:10.1.11.10/443 (10.1.11.10/443)
<166>:Nov 16 15:52:41 GST: %ASA-ssl-6-725001: Starting SSL handshake with client inside:10.1.11.77/1257 for TLSv1 session.
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725010: Device supports the following 1 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DES-CBC-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725008: SSL client inside:10.1.11.77/1257 proposes the following 11 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[2] : DHE-DSS-AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[3] : AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[6] : RC4-MD5
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[7] : RC4-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[8] : AES128-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[11] : DES-CBC3-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
<166>:Nov 16 15:52:41 GST: %ASA-session-6-302014: Teardown TCP connection 59 for inside:10.1.11.77/1257 to identity:10.1.11.10/443 duration 0:00:00 bytes 7 TCP Reset by appliance
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609002: Teardown local-host inside:10.1.11.77 duration 0:00:00
<167>:Nov 16 15:52:41 GST: %ASA-session-7-609002: Teardown local-host identity:10.1.11.10 duration 0:00:00
On https://supportforums.cisco.com/docs/DOC-15016 it is written that I must install a 3DES/AES license. But that's impossible for me because of the law.
How can I use ASDM without strong encryption?
11-19-2012 05:41 AM
If you are unable to upgrade your ASA to 3DES/AES license, then you must downgrade your browser (or its settings).
I don't have a weak key ASA to test against, but I believe if you go into the advanced settings of your browser and DESELECT SSL 3.0 (and possibly 2.0 and TLS as well) that your client will then accept the low security SSL settings offered by your ASA.
Here is a listing of typical locations for those settings on browsers:
Change these settings with care and take into account changing them back for other uses.
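A way to confirm the mismatch from the syslog itself, as an added example that is not part of the original posts: the script pairs the device cipher list (message 725010) with each client offer (725008) and reports the overlap and the handshake error (725014). The sample lines are abridged from the log in the question; the function and field names are illustrative.

```python
import re

# Abridged from the syslog in the question above (client cipher list shortened).
SAMPLE_LOG = """\
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725010: Device supports the following 1 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DES-CBC-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725008: SSL client inside:10.1.11.77/1257 proposes the following 11 cipher(s).
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[2] : AES256-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725011: Cipher[3] : DES-CBC3-SHA
<167>:Nov 16 15:52:41 GST: %ASA-ssl-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

MSG = re.compile(r"%ASA-\w+-\d-(\d{6}): (.*)")       # message id and text
CIPHER = re.compile(r"Cipher\[\d+\] : (\S+)")        # one 725011 entry
CLIENT = re.compile(r"SSL client (\S+) proposes")    # 725008 header
SINGLE_DES = {"DES-CBC-SHA"}                         # 56-bit DES suite seen in the log


def analyze(log):
    """Return one dict per client offer with device/offered/shared ciphers."""
    results, device, target, current = [], [], None, None
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "725010":            # start of the device cipher list
            device = []
            target = device
        elif msg_id == "725008":          # start of a client cipher list
            current = {"client": CLIENT.match(text).group(1),
                       "device": device, "offered": [], "error": None}
            results.append(current)
            target = current["offered"]
        elif msg_id == "725011" and target is not None:
            c = CIPHER.match(text)
            if c:
                target.append(c.group(1))
        elif msg_id == "725014" and current:
            current["error"] = text.rsplit("Reason: ", 1)[-1]
    for r in results:
        r["shared"] = [c for c in r["offered"] if c in r["device"]]
        r["device_single_des_only"] = set(r["device"]) <= SINGLE_DES
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r["client"], "shared:", r["shared"] or "none", "error:", r["error"])
```

An empty `shared` list together with `device_single_des_only` set to true matches the situation in this thread: the appliance offers only single DES and the client offers none of it.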