Cannot access ASDM in new configured ASA 5515-X

rbcisco90 · ‎04-27-2017

I'm configuring a 5515-X ASA Firewall, have downloaded last ASA and ASDM versions (asa971-4-smp-k8.bin and disk0:/asdm-771-150.bin), configured username, interface, authentication but cannot access via HTTPS. The 'debug http 255' command shows nothing, and 'debug ssl 255' shows this:

error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1409C041:SSL routines:ssl3_setup_read_buffer:malloc failure@s3_both.c:915
error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:setup buffers failed@s23_srvr.c:284
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1409C041:SSL routines:ssl3_setup_read_buffer:malloc failure@s3_both.c:915
error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:setup buffers failed@s23_srvr.c:284

I tried to change ciphers, without success. I have another 5515-X with the same configuration, and it's working fine !

This is an extract of the show running configuration:

ASA5515-LAB# sh run
: Saved

ASA Version 9.7(1)4
!
hostname ASA5515-LAB

!
interface GigabitEthernet0/0
nameif untrusted
security-level 0
no ip address
!
interface GigabitEthernet0/1
nameif inside_one
security-level 0
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif mgmt
security-level 90
ip address 10.0.0.25 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa971-4-smp-k8.bin
asdm image disk0:/asdm-771-150.bin
no asdm history enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 mgmt
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 mgmt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
: end

Also, I can confirm I have a 3DES license:

Encryption-3DES-AES : Enabled perpetual

Any help will be appreciated

Francesco Molino · ‎04-27-2017

Hi

I had the same issue and was facing the following bug:

https://quickview.cloudapps.cisco.com/quickview/bug/CSCuy47809

I've upgraded to latest recommended version 9.6.3

In your case you're in 9.7.1.

Can you downgrade to the latest recommended version and see if you're still having this issue.

Otherwise I would recommend opening a TAC case.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

rbcisco90 · ‎04-28-2017

Thanks for your help.
Unfortunately, that didn't worked. I also tried several ASA/ASDM versions, including the one of the another ASA5515-X working fine. When I configured that some years ago, I had a similar issue, but cannot remember how I resolved it (I think that time was something abount AAA Authentication).

But now, I think the problem is something with the cipher or keys, but I cannot find it.

cvcvdvdv · ‎01-26-2018

This was probably caused by CSCve49754 which has a suggested workaround of not binding the trustpoints to the interfaces directly but assigning the trustpoint globally.for all interfaces.