Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1491
Views
0
Helpful
3
Replies

Cannot access ASDM in new configured ASA 5515-X

rbcisco90
Level 1
Level 1

‎04-27-2017 01:54 PM - edited ‎03-12-2019 02:17 AM

I'm configuring a 5515-X ASA Firewall, have downloaded last ASA and ASDM versions (asa971-4-smp-k8.bin and disk0:/asdm-771-150.bin), configured username, interface, authentication but cannot access via HTTPS. The 'debug http 255' command shows nothing, and 'debug ssl 255' shows this:

error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1409C041:SSL routines:ssl3_setup_read_buffer:malloc failure@s3_both.c:915
error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:setup buffers failed@s23_srvr.c:284
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1409C041:SSL routines:ssl3_setup_read_buffer:malloc failure@s3_both.c:915
error:14076FA2:SSL routines:SSL23_GET_CLIENT_HELLO:setup buffers failed@s23_srvr.c:284

I tried to change ciphers, without success. I have another 5515-X with the same configuration, and it's working fine !

This is an extract of the show running configuration:

ASA5515-LAB# sh run
: Saved


ASA Version 9.7(1)4
!
hostname ASA5515-LAB

!
interface GigabitEthernet0/0
 nameif untrusted
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 nameif inside_one
 security-level 0
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif mgmt
 security-level 90
 ip address 10.0.0.25 255.255.255.0
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa971-4-smp-k8.bin
asdm image disk0:/asdm-771-150.bin
no asdm history enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 mgmt
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 mgmt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
: end

Also, I can confirm I have a 3DES license:

Encryption-3DES-AES               : Enabled        perpetual

Any help will be appreciated

Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎04-27-2017 04:05 PM

Hi 

I had the same issue and was facing the following bug: 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCuy47809

I've upgraded to latest recommended version 9.6.3 

In your case you're in 9.7.1. 

Can you downgrade to the latest recommended version and see if you're still having this issue. 

Otherwise I would recommend opening a TAC case. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

rbcisco90
Level 1
Level 1
In response to Francesco Molino

‎04-28-2017 09:11 AM

Thanks for your help.
Unfortunately, that didn't worked. I also tried several ASA/ASDM versions, including the one of the another ASA5515-X working fine. When I configured that some years ago, I had a similar issue, but cannot remember how I resolved it (I think that time was something abount AAA Authentication).

But now, I think the problem is something with the cipher or keys, but I cannot find it.

0 Helpful

cvcvdvdv
Level 1
Level 1
In response to rbcisco90

‎01-26-2018 12:04 AM

This was probably caused by CSCve49754 which has a suggested workaround of not binding the trustpoints to the interfaces directly but assigning the trustpoint globally.for all interfaces.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card