01-07-2011 09:54 AM - edited 03-11-2019 12:31 PM
I'm trying to access my ASA 5505 by https://192.168.1.1 but I can't. I'm using Windows 7. I already have installed ASDM and I can enter in the box by ASDM. I am preparing to reformat my PC and I'm afraid that I won't be able to access my ASA if I do.
Mozilla shows the message:
An error occurred during a connection to 192.168.1.1.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Please bear in mind that I am a total noob. Any help is greatly appreciated.
01-10-2011 11:24 AM
GUI - you are connected via GUI? That is ASDM.
It works?
You can have up to 5 asdm connections. 3 are taken - maybe you can try from another computer and see if it works.
-KS
01-10-2011 11:55 AM
You can issue "clear conn all 192.168.1.21" from the CLI. That should remove those connections.
Issue the "sh asp table socket" command again to make sure.
Very glad to hear you are now able to connect. Pls. consider marking the thread as resolved.
-KS
01-07-2011 10:13 AM
Did you assign your computer a static ip address?
Try setting your computer with 192.168.1.2
subnet 255.255.255.0
default gateway 192.168.1.1
Have you already changed the private ip of the firewall? If so use that instead of the 192 address.
01-07-2011 10:20 AM
I found this on Cisco's site, but I have no earthly idea how to remove temporary file from root. HELP!
A. This issue is due to Cisco Bug ID CSCtc37947 (registered customers only). In order to resolve this issue, remove the temporary files created for auto update from the root account on CSC, and then restart the services.
01-07-2011 03:13 PM
Kyle,
That defect is to log into a CSC module as root. You have an ASA5505 that cannot take a CSC module.
Here is a doc that I had written to troubleshoot management issues with the ASA. The first one listed is the asdm.
Let us run through this list: https://cisco-support.hosted.jivesoftware.com/docs/DOC-13012
-KS
01-10-2011 08:37 AM
This is the result of running "sh ver" in the ASDM
Result of the command: "sh ver"
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
AIM-ASA-FW up 54 days 19 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001b.0c2c.0d1c, irq 11
1: Ext: Ethernet0/0 : address is 001b.0c2c.0d14, irq 255
2: Ext: Ethernet0/1 : address is 001b.0c2c.0d15, irq 255
3: Ext: Ethernet0/2 : address is 001b.0c2c.0d16, irq 255
4: Ext: Ethernet0/3 : address is 001b.0c2c.0d17, irq 255
5: Ext: Ethernet0/4 : address is 001b.0c2c.0d18, irq 255
6: Ext: Ethernet0/5 : address is 001b.0c2c.0d19, irq 255
7: Ext: Ethernet0/6 : address is 001b.0c2c.0d1a, irq 255
8: Ext: Ethernet0/7 : address is 001b.0c2c.0d1b, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1108K2X3
Running Activation Key: 0x3e2d3568 0x68c54746 0x448071d8 0x8f201000 0x0033c784
Configuration register is 0x1
Configuration last modified by aimfwadm at 08:54:13.532 EST Thu Jan 6 2011
How do I enable VPN-3DES-AES? Does it matter that I'm not running any VPNs?
01-10-2011 08:39 AM
Yes, that is correct.
Pls. follow this procedure and get the 3des license. It is free.
You simply have to go to cisco.com/go/license
please click here for available licenses.
Can you try that and let me know if ssh works for you with 3DES?
-KS
01-10-2011 08:56 AM
I filled out the form on Cisco's site, and the last web page just says "Message: You have been registered for download of Encrypted Software." Is there something I need to do? Do I download something?
01-10-2011 09:05 AM
You would have to provide the serial number of the unit and your CCO id and other information. Once done it will say that you will be e-mailed the activation-key within 1 hour.
Did you get that message?
If not pls. do the procedure again.
Once you get the activation key via e-mail pls. add it to the device
conf t
activation-key
wr mem
exit
-KS
01-10-2011 09:09 AM
Can I do all of this from the CLI menu of the ASDM? Or do I have to use TTY or something? Can I issue a conf t from the single line interface?
I have not received the email yet, but it hasn't been an hour.
01-10-2011 09:48 AM
You should be able to add the activation-key from the asdm - if you know where it is
Just checked it is under
configuration >> device management >> licensing >> activation key
-KS
01-10-2011 10:29 AM
Okay, I received the activation key, and now it shows that 3DES is activated and enabled, but I'm still getting the same error. I cannot connect to my ASA using HTTPS.
01-10-2011 10:32 AM
So, let us run through and finish the rest of the checks on that link that I had sent earlier.
-KS
01-10-2011 10:37 AM
Result of the command: "sh ver"
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
AIM-ASA-FW up 54 days 21 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001b.0c2c.0d1c, irq 11
1: Ext: Ethernet0/0 : address is 001b.0c2c.0d14, irq 255
2: Ext: Ethernet0/1 : address is 001b.0c2c.0d15, irq 255
3: Ext: Ethernet0/2 : address is 001b.0c2c.0d16, irq 255
4: Ext: Ethernet0/3 : address is 001b.0c2c.0d17, irq 255
5: Ext: Ethernet0/4 : address is 001b.0c2c.0d18, irq 255
6: Ext: Ethernet0/5 : address is 001b.0c2c.0d19, irq 255
7: Ext: Ethernet0/6 : address is 001b.0c2c.0d1a, irq 255
8: Ext: Ethernet0/7 : address is 001b.0c2c.0d1b, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1108K2X3
Running Activation Key: 0x8024fc53 0xb0c5f46b 0x78236500 0xa5a4b898 0x4f040da2
Configuration register is 0x1
Configuration last modified by aimfwadm at 08:54:13.532 EST Thu Jan 6 2011
Result of the command: "sh run http"
http server enable
http 192.168.1.0 255.255.255.0 inside
Result of the command: "sh asp table socket"
Protocol  Socket    Local Address     Foreign Address       State
SSL       0003aa9f  192.168.1.1:443   0.0.0.0:*             LISTEN
TCP       00071c4f  192.168.1.1:23    0.0.0.0:*             LISTEN
TCP       000a9d7f  192.168.1.1:22    0.0.0.0:*             LISTEN
TCP       000f7a2f  69.130.7.114:22   0.0.0.0:*             LISTEN
SSL       79f47bd8  192.168.1.1:443   192.168.1.21:60887    ESTAB
SSL       79fd5938  192.168.1.1:443   192.168.1.21:60892    ESTAB
SSL       7a304a68  192.168.1.1:443   192.168.1.21:60962    ESTAB
Result of the command: "sh run webvpn"
webvpn
Result of the command: "sh run all ssl"
ssl server-version any
ssl client-version any
ssl encryption des-sha1
01-10-2011 11:15 AM
SSL 79f47bd8 192.168.1.1:443 192.168.1.21:60887 ESTAB
SSL 79fd5938 192.168.1.1:443 192.168.1.21:60892 ESTAB
SSL 7a304a68 192.168.1.1:443 192.168.1.21:60962 ESTAB
It shows that you have 3 asdm connections already established from the IP address 192.168.1.21.
Do you? Can you pls. close those windows if you have them open?
You need to add this line into the config
conf t
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
exit
and try again.
-KS
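Added example, not part of the original thread and not Cisco code: a Python check that reads the `VPN-3DES-AES` license line and the `ssl encryption` line from the outputs posted above and compares them with a client's cipher offer, which is the mismatch behind `ssl_error_no_cypher_overlap`. The keyword-to-suite mapping, the rule that strong ciphers are unusable without the license, and the client offer are assumptions; the three sample strings are constructed to mirror the thread's states (before the license, after the license, after the config change).

```python
import re

# Assumed mapping from ASA 8.x "ssl encryption" keywords to TLS suite names.
ASA_TO_SUITE = {
    "des-sha1": "TLS_RSA_WITH_DES_CBC_SHA",
    "3des-sha1": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "aes128-sha1": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "aes256-sha1": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
NEEDS_STRONG_LICENSE = {"3des-sha1", "aes128-sha1", "aes256-sha1"}
WEAK = {"des-sha1"}  # 56-bit single DES

# Constructed client offer: a browser that no longer offers single DES.
CLIENT_OFFER = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed excerpts of "sh ver" plus "sh run all ssl" for each state.
BEFORE = "VPN-3DES-AES : Disabled\nssl encryption des-sha1\n"
LICENSED = "VPN-3DES-AES : Enabled\nssl encryption des-sha1\n"
FIXED = ("VPN-3DES-AES : Enabled\n"
         "ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1\n")

def audit(show_output, client_offer=CLIENT_OFFER):
    """Report whether the device and client share at least one cipher."""
    lic = re.search(r"VPN-3DES-AES\s*:\s*(\w+)", show_output)
    strong_licensed = bool(lic) and lic.group(1) == "Enabled"
    enc = re.search(r"^ssl encryption\s+(.+)$", show_output, re.M)
    configured = enc.group(1).split() if enc else []
    # Assumption: strong ciphers are unusable until the license is active.
    usable = [c for c in configured
              if strong_licensed or c not in NEEDS_STRONG_LICENSE]
    common = [c for c in usable if ASA_TO_SUITE.get(c) in client_offer]
    return {
        "strong_licensed": strong_licensed,
        "configured": configured,
        "common": common,
        "handshake_possible": bool(common),
        "weak_enabled": [c for c in usable if c in WEAK],
    }

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("licensed", LICENSED), ("fixed", FIXED)):
        print(name, audit(text))
```

The middle state shows why installing the license alone did not help: the `ssl encryption` list still held only `des-sha1`. In the final state `des-sha1` is still reported under `weak_enabled`.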
01-10-2011 11:22 AM
No, I have nothing connected. How do you enter those commands? Through the "Command Line Interface" menu item from the GUI? I entered the first one. Logged in as my user. Entered the next one. I have nothing to exit from. Should I be using something else? How do I close those established sessions? That's probably my problem right there!