Showing results for 
Search instead for 
Did you mean: 

Douglas Holmes

Enable FIPS - ASA 9(4)2.11 can't connect ASDM 7.61

Setup an ASA and enabled FIPS mode.  Can no longer connect via ASDM.  Set the DH group to 24, and set the encryption for all to FIPS.  Able to connect after I turn off enable FIPS and can't connect when I turn it on.  Has anyone worked through this issue?  Am I going to far advanced on the ASDM?  I do know a change was made for SSH that necessitates an update to the DH Group.  I was gong to open a TAC case, but thought I was ask here first.  I set the the following encryption:





The ASDM and ASA always agree on dhe-aes128-sha1 but fails when FIPS is on, works when FIPS is off.  Thanks. 

Jesse Peden

I have the same issue.  It's not limited to the versions of ASA and ASDM code you listed, though.  There's an article that says it's because the self-signed certificates that the ASA can generate are only SHA-1 and would need to be at least SHA-2 in order for ASDM to work while FIPS is enabled and states that you can generate a cert from another system to import onto the ASA, that is signed with SHA-2, and that it would then work.  I tried that (for a little while) and couldn't get it working.  The odd thing is that I have multiple pairs of ASAs all running the same versions of code and ASDM, all have FIPS enabled, all have self-signed certs, and only 1 of the pairs has this issue.  I can get to ASDM just fine on the other pairs. I have compared the configs and can't find what's making the difference, so far but, I'm still working on it and won't give up until I find it.

Hey Jesse, I sort of figured it out. 

punchy# show run ssl
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 fips
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl trust-point TRUST
ssl trust-point TRUST Management

Mine are all still the default values, on the working and non-working pairs.  I tried changing the values to "fips" on the non-working unit and was still not able to get into ASDM.  Anything else you changed beside those?

Content for Community-Ad