2768 Views | 0 Helpful | 4 Replies

No longer able to connect to ASDM on ASA 5505 - ERR_SSL_VERSION_OR_CIP

Jesserony (Level 1)

I used to be able to launch ASDM on a particular 5505 but now I cannot. I tried from a PC that has never had ASDM installed, and when I open the site over HTTPS it says:

"This site can’t provide a secure connection

194.33.13.168 uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Hide details
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite."
 
 
I have SSH access to the ASA. Can someone get me pointed in the right direction?
 
sho run all ssl
ssl server-version any
ssl client-version any
ssl encryption aes256-sha1
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint0 inside
 
 
 
sho ver
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.4(5)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
London-ASA up 55 days 2 hours
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
 0: Int: Internal-Data0/0    : address is 64f6.9d8e.853a, irq 11
 1: Ext: Ethernet0/0         : address is 64f6.9d8e.8532, irq 255
 2: Ext: Ethernet0/1         : address is 64f6.9d8e.8533, irq 255
 3: Ext: Ethernet0/2         : address is 64f6.9d8e.8534, irq 255
 4: Ext: Ethernet0/3         : address is 64f6.9d8e.8535, irq 255
 5: Ext: Ethernet0/4         : address is 64f6.9d8e.8536, irq 255
 6: Ext: Ethernet0/5         : address is 64f6.9d8e.8537, irq 255
 7: Ext: Ethernet0/6         : address is 64f6.9d8e.8538, irq 255
 8: Ext: Ethernet0/7         : address is 64f6.9d8e.8539, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 20             DMZ Unrestricted
Dual ISPs                      : Enabled        perpetual
VLAN Trunk Ports               : 8              perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Standby perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 25             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual
This platform has an ASA 5505 Security Plus license.
Serial Number: xxx
Running Permanent Activation Key: xxx
Configuration register is 0x1
Configuration last modified by enable_15 at 10:52:15.453 GMT/BDT Thu Jun 8 2023
Accepted Solution

Marvin Rhoads (Hall of Fame)

ASDM uses SSL/TLS, not ssh. So focus on that.

As the AI response suggested, your device manager 6.4(5) is very old. It will not present a set of SSL/TLS ciphers that a default modern installation of Java will support.

If you do not have access to a newer ASDM to download and use, then you would need to modify your client's Java library to accept the older insecure SSL ciphers that the old ASDM version supports. There's a thread response I wrote on that several years ago.

https://community.cisco.com/t5/network-security/can-t-log-into-the-asdm-anymore/td-p/3022633

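The browser error quoted at the top names two possible causes, no common protocol version or no common cipher suite, and the accepted answer points at the age of the ASDM/ASA image. The script below is an added example written for this thread (not Cisco's code and not Marvin's): it parses the pasted `show run all ssl` lines plus the ASA release string, works out which protocol versions and IANA cipher suites the ASA can offer, intersects them with a constructed approximation of a current browser's ClientHello, and reports which of the two overlaps is empty. The keyword-to-suite map, the 9.3(2) cutover for TLS 1.1/1.2, and the browser list are my assumptions and are marked as such in the code; `probe_live` is an optional helper that runs the same check against a reachable appliance with a placeholder hostname and is not used by the sample run.

```python
"""Added example (not Cisco's code): does an ASA's 'ssl' configuration overlap
with what a modern TLS client offers, and if not, on which axis?"""
import re
import socket
import ssl

# Assumed map from ASA 8.x 'ssl encryption' keywords to IANA suite names.
# (9.3(2)+ replaced this syntax with 'ssl cipher', which is not modelled here.)
ASA_CIPHER_KEYWORDS = {
    "null-sha1": "TLS_RSA_WITH_NULL_SHA", "des-sha1": "TLS_RSA_WITH_DES_CBC_SHA",
    "rc4-md5": "TLS_RSA_WITH_RC4_128_MD5", "rc4-sha1": "TLS_RSA_WITH_RC4_128_SHA",
    "3des-sha1": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "aes128-sha1": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "aes256-sha1": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
KEYWORD_TO_VERSION = {"sslv3": "SSLv3", "tlsv1": "TLSv1.0",
                      "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2"}

# Constructed approximation of a current browser's ClientHello: TLS 1.2/1.3
# only, AEAD suites first, a few legacy RSA CBC suites still listed last.
MODERN_BROWSER = {
    "versions": {"TLSv1.2", "TLSv1.3"},
    "ciphers": {
        "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    },
}

# Constructed sample: the 'sho run all ssl' lines pasted in the original post.
SAMPLE_SHOW_RUN_SSL = """\
ssl server-version any
ssl encryption aes256-sha1
ssl trust-point ASDM_TrustPoint1 outside
"""


def asa_versions(asa_release, server_version):
    """Versions the ASA's TLS server can offer. Assumption: images before 9.3(2)
    speak only SSLv3/TLS 1.0, 9.3(2)+ speak TLS 1.0-1.2. 'ssl server-version'
    narrows that: 'any' keeps all, '<v>-only' pins one, plain '<v>' is a floor."""
    nums = tuple(int(n) for n in re.findall(r"\d+", asa_release)[:3])
    supported = ORDER[:2] if nums < (9, 3, 2) else ORDER[1:]
    if server_version == "any":
        return set(supported)
    only = server_version.endswith("-only")
    floor = KEYWORD_TO_VERSION[server_version[:-5] if only else server_version]
    if only:
        return {floor} & set(supported)
    return {v for v in supported if ORDER.index(v) >= ORDER.index(floor)}


def parse_ssl_config(show_run_ssl):
    """Pull server-version and cipher keywords out of 'show run all ssl' text."""
    cfg = {"server_version": "any", "ciphers": []}
    for line in show_run_ssl.splitlines():
        parts = line.split()
        if parts[:2] == ["ssl", "server-version"]:
            cfg["server_version"] = parts[2]
        elif parts[:2] == ["ssl", "encryption"]:
            cfg["ciphers"] = parts[2:]
    return cfg


def diagnose(show_run_ssl, asa_release, client=MODERN_BROWSER):
    """Intersect the ASA's offer with the client's and say which set is empty."""
    cfg = parse_ssl_config(show_run_ssl)
    server_versions = asa_versions(asa_release, cfg["server_version"])
    server_ciphers = {ASA_CIPHER_KEYWORDS[k] for k in cfg["ciphers"] if k in ASA_CIPHER_KEYWORDS}
    common_versions = server_versions & client["versions"]
    common_ciphers = server_ciphers & client["ciphers"]
    if not common_versions:
        verdict = "no common protocol version"
    elif not common_ciphers:
        verdict = "no common cipher suite"
    else:
        verdict = "handshake possible"
    return {"server_versions": server_versions, "common_versions": common_versions,
            "common_ciphers": common_ciphers, "verdict": verdict}


def probe_live(host, port=443, timeout=5):
    """Optional live check: one handshake per TLS version, pinned through
    minimum/maximum_version. Needs network access; the sample run skips it."""
    results = {}
    for name, ver in (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # diagnosing the handshake, not trust
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL 3 still attempt old versions
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[name] = "failed: " + str(exc)
    return results


if __name__ == "__main__":
    print(diagnose(SAMPLE_SHOW_RUN_SSL, "8.3(1)"))
    # print(probe_live("asa.example.invalid"))  # placeholder host; replace for a live check
```

On the poster's configuration the verdict is "no common protocol version": an 8.3(1) image with `ssl server-version any` can only offer SSLv3 and TLS 1.0, so a TLS 1.2-only client never gets as far as cipher selection, even though `aes256-sha1` (TLS_RSA_WITH_AES_256_CBC_SHA) is still in the constructed browser list. Running the same sample against a 9.12(4) release string flips the verdict to "handshake possible", which is the upgrade path the accepted answer describes.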

4 Replies

It seems that you are using ASA Software Version 8.3(1) and Device Manager Version 6.4(5). The issue might be related to the SSL protocol and cipher suite mismatch between the client and the server. You can try to update the ASA and ASDM software to the latest recommended version to resolve compatibility issues with modern web browsers.

Before you proceed, make sure to back up your current configuration. You can do this by running the command "show run" and saving the output to a text file.

To upgrade the ASA software, follow these steps:

1. Download the latest recommended ASA and ASDM software images from the Cisco website.
2. Upload the new ASA and ASDM images to the ASA using TFTP or SCP. The command for TFTP would be:
copy tftp://(TFTP-Server-IP)/asa-image-name disk0:/asa-image-name
copy tftp://(TFTP-Server-IP)/asdm-image-name disk0:/asdm-image-name
3. Update the boot image reference in the configuration:
conf t
boot system disk0:/asa-image-name
asdm image disk0:/asdm-image-name
exit
4. Save the configuration and reload the ASA:
write memory
reload

After the ASA is reloaded, try to access the ASDM again. If the issue persists, check your SSL settings and make sure they match the requirements of the web browser you are using.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Divya Jain (Cisco Employee)

Hello,
We will need the show tech output to get more details.

You can check these things:

1. Verify your license status. If it's not registered, you can try re-registering ( https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/asa-appliance.html#task_gw4_tp5_rhb )

2. Newer ASA version images started to default their SSH server-side configuration to the key-exchange group 'diffie-hellman-group14-sha256'. In previous versions, the SSH server on the ASA defaults to 'dh-group14-sha1', and this is still configurable in your newer version of ASA.

This will make PuTTY or SecureCRT work. The only difference is that group14-sha256 in Diffie-Hellman provides stronger negotiation. PuTTY and SecureCRT clients can be customized to use 'diffie-hellman-group14-sha256' as well, but that is more of a client-related configuration. In sum, you can either make the PuTTY/SecureCRT clients use dh-group14-sha256 or set the SSH server on the ASA to use dh-group14-sha1.

Here are the steps to change the SSH server on the ASA from dh-group14-sha256 to group-14-sha1.

To see the ASA SSH server config, issue the command below on the CLI:

show run ssh

As an example:

ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256

Here is a list of other possible configurations of the ssh key-exchange group:

(config)# ssh key-ex group ?

configure mode commands/options:

dh-group1-sha1        Diffie-Hellman group 2
dh-group14-sha1      Diffie-Hellman group-14-sha1
dh-group14-sha256  Diffie-Hellman group-14-sha256

(config)# ssh key-ex group dh-group14-sha1
(config)# write memory

If you still can't find the error, maybe reach out to TAC and they will be able to check the show tech and find the error.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards
Divya Jain


Thank you Marvin and Divya! I will try these in the near future and update with the results here.
