ssh and asdm access

Benjamin Saito
Level 1

I just put a new configuration on a firewall and updated the ASA and ASDM versions on it. I was previously able to get to the ASDM but now I am unable to. I put the correct version of the ASDM on the running config but it immediately gets rejected when I try to pull it up in Internet Explorer.

SSH will not work either. I tried using SecureCRT and it gave me an error saying:

The client has disconnected from the server.  Reason:

Protocol version mismatch. Required protocol version is 2.0.  Received version was 1.5-Cisco-1.25.

I found out by doing a "show version" that vpn-3des-aes is disabled. Did research on that and saw I am supposed to upgrade the license on the firewall, but I already have an ASA 5505 Security Plus license on there. Do I still have to upgrade the license? Thanks in advance.

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Benjamin,

Yes, you do, as this will be an encryption algorithm upgrade, nothing to do with the features added by the Security Plus license.

The good thing is this is a free license.

Here is the link to get it

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Also after you do that do the following:

ssl encryption aes128-sha1 aes256-sha1 3des-sha1

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the quick response Julio. I had previously tried that link you supplied but never got an e-mail. But I tried it again and got an e-mail almost instantly, guess I did something wrong the first time. Anyways...

I just got the new activation key in the e-mail and it said this is what I get:

Inside Hosts                    : 10

Failover                        : Disabled

Encryption-DES                  : Enabled

Encryption-3DES-AES             : Enabled

Security Contexts               : Default

GTP/GPRS                        : Disabled

AnyConnect Premium Peers        : Default

Other VPN Peers                 : Default

Advanced Endpoint Assessment    : Disabled

AnyConnect for Mobile           : Disabled

AnyConnect for Cisco VPN Phone  : Disabled

Shared License                  : Disabled

UC Phone Proxy Sessions         : Default

Total UC Proxy Sessions         : Default

AnyConnect Essentials           : Disabled

Botnet Traffic Filter           : Disabled

Intercompany Media Engine       : Disabled

Everything looks right except failover is disabled. Does that mean I don't have the option to use this firewall in a ha pair? Also, if I put in the new activation key would I be able to put the old activation key back in? Thank you

Hello Benjamin,

Yes, looks like failover is disabled for you.

You should be able to place the old activation key (Security Plus).

Let me know how it goes

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Will the vpn-3des-aes being disabled have any effect on me not being able to get to the asdm? I am getting rejected immediately when trying to access it.

Hello,

Yes, it completely does.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your help Julio, I just put the new license on the firewall and now failover is disabled. It's not set up as an HA pair and probably never will be so I don't think this will be an issue.

Hello Benjamin,

Glad I could help.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
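
Added example (not part of the thread and not Cisco tooling): a Python check an administrator could run over collected SSH banners and license output to flag the two conditions discussed above. It classifies the identification string quoted in the SecureCRT error according to RFC 4253 and reads the "Name : Value" license lines; the function names and sample data are constructed for illustration.

```python
import re

# Constructed sample input modelled on the values quoted in the thread.
SAMPLE_BANNER = "SSH-1.5-Cisco-1.25\r\n"
SAMPLE_FEATURES = """\
Inside Hosts                    : 10
Failover                        : Disabled
Encryption-DES                  : Enabled
Encryption-3DES-AES             : Disabled
"""
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")
# The thread shows both spellings of the strong-crypto feature name.
STRONG_CRYPTO_KEYS = ("encryption-3des-aes", "vpn-3des-aes")


def ssh_versions_offered(banner):
    """Return the SSH major versions a server identification string offers.

    RFC 4253: "2.0" is SSH-2 only; "1.99" (section 5.1) means SSH-2 with
    SSH-1 compatibility; any other 1.x value is an SSH-1-only server.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    return {1, 2} if (major, minor) == (1, 99) else {major}


def parse_features(text):
    """Parse 'Name : Value' license lines into a dict keyed by lowercase name."""
    features = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() and value.strip():
            features[name.strip().lower()] = value.strip()
    return features


def audit(banner, feature_text):
    """Return a list of findings for one device (empty list means clean)."""
    findings = []
    offered = ssh_versions_offered(banner)
    if 2 not in offered:
        findings.append("SSH: only protocol 1 offered; SSH-2-only clients will disconnect")
    elif 1 in offered:
        findings.append("SSH: protocol 1 still accepted alongside 2 (banner 1.99)")
    features = parse_features(feature_text)
    if not any(features.get(k, "").lower() == "enabled" for k in STRONG_CRYPTO_KEYS):
        findings.append("License: 3DES-AES encryption feature is not enabled")
    return findings
```

Calling `audit(SAMPLE_BANNER, SAMPLE_FEATURES)` on the constructed sample returns both findings; a device with an SSH-2.0 banner and the feature enabled returns an empty list.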