4774 Views, 0 Helpful, 7 Replies
Beginner

SSL mismatch with ASA 5506

I am setting up an ASA 5506 and I am unable to reach the ASDM via Chrome, Firefox, or IE. I tried lowering the encryption level and I may have made the problem worse. I am unable to get the ASA to accept any cipher except DES-CBC-SHA and NULL-SHA. I get the following errors no matter the cipher level:

ciscoasa(config)# ssl cipher dtlsv1 custom AES128-SHA
ERROR: Invalid version/level combination: no compatible ciphers found
ERROR: Unable to update ciphers.

Are there any recommendations?

Modified show run:

ciscoasa(config)# show run
: Saved

:
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.3(2)2
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif Inside
 security-level 100
 ip address 
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
<--- More --->...

interface Management1/1
 management-only
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu Inside 1500
mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck

ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.253
ssl cipher default custom "NULL-SHA"
ssl cipher sslv3 custom "NULL-SHA"
dynamic-access-policy-record DfltAccessPolicy
username admin password  encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxx
: end

7 REPLIES

Cisco Employee

Hi,

Take a pcap on the client and see where it is failing. You can try putting in all the ciphers in the list and see if that works?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hall of Fame Guru

Most likely the unit does not have the free 3DES-AES licenses installed. Lack of that will prevent you from using the strong ciphers that most modern browsers require to establish secure connectivity.

Check it as follows:

ASA# sh ver | i 3DES
Encryption-3DES-AES               : Enabled        perpetual

If you don't see it enabled, go to www.cisco.com/go/license and you can get the free license. It will come with installation instructions. 

dal, Participant

Fantastic!

After hours of searching and wondering why I couldn't connect to my ASA from either ASDM or SSH, I found this post.

Thank you!

Edit: ASDM works fine now, but I still cannot connect via SSH2. Any ideas why not?

Thanks again.

Hall of Fame Guru

@dal@alesund.kommune.no

Good to hear. Please rate the response if it helped you.

For the SSH2 issue, make sure your ASA has it set and that you haven't specified something like DH group 14. Your SSH configuration should include the following:

ssh version 2
ssh key-exchange group dh-group1-sha1
dal, Participant

Thank you for your response.

Unfortunately this tip did not help.

Still not able to connect via SSH.

Not sure when it stopped working either, but I know for sure it has worked in the past.

Thanks.

Hall of Fame Guru

Could it possibly be client side settings issue? Have you tried an alternative ssh client?

If you have, you might be able to get some information from turning on verbose logging on your client or doing a packet capture while trying to connect.

dal, Participant

This issue is now resolved!

After upgrading to the latest version of ASA and ASDM, I get an error in the log when trying to log in:

%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.

After that it was easy to find a solution on the internet:

https://axelilly.wordpress.com/2010/05/19/cant-ssh-into-asa/

In short:

Type in this line via console cable or from the Tools menu in ASDM:

conf t
crypto key generate rsa modulus 2048
wr mem
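The thread arrives at three separate checks: whether the free 3DES-AES feature is licensed (the `show version | include 3DES` check in the second reply), whether the `ssl cipher` lines still carry NULL or single-DES ciphers or an SSLv3 list, and whether SSH is pinned to version 2 with a usable key-exchange group and has an RSA host key (the `%ASA-3-315004` message in the last post). The Python script below is an added example, not part of this thread and not Cisco tooling, that runs all of those checks over pasted ASA output so a defender can audit a box before opening a browser or SSH client. The `ssl cipher` and `ssh` lines in the sample input are copied from the question's show run; the `show version` excerpt and the two syslog lines are constructed for the example. The dh-group14 recommendation in the SSH check is the editor's, not the thread's: `dh-group1-sha1` is a 1024-bit group, and ASA 9.x also accepts `ssh key-exchange group dh-group14-sha1`.

```python
"""Audit pasted ASA output for the SSL/SSH problems discussed in this thread."""
import re

# --- Constructed sample input -------------------------------------------
# The 'ssl cipher' and 'ssh' lines are copied from the show run in the
# question; the 'show version' excerpt and the syslog lines are assumed
# (constructed for this example, not taken from the thread).
SHOW_VERSION = """\
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
"""

SHOW_RUN = """\
ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
ssl cipher default custom "NULL-SHA"
ssl cipher sslv3 custom "NULL-SHA"
"""

SYSLOG = """\
%ASA-6-605005: Login permitted from 192.168.1.10/51234 to Inside:192.168.1.1/ssh for user "admin"
%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
"""

# OpenSSL-style cipher names that give no or negligible confidentiality.
# '^DES-CBC-' is single DES (DES-CBC-SHA); 3DES is 'DES-CBC3-...' and is not matched.
WEAK_CIPHER_RE = re.compile(r"NULL|^DES-CBC-|EXPORT|RC4|MD5")
SSL_CIPHER_RE = re.compile(r'ssl cipher (\S+) custom "?([^"]*)"?')
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")


def strong_crypto_licensed(show_version: str) -> bool:
    """True when the free 3DES-AES feature shows as Enabled in 'show version'."""
    m = re.search(r"Encryption-3DES-AES\s*:\s*(\w+)", show_version)
    return bool(m) and m.group(1).lower() == "enabled"


def ssl_findings(show_run: str) -> list:
    """Flag SSLv3 cipher lists and weak cipher names in 'ssl cipher' commands."""
    findings = []
    for line in show_run.splitlines():
        m = SSL_CIPHER_RE.match(line.strip())
        if not m:
            continue
        version, cipher_string = m.group(1), m.group(2)
        if version == "sslv3":
            findings.append("sslv3: SSLv3 cipher list configured; SSLv3 is obsolete")
        weak = [c for c in cipher_string.split(":") if WEAK_CIPHER_RE.search(c)]
        if weak:
            findings.append(f"{version}: weak ciphers {weak}")
    return findings


def ssh_findings(show_run: str) -> list:
    """Check the SSH settings the replies in this thread talk about."""
    lines = [ln.strip() for ln in show_run.splitlines()]
    findings = []
    if "ssh version 2" not in lines:
        findings.append("ssh: 'ssh version 2' not present in the running-config")
    for ln in lines:
        if ln.startswith("ssh key-exchange group") and ln.endswith("dh-group1-sha1"):
            findings.append("ssh: key-exchange dh-group1-sha1 is a 1024-bit group; "
                            "prefer dh-group14-sha1 where the client supports it")
    return findings


def syslog_findings(syslog: str) -> list:
    """Detect the %ASA-3-315004 message from the last post and say what fixes it."""
    findings = []
    for line in syslog.splitlines():
        m = SYSLOG_RE.match(line)
        if m and m.group("msgid") == "315004":
            findings.append("315004 (severity %s): no RSA host key; run "
                            "'crypto key generate rsa modulus 2048' then 'write memory'"
                            % m.group("sev"))
    return findings


def audit(show_version: str, show_run: str, syslog: str) -> dict:
    """Run every check and return a dict a script or ticket can consume."""
    return {
        "strong_crypto_licensed": strong_crypto_licensed(show_version),
        "ssl": ssl_findings(show_run),
        "ssh": ssh_findings(show_run),
        "syslog": syslog_findings(syslog),
    }


if __name__ == "__main__":
    for key, value in audit(SHOW_VERSION, SHOW_RUN, SYSLOG).items():
        print(f"{key}: {value}")
```

On the question's own config the script reports the 3DES-AES feature as not licensed, flags NULL-SHA on both the default and sslv3 cipher lines, notes that SSH is neither pinned to version 2 nor using a group larger than 1024 bits, and maps the 315004 syslog message to the `crypto key generate rsa modulus 2048` fix from the final post. Paste real `show version`, `show run` and syslog text in place of the sample strings to audit another unit.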