06-18-2015 09:42 PM - last edited on 03-25-2019 05:56 PM by ciscomoderator
I am setting up an ASA 5506 and I am unable to reach the ASDM via Chrome, Firefox, or IE. I tried lowering the encryption level and I may have made the problem worse. I am unable to get the ASA to accept any cipher except DES-CBC-SHA and NULL-SHA. I get the following errors no matter the cipher level:
ciscoasa(config)# ssl cipher dtlsv1 custom AES128-SHA
ERROR: Invalid version/level combination: no compatible ciphers found
ERROR: Unable to update ciphers.
Are there any recommendations?
Modified show run:
ciscoasa(config)# show run
: Saved
:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.3(2)2
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif Inside
security-level 100
ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
<--- More --->...
interface Management1/1
management-only
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu Inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.253
ssl cipher default custom "NULL-SHA"
ssl cipher sslv3 custom "NULL-SHA"
dynamic-access-policy-record DfltAccessPolicy
username admin password encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxx
: end
06-19-2015 11:01 AM
Hi,
Take a pcap on client and see where it is failing. You can try putting in all the ciphers in the list and see if that works?
Regards,
Kanwal
Note: Please mark answers if they are helpful.
06-19-2015 11:04 AM
Most likely the unit does not have the free 3DES-AES licenses installed. Lack of that will prevent you from using the strong ciphers that most modern browsers require to establish secure connectivity.
Check it as follows:
ASA# sh ver | i 3DES
Encryption-3DES-AES : Enabled perpetual
If you don't see it enabled, go to www.cisco.com/go/license and you can get the free license. It will come with installation instructions.
01-03-2017 03:54 AM
Fantastic!
After hours of searching and wondering why I couldn't connect to my ASA from neither ASDM or SSH, I found this post.
Thank you!
Edit: ASDM works fine now, but I still cannot connect via SSH2. Any ideas why not?
Thanks again.
01-03-2017 07:42 AM
[@dal@alesund.kommune.no]
Good to hear. Please rate the response if it helped you.
For the SSH2 issue, make sure your ASA has it set and that you haven't specified something like DH group 14. Your SSH configuration should include the following:
ssh version 2
ssh key-exchange group dh-group1-sha1
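The two answers above boil down to a handful of settings that can be read straight out of the running config and the "show version" output: whether the 3DES-AES license is enabled, which custom SSL cipher lists are configured, and which SSH version and key-exchange group are set. The following Python script is an added example (not code from the thread or from Cisco) that audits pasted ASA output for exactly those points. The sample config and license lines are constructed to mirror what is quoted in this thread; the cipher names treated as weak, the regular expressions and the finding text are the example's own assumptions, and the script only reads text, so it can be run offline against a saved "show run" and "show version".

```python
import re

# Constructed sample input modelled on the running-config and "show version"
# fragments quoted in this thread (not captured from a real device).
SAMPLE_RUN_CONFIG = """\
ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
ssl cipher default custom "NULL-SHA"
ssl cipher sslv3 custom "NULL-SHA"
http server enable
"""

SAMPLE_SHOW_VERSION = """\
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
"""

# Cipher suites that give no confidentiality (NULL-*) or are export/legacy
# grade; without the 3DES-AES license these are the only ones the box offers.
WEAK_CIPHERS = {"NULL-SHA", "NULL-MD5", "DES-CBC-SHA",
                "EXP-RC4-MD5", "RC4-SHA", "RC4-MD5"}


def has_strong_crypto_license(show_version: str) -> bool:
    """True when the 'Encryption-3DES-AES' feature line reports Enabled."""
    m = re.search(r"^Encryption-3DES-AES\s*:\s*(\w+)", show_version, re.M)
    return bool(m) and m.group(1).lower() == "enabled"


def parse_ssl_ciphers(run_config: str) -> dict:
    """Map each 'ssl cipher <version> custom "<list>"' line to its cipher names.

    ASA separates ciphers in a custom string with ':'; a single cipher has none.
    """
    ciphers = {}
    for m in re.finditer(r'^ssl cipher (\S+) custom "([^"]*)"', run_config, re.M):
        ciphers[m.group(1)] = [c for c in m.group(2).split(":") if c]
    return ciphers


def audit(run_config: str, show_version: str) -> list:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []

    # Without the (free) 3DES-AES license only DES and NULL suites are usable,
    # which is why modern browsers refuse the ASDM handshake.
    if not has_strong_crypto_license(show_version):
        findings.append("3DES-AES license not enabled: only DES/NULL TLS ciphers usable")

    for version, cipher_list in parse_ssl_ciphers(run_config).items():
        weak = [c for c in cipher_list if c in WEAK_CIPHERS]
        if weak:
            findings.append(f"ssl cipher {version}: weak ciphers configured {weak}")

    # dh-group1-sha1 is the 1024-bit MODP group; flag it so an operator who
    # enables it for client compatibility does so knowingly.
    if re.search(r"^ssh key-exchange group dh-group1-sha1\b", run_config, re.M):
        findings.append("ssh key-exchange uses dh-group1-sha1 (1024-bit DH)")

    if not re.search(r"^ssh version 2\b", run_config, re.M):
        findings.append("ssh version 2 is not pinned in the running config")

    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RUN_CONFIG, SAMPLE_SHOW_VERSION):
        print("-", line)
```

Paste the real outputs into the two strings (or read them from files) and the findings list tells you at a glance whether the license, the SSL cipher lists or the SSH settings are the reason a browser or SSH client cannot negotiate.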
01-05-2017 09:51 AM
Thank you for your response.
Unfortunately this tip did not help.
Still not able to connect via SSH.
Not sure when it stopped working either, but I know for sure it has worked in the past.
Thanks.
01-05-2017 09:54 AM
Could it possibly be client side settings issue? Have you tried an alternative ssh client?
If you have, you might be able to get some information from turning on verbose logging on your client or doing a packet capture while trying to connect.
02-09-2017 12:12 PM
This issue is now resolved!
After upgrading to the latest version of ASA and ASDM, I get an error in the log when trying to log in:
%ASA-3-315004: Fail to establish SSH session because RSA host key retrieval failed.
After that it was easy to find a solution on the internet:
https://axelilly.wordpress.com/2010/05/19/cant-ssh-into-asa/
In short:
Type in this line via console cable or from the Tools menu in ASDM:
conf t
crypto key generate rsa modulus 2048
wr mem