Unable to access ASA 5508-X per Quick Start Guide

Phillip Burum
Level 1

New ASA 5508-X.

Following the Quick Start Guide and cannot access the device at https://192.168.1.1/admin. In IE the error is to enable TLS 1.0, 1.1 or 2.0, and in Chrome I get "SSL Version or Cipher Mismatch".

I've seen a few different posts on this topic, but they are years old and apply to different software versions. The device is in a room without external access, so I have to remember the details to type here.

ASA 9.5(2)

Device Manager Ver 7.5(2)

sh ssl

Accept connections using SSLv3 or greater and negotiate to TLSv1 or geater
Start connections using TLSv1 and negotiate greater
SSL DH Group group2
SSL ECDH Group group 19
SSL Trust points:
Self signed RSA avail
Self Signed EC 256 available
Cert auth is not enabled

Not sure what else I'm missing (though I'm sure there's a lot)

Any help/suggestions would be appreciated. While I used to live Cisco, that was before we moved to Brocade, and then I left the field entirely 10 years ago, so I'm a little behind the curve.. LOL

7 Replies

Philip D'Ath
VIP Alumni

I don't know the answer, but these are the crypto settings I am using for SSL:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20

Kanwaljeet Singh
Cisco Employee

Hi Phillip,

From the error message it seems to be an SSL version or cipher mismatch issue.

Please put in all the ciphers available and try again. SSL cipher level all is the command.

Hope this helps.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Fnu/Kanwal,

Thank you for the suggestion. I am afraid that I cannot execute "SSL cipher level all" for a couple reasons. First, "level" isn't valid syntax at that point. I believe it would be "SSL cipher default all" for example. The second problem is that I don't have all cipher levels available with the factory license. I only have "low" as an option for the ciphers.

I would have installed the license, except the license tool at Cisco.com appears to require ASDM to use in conjunction with my PAK, except I can't get into ASDM. It's a horrible catch-22.

Thanks!

--Phillip

Somebody probably ordered the "k8" version of the ASA vs the "k9". k8 does not have the license required for strong ciphers included.

You need to install the free 3DES-AES license to allow you to enable strong ciphers. Modern browsers will not negotiate a secure connection with your ASA unless strong ciphers are available on the ASA end.

No ASDM is necessary to perform this prerequisite step. Just get the serial number of your ASA from the cli ("show inventory" or "show version" will both provide it) and use that in the Cisco licensing portal to get a 3DES-AES license issued.

In the portal you need to choose "Get Other Licenses" and then "IPS, Crypto, Other...".

https://tools.cisco.com/SWIFT/LicensingUI/Quickstart
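A way to see from the admin workstation what the ASA actually negotiates before and after the license and cipher change, as an added example that is not part of this thread. It pins one TLS version per handshake so a "version or cipher mismatch" failure can be attributed to either the protocol version or the cipher list; the hint table, the `browser_compatible` rule and the use of the quick start guide's 192.168.1.1 address are assumptions made for this example.

```python
import socket
import ssl

# Constructed table: substrings of ssl.SSLError messages and the likely cause.
FAILURE_HINTS = [
    ("sslv3 alert handshake failure", "no cipher suite in common"),
    ("tlsv1 alert protocol version", "server rejected the offered TLS version"),
    ("unsupported protocol", "server does not speak the requested TLS version"),
    ("no protocols available", "this client build refuses the requested TLS version"),
    ("wrong version number", "endpoint is not speaking TLS on this port"),
]

def classify_failure(message):
    """Map an SSLError message to a short cause; generic text if nothing matches."""
    lowered = message.lower()
    for needle, hint in FAILURE_HINTS:
        if needle in lowered:
            return hint
    return "unknown handshake failure"

def probe(host, port=443, version=ssl.TLSVersion.TLSv1_2, timeout=5.0):
    """Handshake once, pinned to exactly one TLS version, and report the result.
    Certificate checks are off because a factory ASA is self-signed; this is
    a diagnostic, not a trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return {"ok": True, "version": tls.version(), "cipher": name, "bits": bits}
    except ssl.SSLError as err:
        return {"ok": False, "version": version.name, "cause": classify_failure(str(err))}
    except OSError as err:
        return {"ok": False, "version": version.name, "cause": f"connection error: {err}"}

def browser_compatible(result):
    """Assumed rule: a current browser accepts TLS 1.2+ with a 128-bit, non-3DES cipher."""
    if not result["ok"] or result["version"] not in ("TLSv1.2", "TLSv1.3"):
        return False
    return result["bits"] >= 128 and "DES" not in result["cipher"]

if __name__ == "__main__":
    # 192.168.1.1 is the factory management address from the quick start guide.
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        r = probe("192.168.1.1", version=v)
        print(v.name, r, "browser-ok" if browser_compatible(r) else "")
```

On a k8 unit with only low ciphers, expect the TLS 1.2 line to report "no cipher suite in common"; after `ssl cipher default all` it should report an AES cipher and "browser-ok".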

Sir,

I greatly appreciate the walk-through on downloading a free 3DES-AES license. Now to figure out how to get into ASDM.... 

Thanks!

--Phillip

en
conf t
ssl cipher default all
wr mem

HA! Looks like progress to me!

Looks like you are getting it.

The license installation is simple and instructions should be in the email via which the activation key is conveyed.

conf t
activation-key <key provided>
end
wr mem