10-23-2017 05:56 PM - edited 02-21-2020 06:33 AM
Hi guys,
I have read several of the articles on the same subject but none seem to apply to my situation. It doesn't seem to be either Java or missing configurations.
ISSUE:
I upgraded my ASA to 9.5(3)9 with ASDM 7.6(2) and put it in an HA pair. When I connect directly to the management port of the primary ASA, I can connect. Any other interface gets the "Unable to launch..." message. Before the upgrade I could have connected from the inside. Since no configurations were changed and since I can connect through the management interface, what would stop me from connecting through the inside?
The only difference in the configurations before and after is the ip address standby config because it is in an HA setup now: ip address x.x.x.1 x.x.x.0 standby x.x.x.2
CONFIGS:
sh run http
http server enable 444
http x.x.x.0 x.x.x.0 inside
http y.y.y.0 y.y.y.0 management
sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point ASDM_TrustPoint1 inside
ssl certificate-authentication fca-timeout 2
sh run aaa
aaa authorization http console LOCAL
sh asdm image
Device Manager image file, disk0:/asdm-762-150.bin
sh asp table socket
SSL 003f6188 LISTEN <inside IP address>:444 0.0.0.0:*
SSL 0053d978 LISTEN <management IP address>:444 0.0.0.0:*
My Java Version
Java Version 8 Update 151 (build 1.8.0_151-b12)
Note:
I get the same error when I try to connect to any interface on the secondary (including the management interface). I suspect that may be by design, but I'm not sure!
10-24-2017 10:56 AM
I was able to solve the issue. The ASDM Launcher was having issues performing the SSL handshake:
OK button clicked
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Once I removed the Trust point from the inside interface it was able to negotiate the handshake with the ASA. Solution:
no ssl trust-point <trustpoint_name> inside
Note: what didn't work
Changing the ssl ciphers to lower versions.
Adding exceptions to Java
Adding the certificate to Java
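An added example, not part of the original posts: a small Python check that reads `sh run http` and `sh run all ssl` output like that in the question and groups the ASDM-enabled interfaces by the trustpoint bound to them, the one setting that differed between the working management interface and the failing inside interface. The function names and sample text are constructed for illustration; a trustpoint configured with no interface name is treated as the fallback for every interface without its own.

```python
import re

# Constructed sample: lines taken from the "sh run http" and "sh run all ssl"
# output in the question, with the masked addresses left as posted.
SAMPLE_CONFIG = """\
http server enable 444
http x.x.x.0 x.x.x.0 inside
http y.y.y.0 y.y.y.0 management
ssl server-version tlsv1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint1 inside
"""

HTTP_RE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TP_RE = re.compile(r"^ssl trust-point\s+(\S+)(?:\s+(\S+))?\s*$")


def asdm_interface_view(config_text):
    """Return {interface: trustpoint or None} for each interface with an http allow line."""
    allowed, bound, fallback = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        # Only "http <network> <mask> <interface>" lines; skips "http server ...".
        if m and ("." in m.group(1) or ":" in m.group(1)):
            if m.group(3) not in allowed:
                allowed.append(m.group(3))
            continue
        m = TP_RE.match(line)
        if m:
            if m.group(2):
                bound[m.group(2)] = m.group(1)   # per-interface binding
            else:
                fallback = m.group(1)            # no interface named: fallback
    return {ifc: bound.get(ifc, fallback) for ifc in allowed}


def group_by_trustpoint(view):
    """Group interfaces by the trustpoint they present, exposing the odd one out."""
    groups = {}
    for ifc, tp in view.items():
        groups.setdefault(tp, []).append(ifc)
    return groups


if __name__ == "__main__":
    for tp, ifcs in group_by_trustpoint(asdm_interface_view(SAMPLE_CONFIG)).items():
        print(f"{tp or 'no trustpoint bound'}: {', '.join(ifcs)}")
```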