Unable to Launch ASDM 7.5(1) with FIPS Enabled

KatoNakatomi
Level 1

I am unable to launch the ASDM on ASA 9.4(2)11 with ASDM 7.5(1) with FIPS enabled, if FIPS is disabled then the ASDM launches successfully.

The ASA has a self-signed certificate [Public Key Type: RSA (2048 bits), Signature Algorithm: SHA1 with RSA Encryption] & Associated Trustpoints: ASDM_Trustpoint.

ssl server-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 fips
ssl cipher dtlsv1 fips
ssl dh-group group14

ssl trust-point ASDM_Trustpoint INSIDE

The following error appears in the IE11 browser with Java 8.5:

"This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://10.24.0.20 again. If this error persists, contact your site administrator."

The main difference between FIPS disabled and enabled:

[FIPS DISABLED]

Device chooses cipher DHE-RSA-AES256-GCM-SHA384 for the SSL session with client INSIDE:192.168.0.254/65337 to 192.168.0.1/443
Device selects trust-point ASDM_Trustpoint for client INSIDE:192.168.0.254/65337 to 192.168.0.1/443
Device completed SSL handshake with client INSIDE:192.168.0.254/65337 to 192.168.0.1/443 for TLSv1.2 session

[FIPS ENABLED]

Device chooses cipher DHE-RSA-AES256-GCM-SHA384 for the SSL session with client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
Device selects trust-point ASDM_Trustpoint for client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
SSL lib error. Function: SSL3_OUTPUT_CERT_CHAIN Reason:
SSL lib error. Function: SSL3_SEND_SERVER_CERTIFICATE Reason: internal error
Device failed SSL handshake with client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
Starting SSL handshake with client INSIDE:192.168.0.254/65006 to 192.168.0.1/443 for TLS session
SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason: unknown protocol
Device failed SSL handshake with client INSIDE:192.168.0.254/65006 to 192.168.0.1/443
TCP request discarded from 10.10.83.18/65006 to REST:192.168.0.1/443
Starting SSL handshake with client INSIDE:192.168.0.254/65007 to 192.168.0.1/443 for TLS session
SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason: unknown protocol
Device failed SSL handshake with client INSIDE:192.168.0.254/65007 to 192.168.0.1/443

1 Reply

KatoNakatomi
Level 1

Issue related to the Trustpoint certificate generated on the ASA only being SHA1:

Interface INSIDE: ASDM_Trustpoint (RSA 2048 bits RSA-SHA1)

It would appear we are unable to generate a self-signed SHA256 certificate on the ASA itself in 9.4(2)-11. Importing an off-box cert works OK.
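Since the debug output only says "internal error" while sending the server certificate, a practitioner would want to confirm the signature algorithm of the trustpoint certificate before enabling FIPS. The following is an added example, not code from the thread or from Cisco: a standard-library-only Python check that reads the outer signatureAlgorithm OID from a PEM certificate (export it from the ASA or from the file you intend to import) and flags sha1WithRSAEncryption as the case the reply describes. The sample certificates at the bottom are constructed with dummy contents and only reproduce the DER layout.

```python
import base64

# Signature-algorithm OIDs by name; sha1WithRSAEncryption is the one the reply identifies as failing under FIPS.
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
FIPS_REJECTED = {"1.2.840.113549.1.1.5"}

def _read_tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID contents to dotted form: first byte packs two arcs, the rest are base-128."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Return the dotted OID of the outer signatureAlgorithm of a PEM certificate."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    _, pos, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _read_tlv(der, pos)     # skip tbsCertificate
    _, pos, _ = _read_tlv(der, pos)     # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag, start, end = _read_tlv(der, pos)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[start:end])

def check_cert(pem):
    """(algorithm name, ok) where ok is False for the SHA-1 case the thread describes."""
    oid = signature_algorithm(pem)
    return OID_NAMES.get(oid, oid), oid not in FIPS_REJECTED

# --- constructed sample certificates: dummy tbs and signature, real DER layout ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")    # AlgorithmIdentifier sha1WithRSA, NULL
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # AlgorithmIdentifier sha256WithRSA, NULL

def sample_cert(sig_alg):
    """200-byte dummy tbs forces long-form lengths, so the parser's long-form path is exercised."""
    der = _tlv(0x30, _tlv(0x30, _tlv(0x04, b"\x00" * 200)) + sig_alg + _tlv(0x03, b"\x00" * 17))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Run `check_cert(open("asdm_trustpoint.pem").read())` on the exported certificate; a `False` second value means the trustpoint is SHA-1 signed and should be replaced with an imported SHA-256 certificate before FIPS is turned on.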
