Unable to Launch ASDM 7.5(1) with FIPS Enabled

KatoNakatomi
Level 1

I am unable to launch ASDM 7.5(1) on ASA 9.4(2)11 with FIPS enabled; if FIPS is disabled, the ASDM launches successfully.

The ASA has a self-signed certificate [Public Key Type: RSA (2048 bits), Signature Algorithm: SHA1 with RSA Encryption] & Associated Trustpoints: ASDM_Trustpoint.

ssl server-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 fips
ssl cipher dtlsv1 fips
ssl dh-group group14

ssl trust-point ASDM_Trustpoint INSIDE

The following error appears in the IE11 browser with Java 8.5:

"This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://10.24.0.20 again. If this error persists, contact your site administrator."

The main difference between FIPS disabled and enabled:

[FIPS DISABLED]

Device chooses cipher DHE-RSA-AES256-GCM-SHA384 for the SSL session with client INSIDE:192.168.0.254/65337 to 192.168.0.1/443
Device selects trust-point ASDM_Trustpoint for client INSIDE:192.168.0.254/65337 to 192.168.0.1/443
Device completed SSL handshake with client INSIDE:192.168.0.254/65337 to 192.168.0.1/443 for TLSv1.2 session

[FIPS ENABLED]

Device chooses cipher DHE-RSA-AES256-GCM-SHA384 for the SSL session with client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
Device selects trust-point ASDM_Trustpoint for client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
SSL lib error. Function: SSL3_OUTPUT_CERT_CHAIN Reason:
SSL lib error. Function: SSL3_SEND_SERVER_CERTIFICATE Reason: internal error
Device failed SSL handshake with client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
Starting SSL handshake with client INSIDE:192.168.0.254/65006 to 192.168.0.1/443 for TLS session
SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason: unknown protocol
Device failed SSL handshake with client INSIDE:192.168.0.254/65006 to 192.168.0.1/443
TCP request discarded from 10.10.83.18/65006 to REST:192.168.0.1/443
Starting SSL handshake with client INSIDE:192.168.0.254/65007 to 192.168.0.1/443 for TLS session
SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason: unknown protocol
Device failed SSL handshake with client INSIDE:192.168.0.254/65007 to 192.168.0.1/443
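As an added triage example (not code from the original post or from Cisco), the Python below groups "debug ssl" lines of the kind quoted above by client session and names the step at which each one died, separating the certificate-send failure seen with FIPS enabled from the follow-up "unknown protocol" client-hello errors. The log text is a constructed sample modelled on the lines in this post, and the line formats are assumed to be exactly as quoted.

```python
import re

# Constructed sample modelled on the post's debug output: one good session, two failing ones.
SAMPLE_LOG = """\
Device selects trust-point ASDM_Trustpoint for client INSIDE:192.168.0.254/65337 to 192.168.0.1/443
Device completed SSL handshake with client INSIDE:192.168.0.254/65337 to 192.168.0.1/443 for TLSv1.2 session
Device chooses cipher DHE-RSA-AES256-GCM-SHA384 for the SSL session with client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
Device selects trust-point ASDM_Trustpoint for client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
SSL lib error. Function: SSL3_OUTPUT_CERT_CHAIN Reason:
SSL lib error. Function: SSL3_SEND_SERVER_CERTIFICATE Reason: internal error
Device failed SSL handshake with client INSIDE:192.168.0.254/65005 to 192.168.0.1/443
Starting SSL handshake with client INSIDE:192.168.0.254/65006 to 192.168.0.1/443 for TLS session
SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason: unknown protocol
Device failed SSL handshake with client INSIDE:192.168.0.254/65006 to 192.168.0.1/443
"""

CLIENT_RE = re.compile(r"client [^:]+:(?P<ip>[\d.]+)/(?P<port>\d+) to ")
ERROR_RE = re.compile(r"^SSL lib error\. Function: (?P<func>\S+) Reason: ?(?P<reason>.*)$")
# Failures in these functions mean the ASA could not present its own certificate chain.
SERVER_CERT_FUNCS = {"SSL3_OUTPUT_CERT_CHAIN", "SSL3_SEND_SERVER_CERTIFICATE"}


def parse_sessions(log_text):
    """Group lines by client ip/port; untagged 'SSL lib error' lines go to the latest session."""
    sessions, current = {}, None
    for line in log_text.splitlines():
        err, tag = ERROR_RE.match(line), CLIENT_RE.search(line)
        if err and current is not None:
            current["errors"].append((err["func"], err["reason"].strip()))
        elif tag:  # lines with no client tag (e.g. "TCP request discarded ...") are skipped
            key = f"{tag['ip']}/{tag['port']}"
            current = sessions.setdefault(key, {"trustpoint": None, "errors": [], "outcome": None})
            if (m := re.search(r"selects trust-point (\S+)", line)):
                current["trustpoint"] = m.group(1)
            elif "completed SSL handshake" in line:
                current["outcome"] = "completed"
            elif "failed SSL handshake" in line:
                current["outcome"] = "failed"
    return sessions


def diagnose(session):
    """Name the handshake step at which a session failed."""
    if session["outcome"] == "completed":
        return "ok"
    funcs = {func for func, _ in session["errors"]}
    if session["trustpoint"] and funcs & SERVER_CERT_FUNCS:
        # Trustpoint chosen, then sending the chain failed: the ASA's own certificate was
        # refused. With FIPS enabled, a SHA1-signed trustpoint certificate produces this.
        return "server-cert-rejected"
    if "SSL23_GET_CLIENT_HELLO" in funcs:
        return "client-hello-unknown-protocol"  # the client's retry was not a usable TLS hello
    return "failed-other"
```

Only the first failing session points at the certificate; the later "unknown protocol" entries are the browser's retries and are a symptom, not the cause.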

1 Reply

KatoNakatomi
Level 1

Issue related to Trustpoint certificate generated on the ASA only being SHA1

Interface INSIDE: ASDM_Trustpoint (RSA 2048 bits RSA-SHA1)


It would appear we are unable to generate a self-signed SHA256 certificate on the ASA itself in 9.4(2)-11. Importing an off-box cert works OK.