12-15-2015 11:43 AM - edited 02-21-2020 05:38 AM
Last night we went to upgrade our firewalls so that only TLS1.x and AES-256/SHA-1 can be used for VPN connections into the box. After doing so, ASDM stopped working, AnyConnect is still working without issue.
Java reported an SSL handshake error. I went to re-enable encryption mechanisms one by one and determined that AES-128/SHA1 is the highest encryption algorithm I can connect via ASDM on. I tried updating ASDM to the latest version and 7.5(2) won't connect on anything higher than AES-128 either. We are using a self signed certificate on the inside interface, so I enabled ASDM on the outside where we have a valid third party cert and tried connecting via https://<url>/admin to make sure it wasn't a certificate issue, and no dice.
It's a little odd to me that ASDM wouldn't support AES-256. I'm wondering if anyone has any ideas as to why I can't connect on AES-256 and/or a workaround. It would also be O.K. to use AES-128 for ASDM connections internally and AES-256 for VPN connections; but I don't see any way to enable the SSL encryption methods on a per-application use, it seems I can only configure them globally and am thus stuck with allowing VPN connections to use AES-128 if they so choose (I made sure connections will negotiate to AES-256 before trying AES-128, but I'd like to completely disable AES-128).
Specs below, thanks in advance for your assistance.
Specs
ASA Version: 9.2(2)4
ASDM Version: 7.4(2), I also tried 7.5(2)
12-16-2015 03:15 PM
I was thinking about this and found an article confirming my suspicion.
ASDM is just a Java applet. As such, it uses the security afforded it by your local Java installation's libraries.
I found confirmation in this TAC note: http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/110282-asdm-tshoot.html#prblm13
I tested the instructions and (...wait for it...) - it works!
I went to Oracle's download page for my Java version 8 here: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
I then unzipped those files and put them in the proper subdirectory according to the readme. It was a bit tricky to figure out exactly which of the several Java directories ASDM was using - I did that by right clicking the process on task manager and going to the file location.
(Note: when you upgrade Oracle, it may write a new directory - so you will have to re-do this step periodically.)
Given that, I put the two new files in, changed my SSL custom cipher to exclude AES-128 and then relaunched ASDM. I started Wireshark with a capture filter for my ASA address and watched the TLS 1.2 handshake negotiate AES-256 encryption.
Along the lines of "it didn't happen if there are no pictures", extra points for the screenshot of the actual packet decode (open in new tab to zoom):
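A small diagnostic for the Java side of this, added here as an example and not part of the thread: it reports whether the local JRE may use 256-bit AES (the policy-file question above) and whether the two AES-256 suites from the ASA "ssl cipher" command quoted further down the thread are enabled by default, with an optional TLS 1.2 handshake against an ASA address you supply. The host and port arguments and the class name are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class AsdmCipherCheck {
    // The two suites from the ASA command in this thread, in the names Java uses:
    //   DHE-RSA-AES256-SHA256 -> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    //   AES256-SHA256         -> TLS_RSA_WITH_AES_256_CBC_SHA256
    static final String[] ASA_SUITES = {
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256"
    };

    // True when this JRE may use 256-bit AES keys, i.e. the unlimited-strength
    // policy files are in effect (JRE 8u161 and later ship unlimited by default).
    static boolean unlimitedAes() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // The subset of the ASA's suites that this JRE enables by default.
    static List<String> enabledAsaSuites() throws Exception {
        List<String> enabled = Arrays.asList(
            SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites());
        List<String> hits = new ArrayList<>();
        for (String s : ASA_SUITES) if (enabled.contains(s)) hits.add(s);
        return hits;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("AES max key length : " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Unlimited AES      : " + unlimitedAes());
        System.out.println("ASA suites enabled : " + enabledAsaSuites());
        if (args.length != 2) return;   // usage: java AsdmCipherCheck <asa-host> <port>
        // Optional live check against your own ASA, offering only the two suites.
        // A self-signed ASA certificate fails here with a trust error; a JRE with the
        // limited policy throws SSLHandshakeException because no offered suite is usable.
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(args[0], Integer.parseInt(args[1]))) {
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            s.setEnabledCipherSuites(ASA_SUITES);
            s.startHandshake();
            System.out.println("Negotiated         : " + s.getSession().getCipherSuite());
        }
    }
}
```

Run it with the same java.exe that ASDM launches (the task-manager trick above) so the policy files you are checking are the ones ASDM actually uses.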
12-15-2015 02:56 PM
I think it's an ASDM limitation. I see the same thing on my ASA running the latest ASA software 9.5(2) with ASDM 7.5(2).
Qualys SSL check is pretty happy with that though - I get a A- on a test against my ASA.
12-16-2015 09:50 AM
Thanks Marvin, that Qualys SSL check is gold. Do you have any idea when AES-256 might be in the road-map for ASDM?
12-30-2015 08:13 PM
Thanks Marvin! This worked great.
05-26-2016 09:09 PM
Marvin, you are a life saver! While everyone else is adamant that installing the certificates into the Java settings was all that's needed, I could NOT get it to work, until now.
Thank you sir
07-26-2016 12:39 PM
Thank you!!!
12-20-2016 03:09 PM
The jre-6u45-windows 64bit java client works fine with many ASDM versions.
I had this trouble before and this was the solution.
http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html#jre-6u45-oth-JPR
05-19-2017 02:27 PM
Thanks so much. As of 2017 the JAVA encryption files are located here:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Also, here is the SSL command on the ASA to use strong ciphers. These AES256 ciphers are supported by AnyConnect 4.x, and you will score an A- with 100% strong ciphers from ssllabs.com with this setting:
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA256:AES256-SHA256"
06-27-2017 12:18 PM
While you can work in ASDM once launched using the above cipher suite, I have not been able to launch ASDM with them enabled. If I set to medium I can launch it, then switch back to the above and control the ASA through ASDM, but that can be a PITA.
ASDM does not work at all when ssl tlsv1.2 is set to high.
06-27-2017 01:21 PM
Yes it does. I'm connected to ASDM 7.8(1) now, using
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA256:AES256-SHA256"
which is even more restrictive than ssl cipher tlsv1.2 high.
Read Marvin's response. You need to update JAVA with the high encryption files downloaded from oracle. You can't connect to ASDM unless you update JAVA. It's not an ASDM issue, it's a java issue.