Showing results for 
Search instead for 
Did you mean: 

Clientless SSL not working: Cisco ASA 5515x 9.3(3)

Rashid Thompson

Has anyone experienced this issue. I upgraded the ASA software to 9.3(3) (Due to Poodle vulnerabilities) and now I am unable to access the ASA via https (ASDM and clientless SSL). Am I missing something?



ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:3DES-SHA"
ssl cipher sslv3 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:3DES-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:3DES-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:3DES-SHA"
ssl dh-group group2
ssl trust-point ASDM_TrustPoint16 outside
ssl certificate-authentication fca-timeout 2
ssl certificate-authentication interface outside port 330

tunnel-group SoftwareVPN type remote-access
tunnel-group SoftwareVPN general-attributes
 address-pool VPN-Client
 no ipv6-address-pool
 authentication-server-group ADA_AAA
 secondary-authentication-server-group none
 no accounting-server-group
 default-group-policy SoftwareVPN
 no dhcp-server
 no strip-realm
 no nat-assigned-to-public-ip
 no scep-enrollment enable
 no password-management
 no override-account-disable
 no strip-group
 no authorization-required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group SoftwareVPN webvpn-attributes
 customization DfltCustomization
 authentication aaa
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username ssl-client
 no pre-fill-username clientless
 no secondary-pre-fill-username ssl-client
 no secondary-pre-fill-username clientless
 group-alias Anyconnect enable
 dns-group DefaultDNS
 no without-csd
tunnel-group SoftwareVPN ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate req
 no chain
 no ikev1 trust-point
 no ikev1 radius-sdi-xauth
 isakmp keepalive threshold 300 retry 2
 ikev1 user-authentication xauth
 no ikev2 remote-authentication
 no ikev2 local-authentication
tunnel-group SoftwareVPN ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy

2 Replies 2

Lary OConnor

I had the same issue and found removing this line seemed to fix it as I can now login to the ASDM.

ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:3DES-SHA"

This worked. Thanks!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers