I've set up the SSL VPN on a Cisco ASA 5505 firewall running version 9.2(4)5. Login is working. If I try to access an internal webserver by using HTTP it's working, too.
But if I try to access a secure webserver the connection fails. The web browser displays the following message: "Server X.X.X.X unavailable".
The HTTPS server is available. I can access it from the internal network. Furthermore, the ASA can perform a "TCP ping" on port 443.
I tried to find out what the problem is. Therefore I used tcpdump on the server to capture some network packets.
I've detected an error in the SSL handshake. First I can see the client hello message from the ASA. It proposes the following cipher suites:
The server confirms the cipher suite "TLS_DHE_RSA_WITH_AES_256_CBC_SHA". The server starts the key exchange. But then the ASA sends a TCP reset.
This is what I've set up on the ASA:

    ssl server-version tlsv1-only
    ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
If I disable the cipher suites "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" and "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" on the server it's working. If I disable the encryption algorithms "dhe-aes256-sha1" and "dhe-aes128-sha1" on the ASA it's working, too. Client/server will then use "TLS_RSA_WITH_AES_256_CBC_SHA".
But why is it not working if Diffie-Hellman is enabled? Could this be a bug?
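The one thing a DHE handshake adds that the plain RSA handshake the working configuration falls back to does not have is the ServerKeyExchange message, which carries the server's Diffie-Hellman prime, generator and public value. When a capture like the one above shows the reset arriving right after that message, the sizes of those parameters are the first thing to read out of it. The following decoder is an added example and not part of the question or of any Cisco tool; it assumes the TLS 1.0 wire format (matching the `ssl server-version tlsv1-only` setting above, where ServerKeyExchange has no signature_algorithms field), and the sample ClientHello, ServerHello and ServerKeyExchange records it decodes are constructed inline with the IANA-registered ids of the four cipher suites named in the question. The `dh_prime_bits` value it reports for a real capture is what to compare against what the VPN endpoint's TLS stack accepts.

```python
# Added example: decode TLS 1.0 handshake records (as extracted from a tcpdump
# capture) to list the cipher suites the client offered, the suite the server
# chose, and the Diffie-Hellman parameter sizes in a DHE ServerKeyExchange.
# The sample records below are constructed; the suite ids are the IANA values.

IANA_SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12


def _vec(buf, pos, len_bytes):
    """Read a length-prefixed vector; return (data, position after it)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    return buf[pos:pos + n], pos + n


def _suite_name(suite_id):
    return IANA_SUITES.get(suite_id, "0x%04X" % suite_id)


def parse_handshake(record):
    """Decode one TLS record that carries a single handshake message."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record (content type 0x%02X)" % record[0])
    rec_len = int.from_bytes(record[3:5], "big")
    payload = record[5:5 + rec_len]
    hs_type = payload[0]
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    info = {"record_version": VERSIONS.get((record[1], record[2]), "unknown")}

    if hs_type == CLIENT_HELLO:
        # version(2) random(32) session_id<1> cipher_suites<2> compression<1>
        _, pos = _vec(body, 34, 1)
        suites, _ = _vec(body, pos, 2)
        info["type"] = "ClientHello"
        info["cipher_suites"] = [
            _suite_name(int.from_bytes(suites[i:i + 2], "big"))
            for i in range(0, len(suites), 2)
        ]
    elif hs_type == SERVER_HELLO:
        # version(2) random(32) session_id<1> cipher_suite(2) compression(1)
        _, pos = _vec(body, 34, 1)
        info["type"] = "ServerHello"
        info["cipher_suite"] = _suite_name(int.from_bytes(body[pos:pos + 2], "big"))
    elif hs_type == SERVER_KEY_EXCHANGE:
        # DHE in TLS 1.0: dh_p<2> dh_g<2> dh_Ys<2> signature<2>
        p, pos = _vec(body, 0, 2)
        g, pos = _vec(body, pos, 2)
        ys, pos = _vec(body, pos, 2)
        info["type"] = "ServerKeyExchange"
        info["dh_prime_bits"] = int.from_bytes(p, "big").bit_length()
        info["dh_generator"] = int.from_bytes(g, "big")
        info["dh_public_bits"] = len(ys) * 8
    else:
        info["type"] = "handshake type %d" % hs_type
    return info


def _record(hs_type, body):
    """Wrap a handshake body in the handshake and record headers (TLS 1.0)."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([0x16, 0x03, 0x01]) + len(hs).to_bytes(2, "big") + hs


def build_client_hello(suite_ids):
    """Constructed ClientHello offering the given suites (zero random, no session id)."""
    suites = b"".join(s.to_bytes(2, "big") for s in suite_ids)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite_id):
    """Constructed ServerHello selecting one suite."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + suite_id.to_bytes(2, "big") + b"\x00"
    return _record(SERVER_HELLO, body)


def build_server_key_exchange(prime_bits):
    """Constructed DHE ServerKeyExchange; p is a dummy odd number of the requested size."""
    n = prime_bits // 8
    p = ((1 << (prime_bits - 1)) | 1).to_bytes(n, "big")
    g = b"\x02"
    ys = bytes([0x7F]) + bytes(n - 1)   # dummy public value, same width as p
    sig = bytes(256)                    # dummy RSA signature, not verified here
    body = b"".join(len(x).to_bytes(2, "big") + x for x in (p, g, ys, sig))
    return _record(SERVER_KEY_EXCHANGE, body)


if __name__ == "__main__":
    for rec in (build_client_hello([0x0039, 0x0033, 0x0035, 0x002F]),
                build_server_hello(0x0039),
                build_server_key_exchange(2048)):
        print(parse_handshake(rec))
```

To use it on a real capture, feed `parse_handshake` the TCP payload of each handshake record (for example the bytes tcpdump writes with `-X`, or a record exported from a pcap); records carrying more than one handshake message, TLS 1.2 ServerKeyExchange messages and non-DHE key exchanges are outside what this small decoder handles.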