
Cisco ASA: web interface not working

René Jorissen on December 14, 2010 24 Comments

I had to troubleshoot a Cisco ASA today where the client could no longer connect to the management web interface over HTTPS. The customer hadn't installed ASDM locally, but always starts the Java-based version launched from the browser.

After upgrading the Cisco ASA to software version 8.2(1) and rebooting, the client could no longer connect to the web interface. I was able to connect to the firewall with my locally installed ASDM client, but I couldn't access the web interface either.

While troubleshooting I first checked the basic settings: the management access list, regenerating the crypto keys and changing the management port. None of these helped, and the strange thing was that the web interface did work remotely.

In Mozilla Firefox I received the following error:

cannot communicate securely with peer: no common encryption algorithm(s).

In Google Chrome I received the following error:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

And of course Internet Explorer didn't give any usable information. Both browser messages mean the same thing: the browser and the firewall have no cipher suite in common, so the TLS handshake fails before any page is ever requested. I started looking at the encryption algorithms supported by the firewall with show version and noticed that VPN-3DES-AES was disabled. Without that license the ASA can only offer single DES (a 56-bit cipher) for SSL, which current browsers no longer accept. The next step was to enable the VPN-3DES-AES feature; the license for it is available free of charge at http://www.cisco.com/go/license.

I activated the VPN-3DES-AES feature, but still wasn't able to connect to the firewall through the web interface. I checked the SSL encryption used by the firewall:

fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

The firewall still hadn't enabled the ciphers supported by my browser. If the VPN-3DES-AES license isn't installed, only the cipher des-sha1 is enabled by default, and activating the license alone did not change that. I added the correct ciphers with the following command:

fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

After adding the command I was able to connect to the ASA with both the web interface and ASDM. The order in the command matters: the ASA lists its ciphers in preference order, so put aes256-sha1 first and leave des-sha1 (and null-sha1) out of the list entirely. The `no ssl encryption` form resets the list to the licensed defaults. Note that on ASA 9.3(2) and later the `ssl encryption` command was replaced by `ssl cipher`, which is the form used in some of the comments below.
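To make the failure mode above concrete, here is an added example (my own code, not from this post or from Cisco) that models what the two browsers were complaining about. It parses the `show ssl` output, applies an `ssl encryption` command to the cipher order, and performs server-preference cipher selection: the firewall walks its enabled list and picks the first cipher the client also offers, and an empty intersection is exactly the "no common encryption algorithm(s)" / ERR_SSL_VERSION_OR_CIPHER_MISMATCH case. The browser cipher list is a constructed assumption, not captured from a real browser, and the "Invalid input" message is only a stand-in for the ASA's own parser error.

```python
"""Model ASA <-> browser SSL cipher negotiation (added example, not from the post)."""
import re

# Constructed sample: the 'show ssl' output quoted in the post, before the fix.
SHOW_SSL_BEFORE = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""

# Assumed browser offer in the client's own preference order: a browser that has
# dropped single DES and NULL. This list is constructed for the example.
BROWSER_OFFER = ["aes256-sha1", "aes128-sha1", "3des-sha1", "rc4-sha1", "rc4-md5"]

# Ciphers a practitioner should not leave enabled on a management interface.
WEAK = {"des-sha1", "null-sha1", "rc4-md5", "rc4-sha1"}


def parse_show_ssl(text):
    """Return (enabled_in_order, disabled) from 'show ssl' output."""
    enabled, disabled = [], []
    for line in text.splitlines():
        m = re.match(r"\s*Enabled cipher order:\s*(.*)", line)
        if m:
            enabled = m.group(1).split()
        m = re.match(r"\s*Disabled ciphers:\s*(.*)", line)
        if m:
            disabled = m.group(1).split()
    return enabled, disabled


def apply_ssl_encryption(cmd, known):
    """Model 'ssl encryption <c1> [<c2> ...]': the argument order becomes the new
    enabled order. Unknown cipher names are rejected, as the ASA CLI would do
    (the message text here is our stand-in, not the ASA's)."""
    parts = cmd.split()
    if parts[:2] != ["ssl", "encryption"] or len(parts) < 3:
        raise ValueError("expected: ssl encryption <cipher> [<cipher> ...]")
    order = parts[2:]
    unknown = [c for c in order if c not in known]
    if unknown:
        raise ValueError("Invalid input (unknown cipher): " + " ".join(unknown))
    return order


def negotiate(server_order, client_offer):
    """Server-preference selection: first cipher in the server's enabled order
    that the client also offers. None means the handshake fails with
    'no common encryption algorithm(s)' / ERR_SSL_VERSION_OR_CIPHER_MISMATCH."""
    offered = set(client_offer)
    for cipher in server_order:
        if cipher in offered:
            return cipher
    return None


def weak_enabled(server_order):
    """Ciphers in the enabled order that should be removed from a management interface."""
    return [c for c in server_order if c in WEAK]


if __name__ == "__main__":
    enabled, disabled = parse_show_ssl(SHOW_SSL_BEFORE)
    print("before fix, enabled:", enabled, "->", negotiate(enabled, BROWSER_OFFER))
    fixed = apply_ssl_encryption("ssl encryption aes256-sha1 aes128-sha1 3des-sha1",
                                 enabled + disabled)
    print("after fix, enabled:", fixed, "->", negotiate(fixed, BROWSER_OFFER))
    print("weak ciphers still enabled:", weak_enabled(fixed))
```

Running it prints None for the pre-fix cipher order and aes256-sha1 after the `ssl encryption` command, and swapping the server order to put 3des-sha1 first shows that the firewall's order, not the browser's, decides which cipher is used.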

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network infrastructures are his primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEH) certified. You can follow René on Twitter and LinkedIn.

  1. Stu says:

    Thanks heaps, this saved me a stack of time!

  2. Patrick says:

    Thanks! That saved me a lot of time after I upgraded last night.

  3. WAYLIFE says:

    Saved my ARSE with this bro!! Thank you!!

  4. Rob McKennon says:

    You da MAN! Worked like a charm!

  5. CCNA says:

    Thanks, It was very helpful.

  6. Anish says:

    You are a god!!!!

  7. jon says:

    worked, thank you!

  8. Danijel says:

    Thank you, it works! :)
    Best regards.
    Danijel

  9. Shamal says:

    Thanks mate… You saved my time :)

  10. Thanks for the tip, this worked great. As an FYI, running the command:

    “no ssl encryption”

    will revert to the SSL defaults, which appear to be the following on ASA version 9.1.1 at least:

    Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    Disabled ciphers: des-sha1 rc4-md5 null-sha1

  11. schaef350 says:

    I ran into this on a brand new firewall the other day. What a pain… Saved me tons of time.

    Thanks!

  12. EvilBlack says:

    Wow, I ran into this problem on a brand new out-of-the-box pair of 5525-X ASAs. What a joke. Freakin come on Cisco, you can do better than that. Wasted $200.00 of my customer's money on my time troubleshooting something that should be default config.

  13. Jose Miguel Cabrera Dalence says:

    Thank you very much

  14. Zac says:

    Thanks to you this only took 10 minutes from problem find to fix.

  15. Serge says:

    Thanks a bunch for the hint. I was puzzled by the https connection reset.
    Appreciated!

  16. Lenny says:

    Nice one! They’re really stupid fuckers shipping a new product in a useless state…

  17. Irfan says:

    Thanks man, it's very helpful, really appreciate it.. :)

  18. Dave says:

    This is still very useful to this day. Thank you!

  19. Brandon says:

    worked like a charm… I had to do this on the 9+ ASA firmware

  20. suresh says:

    @Matthew Evans: After upgrading the IOS in my ASA my ssl output is just like you said, and I am getting a security certificate warning. Please help me with this. Any inputs are welcome.

    Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
    Start connections using TLSv1 and negotiate to TLSv1
    Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
    Disabled ciphers: des-sha1 rc4-md5 null-sha1
    SSL trust-points:
    Outside VPNLB interface: ASDM_Launcher_Access_TrustPoint_1
    Outside interface: ASDM_Launcher_Access_TrustPoint_1
    Inside interface: ASDM_Launcher_Access_TrustPoint_2
    Inside VPNLB interface: ASDM_Launcher_Access_TrustPoint_2
    Certificate authentication is not enabled

  21. Milbert Vinluan says:

    Hi Mathew,

    I also got this error, but in my SSL VPN. Is your solution also applicable to SSL VPN?

  22. I spent the whole day today with the same problem and solved it as follows
    1.- Requested the activation key from Cisco to enable Encryption-3DES-AES
    2.- Configured the following commands
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    ssl cipher tlsv1.2 all

    I am no expert in Cisco, much less in security, but persistence made me research it and solve it.
    Hope it helps!!!

  23. josue says:

    I tried this command but I got this error: ERROR: % Invalid input detected at ‘^’ when I use the ssl command. My firewall is an ASA 5516-X.

  24. Cheang says:

    Result of my show ssl
    FW-01(config)# sh ssl
    Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
    Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
    Enabled cipher order: des-sha1 3des-sha1 aes128-sha1 aes256-sha1
    Disabled ciphers: rc4-md5 rc4-sha1 null-sha1
    No SSL trust-points configured
    Certificate authentication is not enabled

    I still can’t access the ASA via web or ASDM.
    In chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
