
Cisco ASA: web interface not working

I had to troubleshoot a Cisco ASA today where the client could no longer connect to the management web interface over HTTPS. The customer had not installed ASDM locally, but always started the Java-based version from the firewall's web interface.

After the ASA was upgraded to software version 8.2(1) and rebooted, the client could no longer connect to the web interface. I could connect to the firewall with my locally installed ASDM client, but I couldn't reach the web interface either.

While troubleshooting I first checked the basic settings: the management access list, regenerating the crypto keys and changing the management port. None of these helped, and the strange thing was that the web interface did work when accessed remotely.

In Mozilla Firefox I received the following error:

cannot communicate securely with peer: no common encryption algorithm(s).

In Google Chrome I received the following error:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

And of course Internet Explorer didn't give any usable information. Both errors point at a cipher mismatch between browser and firewall, so I looked at the encryption features licensed on the firewall with show version and noticed that VPN-3DES-AES was disabled. The next step was to enable the VPN-3DES-AES feature; the upgrade license for it is available for free at http://www.cisco.com/go/license.

I activated the VPN-3DES-AES feature, but still couldn't connect to the firewall through the web interface, so I checked the SSL encryption settings used by the firewall:

fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

Even with the license active, the firewall still hadn't enabled the ciphers my browser supports: des-sha1 was the only enabled cipher, and 3DES and AES were still in the disabled list. Without the VPN-3DES-AES license only des-sha1 is enabled by default, and activating the license did not change the configured cipher list by itself. I added the correct ciphers with the following command:

fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

After adding the command I was able to connect to the ASA with both the web interface and ASDM.
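To make the check above repeatable across a fleet of firewalls, the following script parses the text of show ssl (fed in by hand or collected by any CLI automation), reports the single-DES-only condition that produced the browser errors above, and builds the ssl encryption line to fix it from the ciphers the firewall itself lists. This is an added example written for this post, not Cisco tooling: the cipher names are the ones show ssl prints, while the weak/acceptable classification and the preference order are this script's own choices. The first sample is the output quoted above; the second is a constructed sample in the shape newer releases print, where several ciphers are enabled but RC4 is among them.

```python
"""Audit Cisco ASA `show ssl` output for the cipher condition in this post.

Added example for this post, not Cisco code. The cipher names are the ones
`show ssl` prints; the weak/acceptable classification and the preference
order are this script's own choices.
"""

# Constructed sample: the `show ssl` output quoted in the post (ASA 8.2(1),
# before the `ssl encryption` fix).
SAMPLE_82 = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""

# Constructed sample in the shape later 9.x releases print: several ciphers
# are already enabled, but RC4 is among them and SSLv2 hellos are still accepted.
SAMPLE_9X = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
Certificate authentication is not enabled
"""

# Single DES, RC4 and NULL are the suites a current browser will not negotiate.
WEAK = {"des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}
# Preference order for the fix: forward-secret AES first, 3DES last. 3DES is
# kept only because the post enables it; drop it where clients no longer need it.
PREFERRED = ["dhe-aes256-sha1", "dhe-aes128-sha1",
             "aes256-sha1", "aes128-sha1", "3des-sha1"]


def parse_show_ssl(text):
    """Split `show ssl` output into the accepted-versions line and the two cipher lists."""
    parsed = {"accept": "", "enabled": [], "disabled": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Accept connections using"):
            parsed["accept"] = line
        elif line.startswith("Enabled cipher order:"):
            parsed["enabled"] = line.split(":", 1)[1].split()
        elif line.startswith("Disabled ciphers:"):
            parsed["disabled"] = line.split(":", 1)[1].split()
    return parsed


def remediation(enabled, disabled):
    """Return the `ssl encryption` line enabling every acceptable cipher the
    firewall knows about (enabled or disabled), in PREFERRED order, or None
    when the enabled list already matches that and needs no change."""
    known = set(enabled) | set(disabled)
    wanted = [c for c in PREFERRED if c in known]
    if not wanted or enabled == wanted:
        return None
    return "ssl encryption " + " ".join(wanted)


def assess(text):
    """Parse the output and return the enabled ciphers, findings and fix command."""
    parsed = parse_show_ssl(text)
    enabled = parsed["enabled"]
    findings = []
    if not any(c in PREFERRED for c in enabled):
        findings.append("no AES/3DES cipher enabled; browsers will fail the handshake "
                        "(Firefox: no common encryption algorithm(s), "
                        "Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH)")
    weak = [c for c in enabled if c in WEAK]
    if weak:
        findings.append("weak cipher(s) enabled: " + " ".join(weak))
    if "SSLv2" in parsed["accept"]:
        findings.append("SSLv2 client hellos accepted")
    return {"enabled": enabled, "findings": findings,
            "fix": remediation(enabled, parsed["disabled"])}


if __name__ == "__main__":
    for name, sample in (("8.2 sample", SAMPLE_82), ("9.x sample", SAMPLE_9X)):
        report = assess(sample)
        print(name, "enabled:", " ".join(report["enabled"]))
        for finding in report["findings"]:
            print("  -", finding)
        print("  fix:", report["fix"] or "none needed")
```

On the output quoted in this post the script produces exactly the command used above, ssl encryption aes256-sha1 aes128-sha1 3des-sha1, because the DHE suites do not appear in either list on 8.2(1) and are therefore never suggested for a firewall that cannot offer them. The fix is built only from ciphers the firewall printed, so the script never proposes a suite the running release lacks; whether to keep 3DES at all is a policy decision for the reader, not something the script decides.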


René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network infrastructures are his primary focus. René works with equipment from multiple vendors, such as Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Mobility First Expert (AMFX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEH) certified. You can follow René on Twitter and LinkedIn.


21 Responses to Cisco ASA: web interface not working

  • Thanks heaps, this saved me a stack of time!

  • Thanks! That saved me a lot of time after I upgraded last night.

  • Saved my ARSE with this bro!! Thank you!!

  • You da MAN! Worked like a charm!

  • Thanks, It was very helpful.

  • You are a god!!!!

  • worked, thank you!

  • Thank you, it works! :)
    Best regards.
    Danijel

  • Thanks mate… You saved my time :)

  • Thanks for the tip, this worked great. As an FYI, running the command:

    “no ssl encryption”

    will revert to the SSL defaults, which appear to be the following on ASA version 9.1.1 at least:

    Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    Disabled ciphers: des-sha1 rc4-md5 null-sha1

  • I ran into this on a brand new firewall the other day. What a pain… Saved me tons of time.

    Thanks!

  • Wow, I ran into this problem on a brand new out-of-the-box pair of 5525-X ASAs. What a joke. Freakin' come on Cisco, you can do better than that. Wasted $200.00 of my customer's money on my time troubleshooting something that should be default config.

  • Muchas gracias

  • Thanks to you this only took 10 minutes from problem find to fix.

  • Thanks a bunch for the hint. I was puzzled by the HTTPS connection reset.
    appreciated!

  • Nice one! They’re really stupid fuckers shipping a new product in a useless state…

  • Thanks man, it's very helpful, really appreciate it.. :)

  • This is still very useful to this day. Thank you!

  • worked like a charm… I had to do this on the 9+ ASA firmware

  • @Matthew Evans: After upgrading the IOS in my ASA my ssl output is just like you said and I'm getting a security certificate warning, please help me on this. Any inputs are welcome.

    Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
    Start connections using TLSv1 and negotiate to TLSv1
    Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
    Disabled ciphers: des-sha1 rc4-md5 null-sha1
    SSL trust-points:
    Outside VPNLB interface: ASDM_Launcher_Access_TrustPoint_1
    Outside interface: ASDM_Launcher_Access_TrustPoint_1
    Inside interface: ASDM_Launcher_Access_TrustPoint_2
    Inside VPNLB interface: ASDM_Launcher_Access_TrustPoint_2
    Certificate authentication is not enabled

  • Hi Matthew,

    I also got this error, but in my SSL VPN. Is your solution also applicable to SSL VPN?
