Cisco ASA: web interface not working
I had to troubleshoot a Cisco ASA today, where the client wasn’t able to connect to the management web interface via https anymore. The customer hadn’t installed ASDM locally, but always started the Java-based version from the web interface.
After upgrading the Cisco ASA to software version 8.2(1) and a reboot, the client wasn’t able to connect to the web interface anymore. I was able to connect to the firewall with my locally installed ASDM client, but I couldn’t access the web interface either.
While troubleshooting I first tried the basic settings: the management access list, regenerating the crypto keys and changing the management port. None of these helped, but the strange thing was that the web interface was working when accessed remotely.
While working with Mozilla I received the following error:
cannot communicate securely with peer: no common encryption algorithm(s).
In Google Chrome I receive the following error:
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
And of course Internet Explorer didn’t give any usable information. I started looking at the supported encryption algorithms within the firewall with a show version. I noticed that VPN-3DES-AES was disabled. The next step was to enable the VPN-3DES-AES ciphers. The upgrade license for this feature is available for free at http://www.cisco.com/go/license.
I activated the VPN-3DES-AES feature, but still wasn’t able to connect to the firewall with the web interface. I checked the SSL encryption used by the firewall.
fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
The firewall still didn’t enable the ciphers supported by my browser. If the VPN-3DES-AES license isn’t installed, only the des-sha1 cipher is enabled by default, and installing the license does not change the configured cipher list by itself. I added the correct ciphers with the following command:
fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1
After adding the command I was able to connect to the ASA with both the web interface and the ASDM.
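As an added check that is not part of the original post, the small parser below reads "show ssl" output like the one above and decides whether the enabled cipher list is what causes the browser's cipher-mismatch error; when it is, it emits the same "ssl encryption" line used here, limited to the suites the unit's license exposes. The set of browser-negotiable suites (BROWSER_OK) is an assumption for browsers of the post's era, and the sample output is constructed from the post.

```python
import re

# Constructed sample, matching the 'show ssl' output quoted in the post
# (VPN-3DES-AES licensed, but only des-sha1 enabled).
SHOW_SSL_BROKEN = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""

# Assumption: ASA suite names a browser of the post's era would still negotiate,
# in the preference order the post configures. DES, RC4 and NULL suites are
# treated as unusable for a browser and as weak in their own right.
BROWSER_OK = ("aes256-sha1", "aes128-sha1", "dhe-aes256-sha1", "dhe-aes128-sha1", "3des-sha1")
WEAK = ("des-sha1", "rc4-md5", "rc4-sha1", "null-sha1")


def parse_show_ssl(text):
    """Return the enabled (in order) and disabled cipher lists from 'show ssl' output."""
    def field(label):
        m = re.search(r"^" + re.escape(label) + r":\s*(.*)$", text, re.M)
        return m.group(1).split() if m else []
    return {"enabled": field("Enabled cipher order"),
            "disabled": field("Disabled ciphers")}


def weak_enabled(text):
    """Weak suites the unit still offers; worth removing even once browsers connect."""
    return [c for c in parse_show_ssl(text)["enabled"] if c in WEAK]


def diagnose(text):
    """Return (ciphers_are_the_cause, usable_suites, fix_command).

    If no browser-negotiable suite is enabled, the cipher list explains the
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH error and fix_command is the 'ssl
    encryption' line from the post, limited to suites the license exposes
    (those the unit lists as enabled or disabled). Otherwise look elsewhere.
    """
    parsed = parse_show_ssl(text)
    usable = [c for c in parsed["enabled"] if c in BROWSER_OK]
    if usable:
        return False, usable, None
    licensed = set(parsed["enabled"]) | set(parsed["disabled"])
    wanted = [c for c in BROWSER_OK if c in licensed]
    fix = ("ssl encryption " + " ".join(wanted)) if wanted else None
    return True, usable, fix
```

Run diagnose() on the output of show ssl copied from the unit; a False result means the cipher list is not the culprit and the trust-point or protocol settings deserve a look instead.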
René Jorissen
Thanks heaps, this saved me a stack of time!
Thanks! That saved me a lot of time after I upgraded last night.
Saved my ARSE with this bro!! Thank you!!
You da MAN! Worked like a charm!
Thanks, It was very helpful.
You are a god!!!!
worked, thank you!
Thank you, it works! :)
Best regards.
Danijel
Thanks mate… You saved my time :)
Thanks for the tip, this worked great. As an FYI, running the command:
“no ssl encryption”
will revert the configuration to the SSL defaults, which appear to be the following on ASA version 9.1.1 at least:
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
I ran into this on a brand new firewall the other day. What a pain… Saved me tons of time.
Thanks!
Wow, I ran into this problem on a brand new, out-of-the-box pair of 5525-X ASAs. What a joke. Freakin’ come on Cisco, you can do better than that. Wasted $200.00 of my customer’s money on my time troubleshooting something that should be default config.
Muchas gracias
Thanks to you this only took 10 minutes from problem find to fix.
Thanks a bunch for the hint. I was puzzled by the https conn reset.
appreciated!
Nice one! They’re really stupid fuckers shipping a new product in a useless state…
Thanks man, it’s very helpful, really appreciate it.. :)
This is still very useful to this day. Thank you!
worked like a charm… I had to do this on the 9+ ASA firmware
@Matthew Evans: After upgrading the IOS on my ASA my ssl output is just the way you said and I am getting a security certificate warning, please help me on this. Any inputs are welcome.
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
Outside VPNLB interface: ASDM_Launcher_Access_TrustPoint_1
Outside interface: ASDM_Launcher_Access_TrustPoint_1
Inside interface: ASDM_Launcher_Access_TrustPoint_2
Inside VPNLB interface: ASDM_Launcher_Access_TrustPoint_2
Certificate authentication is not enabled
Hi Mathew,
I also got this error but in my SSL VPN; is your solution also applicable to SSL VPN?
Today I spent the whole day with the same problem and solved it as follows:
1.- Request the activation key from Cisco to enable Encryption-3DES-AES
2.- Configure the following commands
ssh version 2
ssh key-exchange group dh-group1-sha1
ssl cipher tlsv1.2 all
I’m no expert in Cisco, much less in security, but persistence made me investigate and solve it.
I hope it helps you!!!
I tried this command but I got this error when I use the ssl command: ERROR: % Invalid input detected at ‘^’ marker. My firewall is an ASA 5516-X.
Result of my show ssl
FW-01(config)# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1 3des-sha1 aes128-sha1 aes256-sha1
Disabled ciphers: rc4-md5 rc4-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
I still can’t access the ASA via web or ASDM.
In chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH