Cisco ASA: web interface not working

I had to troubleshoot a Cisco ASA today where the client could no longer connect to the management web interface over HTTPS. The customer hadn't installed ASDM locally, but always starts the Java-based version.

After upgrading the Cisco ASA to software version 8.2(1) and rebooting, the client wasn't able to connect to the web interface anymore. I was able to connect to the firewall with my locally installed ASDM client, but I couldn't access the web interface either.

While troubleshooting I first went through the basic settings: the management access list, regenerating the crypto keys and changing the management port. None of these helped, but the strange thing was that the web interface did work when accessed remotely.

In Mozilla I received the following error:

cannot communicate securely with peer: no common encryption algorithm(s).

In Google Chrome I received the following error:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

And of course Internet Explorer didn't give any usable information. I started looking at the encryption algorithms supported by the firewall with show version and noticed that VPN-3DES-AES was disabled. The next step was to enable the VPN-3DES-AES ciphers. The upgrade license for this feature is available for free at http://www.cisco.com/go/license.

I activated the VPN-3DES-AES feature, but still wasn't able to connect to the firewall through the web interface. I then checked the SSL encryption settings used by the firewall:

fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

The firewall still hadn't enabled the ciphers supported by my browser: activating the license does not change the SSL configuration by itself. If the VPN-3DES-AES license isn't installed, only the cipher des-sha1 is enabled by default. I added the correct ciphers with the following command:

fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

After adding this command I was able to connect to the ASA with both the web interface and ASDM.
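The same diagnosis done in code, as an added example that is not part of the original post and not Cisco's own tooling: a small Python parser for the output of show ssl (it handles both the 8.2(1) output above and the newer format with trust-points), a function that mimics the ASA picking the first cipher in its own order that the client also offers, and a check that flags single DES, RC4, NULL and MD5 ciphers. The browser cipher list is constructed for the example; the recommended command it produces for the post's output is the one used above. Everything runs offline; nothing is sent to a device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "show ssl" output from the post (8.2(1), license just activated).
SHOW_SSL_DES_ONLY = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""

# Constructed sample: newer-style output with trust-points (trust-point names are placeholders).
SHOW_SSL_WITH_TRUSTPOINTS = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
Outside interface: TRUSTPOINT_OUTSIDE
Inside interface: TRUSTPOINT_INSIDE
Certificate authentication is not enabled
"""

# Constructed assumption: what a browser of that era might offer (note: no single DES).
CLIENT_OFFERED = ["aes256-sha1", "aes128-sha1", "3des-sha1", "rc4-sha1", "rc4-md5"]

# Cipher name tokens that no browser should be expected to accept.
WEAK_TOKENS = {"des", "rc4", "null", "md5"}


@dataclass
class SslStatus:
    accept_versions: list
    enabled: list                      # in the ASA's preference order
    disabled: list
    trustpoints: dict = field(default_factory=dict)


def parse_show_ssl(text):
    """Parse the text of 'show ssl' into an SslStatus."""
    st = SslStatus([], [], [])
    in_trustpoints = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Accept connections using "):
            m = re.match(r"Accept connections using (.+?) and negotiate", line)
            # "SSLv2, SSLv3 or TLSv1" -> ["SSLv2", "SSLv3", "TLSv1"]
            st.accept_versions = re.split(r",\s*|\s+or\s+", m.group(1))
        elif line.startswith("Enabled cipher order:"):
            st.enabled = line.split(":", 1)[1].split()
        elif line.startswith("Disabled ciphers:"):
            st.disabled = line.split(":", 1)[1].split()
        elif line.startswith("SSL trust-points:"):
            in_trustpoints = True          # following "<iface>: <name>" lines belong here
        elif line.startswith("Certificate authentication"):
            in_trustpoints = False
        elif in_trustpoints and ":" in line:
            iface, name = (p.strip() for p in line.split(":", 1))
            st.trustpoints[iface] = name
    return st


def weak_ciphers(ciphers):
    """Return the ciphers whose name contains a weak algorithm token ('3des' is not 'des')."""
    return [c for c in ciphers if set(c.split("-")) & WEAK_TOKENS]


def negotiate(server_enabled, client_offered):
    """Server-preference negotiation: first enabled cipher the client also offers, else None."""
    offered = set(client_offered)
    return next((c for c in server_enabled if c in offered), None)


def diagnose(status, client_offered):
    """Explain a 'no common encryption algorithm' failure and suggest the ssl encryption fix."""
    chosen = negotiate(status.enabled, client_offered)
    fix = None
    if chosen is None:
        # Ciphers the client offers that the ASA has but has not enabled, skipping weak ones.
        wanted = [c for c in client_offered if c in status.disabled and not weak_ciphers([c])]
        if wanted:
            fix = "ssl encryption " + " ".join(wanted)
    return {"negotiated": chosen, "weak_enabled": weak_ciphers(status.enabled), "fix": fix}


if __name__ == "__main__":
    for sample in (SHOW_SSL_DES_ONLY, SHOW_SSL_WITH_TRUSTPOINTS):
        print(diagnose(parse_show_ssl(sample), CLIENT_OFFERED))
```

Run it as-is to see both samples diagnosed, or paste your own show ssl output in place of one of the samples. For the post's output the result is no negotiated cipher and the fix "ssl encryption aes256-sha1 aes128-sha1 3des-sha1"; for the second sample a cipher is negotiated, but rc4-sha1 is reported as a weak cipher that is still enabled.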


René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.


23 thoughts on “Cisco ASA: web interface not working”

  1. Thanks for the tip, this worked great. As an FYI, running the command:

    “no ssl encryption”

    will revert back to the SSL defaults, which appear to be the following on ASA version 9.1.1 at least:

    Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    Disabled ciphers: des-sha1 rc4-md5 null-sha1

  2. Wow, I ran into this problem on a brand new, out-of-the-box pair of 5525-X ASAs. What a joke. Freakin' come on Cisco, you can do better than that. Wasted $200.00 of my customer's money on my time troubleshooting something that should be default config.

  3. @Matthew Evans: After upgrading the IOS on my ASA my ssl output is just like you said, and I'm getting a security certificate warning. Please help me with this. Any inputs are welcome.

    Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
    Start connections using TLSv1 and negotiate to TLSv1
    Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
    Disabled ciphers: des-sha1 rc4-md5 null-sha1
    SSL trust-points:
    Outside VPNLB interface: ASDM_Launcher_Access_TrustPoint_1
    Outside interface: ASDM_Launcher_Access_TrustPoint_1
    Inside interface: ASDM_Launcher_Access_TrustPoint_2
    Inside VPNLB interface: ASDM_Launcher_Access_TrustPoint_2
    Certificate authentication is not enabled

  4. Hi Mathew,

    I also got this error, but in my SSL VPN. Is your solution also applicable to SSL VPN?

  5. Today I spent the whole day with the same problem and solved it in the following way:
    1. Request the activation key from Cisco to enable Encryption-3DES-AES
    2. Configure the following commands
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    ssl cipher tlsv1.2 all

    I'm no expert in Cisco, much less in security, but persistence made me investigate and solve it.
    I hope this helps!!!

  6. I tried this command, but I got this error when I use the ssl command: ERROR: % Invalid input detected at ‘^’ marker. My firewall is an ASA 5516-X.
