Paolo Caparrelli Cisco ASA 22 June 2022

#wpdcom .wmu-attachment-delete{--wpr-bg-c21afa2d-c949-4dca-9844-6efd11e9e3eb: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/img/file-icons/delete.png');}#cboxOverlay{--wpr-bg-f48d9dc4-1cad-4710-9b12-bddb603febd1: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/overlay.png');}#cboxTopLeft{--wpr-bg-75d29d57-b768-42d9-b7e4-7e1a8903c04a: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#cboxTopRight{--wpr-bg-d0d22070-2d1d-48fd-a495-46502b6305d9: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#cboxBottomLeft{--wpr-bg-01678669-4ccf-4d36-8043-3d2184ff63ae: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#cboxBottomRight{--wpr-bg-4a14ad25-1125-4469-94b7-85739e9e4d1d: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#cboxMiddleLeft{--wpr-bg-c9b2a8d4-e110-46a1-836a-c398627c12f3: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#cboxMiddleRight{--wpr-bg-f6da2ff8-2039-4a45-bf66-085ff6857f8f: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#cboxTopCenter{--wpr-bg-bcdd3057-b981-4f5b-8f9a-1d6c1da638f2: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/border.png');}#cboxBottomCenter{--wpr-bg-b9ab084a-d15b-4404-a911-c315868b3002: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/border.png');}#cboxLoadingOverlay{--wpr-bg-3f71a038-8093-4a89-958a-f7644b834aa3: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/loading_background.png');}#cboxLoadingGraphic{--wpr-bg-48136f86-004c-479e-b57b-b4787dbd2ca8: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/loading.gif');}#cboxPrevious{--wpr-bg-a2a18a77-6a4e-4d38-a6b4-c75176d82236: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#cboxNext{--wpr-bg-65a6ccb6-6d9b-4520-8552-5ef1d2a3fd72: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/third-party/colorbox/images/controls.png');}#wpdiscuz-loading-bar{--wpr-bg-86c0a0ea-15db-4111-a866-d563abc3da65: url('https://www.goline.ch/wp-content/plugins/wpdiscuz/assets/img/loading.gif');}#hero{--wpr-bg-0851be9c-feb7-4a9b-8e6e-2630a69eae66: url('https://www.goline.ch/wp-content/themes/goline_sa/img/bg_3.jpg');}

Cisco ASA: web interface not working

I had to troubleshoot a Cisco ASA today, where the client wasn’t able to connect to the management web interface anymore via https. The customer didn’t install ASDM locally, but always starts the Java-based version.

After upgrading the Cisco ASA to software version 8.2(1) and a reboot, the client wasn’t able to connect to the web interface anymore. I was able to connect to the firewall with my locally installed ASDM client, but I couldn’t access the web interface either.

While troubleshooting I first tried the basic settings, like management access-list, regenerate crypto keys and change the management port. All these options didn’t help, but the strange thing was that the web interface was working remotely.

While working with Mozilla I received the following error:

cannot communicate securely with peer: no common encryption algorithm(s).

In Google Chrome I receive the following error:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

And of course Internet Explorer didn’t gave any usable information. I started looking at the supported encryption algorithms within the firewall with a show version. I noticed that VPN-3DES-AES was disabled. The next step was the enable the VPN-3DES-AES ciphers. The upgrade license for this feature is available for free at http://www.cisco.com/go/license.

I activated the VPN-3DES-AES feature, but still wasn’t able to connect to the firewall with the web interface. I checked the SSL encryption used by the firewall.

fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

The firewall still didn’t enable the ciphers supported in my browser. If the VPN-3DES-AES license isn’t installed, only the cipher des-sha1 is enabled by default. I added the correct ciphers with the following command:

fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

After adding the command I was able to connect to the ASA with both the web interface and the ASDM.

Home

About Us

Services

Solutions

Systems Architecture

Support

FAQ

News

Cisco ASA: web interface not working

Cisco ASA: web interface not working