PDM Won't Work

Unanswered Question
Jan 7th, 2009

I've tried everything out there, but I have no luck. I am using Firefox and tried various configurations for setting up PDM, but each time I access it in Firefox, I get "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)" and IE just says it cannot display the page. I need help badly as I don't know what else to do. If possible, can I get step-by-step instructions as well as troubleshooting tips? Thank you guys for your time and help!

topbluenet Wed, 01/07/2009 - 19:32

I will try this link again (as I have tried it before).

topbluenet Wed, 01/07/2009 - 21:26

This did not work for me. Thank you for the link, do you or does anybody else know what else to do? I can ping the router fine.

topbluenet Thu, 01/08/2009 - 23:28

I'm not sure how to get the config, but I issued a "write term" command and the following prints:


Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
[OK]

topbluenet Fri, 01/09/2009 - 12:22

In Firefox, I get "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)" and IE just says it cannot display the page.

topbluenet Fri, 01/09/2009 - 12:23

I can't even get a login. I've tried 2 computers, both with crossover cables and regular ones. I can ping the device and ssh into it.

rickyjohnt Sun, 01/11/2009 - 03:02

This can be due to a misconfiguration at either end. It can be due to a server being misconfigured to use a non-RSA certificate with the RSA key exchange algorithm.

Try this:

ca generate rsa key 1024
ca save all

topbluenet Fri, 01/09/2009 - 17:22

Further research shows that this is not a PIX configuration problem (possibly) but instead a browser unable to start a secure channel. I installed OpenSSL for Windows and was able to get everything by text. This will not, however, help me with Java. The output of OpenSSL is:


C:\OpenSSL\bin>openssl s_client -connect 192.168.1.1:443
Loading 'screen' into random state - done
CONNECTED(00000094)
depth=0 /serialNumber=30124fbd/CN=XXXXXXXXXXXXXXXX/unstructuredName=XXXXXXXXXXXX.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /serialNumber=30124fbd/CN=XXXXXXXXXXXX.net/unstructuredName=XXXXX.net
verify return:1
---
Certificate chain
0 s:/serialNumber=30124fbd/CN=XXXXXXXX.net/unstructuredName=XXXXXXXXX.net
i:/serialNumber=30124fbd/CN=XXXXXXX.net/unstructuredName=XXXXXXXXXXX
---
Server certificate


subject=/serialNumber=30124fbd/CN=XXXXXXXXX.net/unstructuredName=XXXXXXXXXXXX.net
issuer=/serialNumber=30124fbd/CN=XXXXXXXXXXXX.net/unstructuredName=XXXXXXXXXXXX.net
---
No client certificate CA names sent
---
SSL handshake has read 565 bytes and written 242 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5
    Session-ID: 4189267C2v2E8823FA4CF5AB647387F58DB2CE5AC7946511257A96BD51946B7D
    Session-ID-ctx:
    Master-Key: 913A7408028406EDD756DA8984EA9289685EEC27B15DBD0D018B8586558B90B082F3CEF3F450803EB01629D3618A70AB
    Key-Arg   : None
    Start Time: 1231550487
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


And I still get the same Firefox and IE errors. I enabled all of SSL versions 3.0 and TLS (my browser doesn't have 2.0). What is going on?
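A small triage script for the transcript above, added here as an example and not part of the thread: it parses `openssl s_client` output for the negotiated cipher, the server key size and the verify code, and lists the conditions shown in that output (an export-grade EXP-RC4-MD5 suite, a 512-bit RSA key, a self-signed certificate) that a browser with export ciphers disabled will not agree on. The sample input is constructed from the transcript; the key-size threshold and the `run_s_client` helper are my assumptions.

```python
import re
import subprocess

# Constructed sample: the diagnostic lines from the s_client transcript in the thread above.
SAMPLE_OUTPUT = """\
CONNECTED(00000094)
verify error:num=18:self signed certificate
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5
Verify return code: 18 (self signed certificate)
"""

def run_s_client(host, port=443):
    """Capture a live transcript (network call, assumed helper); the offline path uses SAMPLE_OUTPUT."""
    proc = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port)],
                          input=b"", capture_output=True, timeout=30)
    return proc.stdout.decode(errors="replace")

def parse_s_client(text):
    """Extract protocol, negotiated cipher, key size and verify code from s_client output."""
    info = {"protocol": None, "cipher": None, "key_bits": None, "verify_code": None}
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", text, re.M)
    if m:
        info["protocol"], info["cipher"] = m.group(1), m.group(2)
    m = re.search(r"^Server public key is (\d+) bit$", text, re.M)
    if m:
        info["key_bits"] = int(m.group(1))
    m = re.search(r"^Verify return code: (\d+)", text, re.M)
    if m:
        info["verify_code"] = int(m.group(1))
    return info

def assess(info, min_key_bits=2048):
    """List the reasons a current browser refuses this server (threshold is an assumption)."""
    cipher = info["cipher"] or ""
    findings = []
    if cipher.startswith("EXP-") or "EXPORT" in cipher:
        findings.append("export-grade cipher %s: browsers no longer offer it" % cipher)
    if "RC4" in cipher or cipher.endswith("-MD5"):
        findings.append("RC4/MD5 suite %s: deprecated" % cipher)
    if info["key_bits"] is not None and info["key_bits"] < min_key_bits:
        findings.append("server RSA key is %d bits (< %d)" % (info["key_bits"], min_key_bits))
    if info["verify_code"] == 18:
        findings.append("self-signed certificate: the browser will also raise a trust warning")
    return findings
```

Run `assess(parse_s_client(SAMPLE_OUTPUT))` to see all four findings for the PIX transcript; feed `run_s_client(host)` output to the same functions to triage a live device.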

topbluenet Mon, 01/12/2009 - 13:08

I have found a resolution to this problem. This was because my browser rejected the SSL 2.0 protocol. I do not have a solution for IE, but in Firefox I typed the URL 'about:config' and searched for 'ssl2' and turned all the options on (around 7). Then I went to Tools -> Options -> Advanced -> Encryption and unchecked SSL 3.0 and TLS 1.0. As you may know, this leaves me insecure, and other websites will sometimes just deny requests using SSL 2.0 (as I found out). If anybody knows of a way to upgrade the SSL on my PIX 501, can you please let me know? Thank you!
