01-07-2009 12:02 AM - edited 03-11-2019 07:33 AM
I've tried everything out there, but I have no luck. I am using Firefox and tried various configurations for setting up PDM, but each time I access it in Firefox, I get "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)" and IE just says it cannot display the page. I need help badly as I don't know what else to do. If possible, can I get step-by-step instructions as well as troubleshooting tips? Thank you guys for your time and help!
01-07-2009 01:43 AM
Try the below link:-
http://www.cisco.com/en/US/docs/security/pix/pix63/pdm30/installation/guide/pdm30CH5.html
HTH>
01-07-2009 07:32 PM
I will try this link again (as I have tried it before).
01-07-2009 09:26 PM
This did not work for me. Thank you for the link, do you or does anybody else know what else to do? I can ping the router fine.
01-08-2009 01:14 AM
Router?? the PDM is for the Cisco PIX??
Post the config, for review.
HTH>
01-08-2009 11:28 PM
I'm not sure how to get the config, but I issued a write term command and the following prints...
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
[OK]
01-09-2009 02:19 AM
config looks OK - what is the error you are getting?
01-09-2009 12:22 PM
In Firefox, I get "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) and IE just says it cannot display the page.
01-09-2009 12:23 PM
I can't even get a login. I've tried 2 computers, both with crossover cables and regular ones. I can ping the device and ssh into it.
01-11-2009 03:02 AM
This can be due to a misconfiguration at either end. It can be due to a server being misconfigured to use a non-RSA certificate with the RSA key exchange algorithm.
Try this
ca generate rsa key 1024
ca save all
01-09-2009 05:22 PM
Further research shows that this is not a PIX configuration problem (possibly) but instead a browser unable to start a secure channel. I installed OpenSSL for Windows and was able to get everything by text. This will not, however, help me with Java. The output of OpenSSL is:
C:\OpenSSL\bin>openssl s_client -connect 192.168.1.1:443
Loading 'screen' into random state - done
CONNECTED(00000094)
depth=0 /serialNumber=30124fbd/CN=XXXXXXXXXXXXXXXX/unstructuredName=XXXXXXXXXXXX.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /serialNumber=30124fbd/CN=XXXXXXXXXXXX.net/unstructuredName=XXXXX.net
verify return:1
---
Certificate chain
0 s:/serialNumber=30124fbd/CN=XXXXXXXX.net/unstructuredName=XXXXXXXXX.net
i:/serialNumber=30124fbd/CN=XXXXXXX.net/unstructuredName=XXXXXXXXXXX
---
Server certificate
subject=/serialNumber=30124fbd/CN=XXXXXXXXX.net/unstructuredName=XXXXXXXXXXXX.net
issuer=/serialNumber=30124fbd/CN=XXXXXXXXXXXX.net/unstructuredName=XXXXXXXXXXXX.net
---
No client certificate CA names sent
---
SSL handshake has read 565 bytes and written 242 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EXP-RC4-MD5
Session-ID: 4189267C2v2E8823FA4CF5AB647387F58DB2CE5AC7946511257A96BD51946B7D
Session-ID-ctx:
Master-Key: 913A7408028406EDD756DA8984EA9289685EEC27B15DBD0D018B8586558B90B082F3CEF3F450803EB01629D3618A70AB
Key-Arg : None
Start Time: 1231550487
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
And I still get the same Firefox and IE errors. I enabled all of SSL versions 3.0 and TLS (my browser doesn't have 2.0). What is going on?
01-11-2009 10:41 PM
I just ran into a similar problem with a 515e running 6.3(5) and PDM 3.0(4). The problem was my Vista/IE7 box. My old XP SP2/IE7 worked just fine. It's not the PIX, it's your client machine/browser.
01-12-2009 01:08 PM
I have found a resolution to this problem. This was because my browser rejected the SSL 2.0 protocol. I do not have a solution for IE, but in Firefox I typed the URL 'about:config', searched for 'ssl2' and turned all the options on (around 7). Then I went to Tools -> Options -> Advanced -> Encryption and unchecked SSL 3.0 and TLS 1.0. As you may know, this leaves me insecure and other websites will sometimes just deny requests using SSL 2.0 (as I found out). If anybody knows of a way to upgrade the SSL on my Pix 501, can you please let me know? Thank you!
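The s_client output posted earlier in the thread already contains the diagnosis: the PIX only negotiates EXP-RC4-MD5 on a 512-bit key, which is what a current browser refuses as "no cipher overlap", and the self-signed verify code 18 is a separate trust warning. The script below is an added example (not from the thread or from Cisco) that parses that summary block and names each reason a browser would reject the handshake; the sample text is constructed from the posted session, and the reason codes and the 1024-bit threshold are my own choices.

```python
import re

# Constructed sample: the handshake summary lines from the s_client session
# posted in this thread (certificate blob and session keys omitted).
SAMPLE_S_CLIENT = """\
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5
    Verify return code: 18 (self signed certificate)
"""


def parse_s_client(text):
    """Pull protocol, negotiated cipher, server key size and verify code out of
    'openssl s_client' output. Fields that are not present come back as None."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text, re.MULTILINE)
        return conv(m.group(1)) if m else None

    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": grab(r"^Server public key is (\d+) bit", int),
        "verify_code": grab(r"^\s*Verify return code:\s*(\d+)", int),
    }


def assess(info, min_key_bits=1024):
    """Return short reason codes for why a current browser refuses this server.
    Only the first three are cipher-overlap failures; 'self-signed' is a trust
    prompt the browser would show after a successful handshake."""
    reasons = []
    cipher = info["cipher"] or ""
    if cipher.startswith("EXP-"):
        reasons.append("export-cipher")   # 40-bit export grade, no longer offered by browsers
    if "RC4" in cipher:
        reasons.append("rc4")             # RC4 suites were dropped from browser cipher lists
    if info["key_bits"] is not None and info["key_bits"] < min_key_bits:
        reasons.append("weak-rsa-key")    # the 'ca generate rsa key 1024' advice targets this
    if info["verify_code"] == 18:
        reasons.append("self-signed")
    return reasons


if __name__ == "__main__":
    details = parse_s_client(SAMPLE_S_CLIENT)
    print(details)
    print("browser rejects because:", assess(details))
```

Re-enabling SSL 2.0 in the browser, as in the workaround above, removes the error only by accepting the export cipher; the codes other than "self-signed" are what a regenerated key and a firmware with modern suites would need to clear.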