Unable to connect to ASA 5505 with AnyConnect after upgrading to 8.2

Answered Question
Nov 17th, 2010

I just purchased an AnyConnect Essentials VPN License for my ASA 5505.  I had to upgrade to ASA 8.2.

Now that I have upgraded and installed the license, the AnyConnect client will no longer connect.  It gives the following error:  "Unable to process response".

Any help you can provide would be much appreciated.  I am happy to provide any configuration information that would be helpful if you can provide the CLI commands you would like me to execute.

Jennifer Halim (Cisco Employee) Wed, 11/17/2010 - 16:32

Have you enabled the anyconnect essential feature yet?

The commands are:

webvpn
  anyconnect-essentials

Hope that helps.

davidnesbitt Wed, 11/17/2010 - 16:40

I believe it is enabled:

lunch-officegw-01# show run webvpn
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 1 regex "Intel Mac OS X"
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 2 regex "Windows NT"
svc image disk0:/anyconnect-macosx-powerpc-2.3.2016-k9.pkg 3 regex "PPC Mac OS X"
svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 4 regex "Linux"
svc enable
tunnel-group-list enable

Jennifer Halim (Cisco Employee) Wed, 11/17/2010 - 16:46

Did you try to connect via browser or with the AnyConnect client itself?

Jennifer Halim (Cisco Employee) Wed, 11/17/2010 - 19:16

Can you please try to disable and re-enable the webvpn and test it again:

webvpn
  no enable outside
  enable outside

If it's still not working, might need to have a look at the whole config.

davidnesbitt Thu, 11/18/2010 - 10:19

I gave that a try:

lunch-officegw-01(config)# webvpn
lunch-officegw-01(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
lunch-officegw-01(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.


But no luck so far.  I did notice a few other things have changed since I upgraded to 8.2 and added the anyconnect-essentials license.

When I try to load ASDM (https://10.88.1.254/admin/public/index.html), Firefox tells me this:

Secure Connection Failed
An error occurred during a connection to 10.88.1.254.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

When I connect with PuTTY, it throws up a warning dialog that says:

The first cipher supported by the server is single-DES, which is below the configured warning threshold.

So it seems like something got messed up in the configuration along the way, but I don't know what it is.

Jennifer Halim (Cisco Employee) Thu, 11/18/2010 - 16:26

Ahh, yes, check your show version and see if 3DES is enabled. If not, you might want to activate the 3DES license. It can be requested from the following:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

(Click on Cisco ASA 3DES/AES License)

You might want to check if DES encryption works with the following command:

ssl encryption des-sha1

Once you have enabled the 3DES license, you can change the command to the following:

ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1

davidnesbitt Thu, 11/18/2010 - 16:39

I am able to launch ASDM now, but I still get the warning message from PuTTY.

davidnesbitt Fri, 11/19/2010 - 10:36

Jennifer, thank you so much for your help.  ASDM and AnyConnect clients are now working!  :-)

The only lingering configuration issue from the upgrade is the PuTTY warning about single DES that I mentioned.  Do you know what is causing that?

Correct Answer
Jennifer Halim (Cisco Employee) Fri, 11/19/2010 - 15:17

Seems like it doesn't like DES too much; you can change the cipher to "not" include DES in your policy:

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

DES in general isn't very secure anyway, and the above cipher choices will provide you with a better encryption policy.

Hope that helps.
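An added checker (my own example, not code from the thread or from Cisco) that automates the diagnosis Jennifer walks through in her 16:26 post and the accepted answer: parse the `ssl encryption` line from `show run`, check `show version` for the 3DES/AES license, flag single-DES, and produce the hardened line from the accepted answer. The `show version` line format (`VPN-3DES-AES : Enabled`) and both sample outputs are assumptions constructed for the example.

```python
import re

# ASA 8.x "ssl encryption" suite names used in this thread. Single-DES (and
# RC4) count as weak; the 3DES/AES suites require the ASA 3DES/AES license.
WEAK_SUITES = {"des-sha1", "rc4-md5", "rc4-sha1"}
STRONG_SUITES = {"3des-sha1", "aes128-sha1", "aes256-sha1"}

# Constructed sample output modelled on the thread, not a real device capture.
SAMPLE_RUN = """webvpn
 enable outside
 anyconnect-essentials
 svc enable
ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1
"""
VERSION_UNLICENSED = "VPN-3DES-AES : Disabled\nAnyConnect Essentials : Enabled\n"
VERSION_LICENSED = "VPN-3DES-AES : Enabled\nAnyConnect Essentials : Enabled\n"

def has_3des_license(show_version):
    """Assumes 'show version' prints a line like 'VPN-3DES-AES : Enabled'."""
    return re.search(r"3DES-AES\s*:\s*Enabled", show_version, re.I) is not None

def configured_suites(show_run):
    """Suites on the 'ssl encryption' line, in the order the ASA prefers them."""
    m = re.search(r"^\s*ssl encryption\s+(.+?)\s*$", show_run, re.M)
    return m.group(1).split() if m else []

def audit(show_run, show_version):
    """Return a list of findings; an empty list means nothing to flag."""
    suites = configured_suites(show_run)
    if not suites:
        return ["no explicit 'ssl encryption' line; check the platform default"]
    weak = [s for s in suites if s in WEAK_SUITES]
    strong = [s for s in suites if s in STRONG_SUITES]
    licensed = has_3des_license(show_version)
    findings = []
    if strong and not licensed:
        findings.append("3DES/AES suites configured but the 3DES/AES license is "
                        "not enabled, so only the weak suites are actually offered")
    if weak:
        findings.append("weak suites present: " + " ".join(weak))
    if weak and (not strong or not licensed):
        # Nothing but single-DES/RC4 on offer: browsers and AnyConnect refuse it
        # (Firefox's ssl_error_no_cypher_overlap in the thread).
        findings.append("only weak suites will be offered; modern clients fail "
                        "with no cipher overlap")
    return findings

def hardened_line(show_run):
    """The accepted answer's fix: drop the weak suites, keep the remaining order."""
    kept = [s for s in configured_suites(show_run) if s in STRONG_SUITES]
    return "ssl encryption " + " ".join(kept or sorted(STRONG_SUITES))
```

Run `audit(SAMPLE_RUN, VERSION_UNLICENSED)` to see the three findings that match the thread's symptoms, and `audit(hardened_line(SAMPLE_RUN), VERSION_LICENSED)` to confirm the fixed config is clean.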
