8856 Views, 10 Helpful, 10 Replies

SSL VPN failed SSL handshake

JESSICA Walsh (Level 1)

I'm getting a failed SSL handshake and cannot figure out why. My license for AES is enabled.

     Encryption-DES                    : Enabled        perpetual
     Encryption-3DES-AES               : Enabled        perpetual

I've got ssl configured.

     ssl encryption aes256-sha1 dhe-aes256-sha1 3des-sha1
     ssl trust-point ASDM_TrustPoint7 PUBLIC

The devices choose a common cipher, but then the handshake just fails.

Device chooses cipher : AES256-SHA for the SSL session with client PUBLIC:x.x.x.x/51030
Apr 08 2015 08:19:18 DEVICE-EXT : %ASA-6-725006: Device failed SSL handshake with client PUBLIC:x.x.x.x/51030

I have UDP and TCP 443 open in the ASA firewall rules with hits.
Any suggestions?
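Reading these handshake lines by hand works for one client; on a busy ASA you want them correlated per client socket. The following is an added example, not code from the thread or from Cisco: a small Python parser that groups the %ASA-6-725001, 725006 and 725014 messages quoted in this thread by client address and port and records how far each handshake got. The sample log is constructed with a documentation address (203.0.113.10); message IDs 725012 (Device chooses cipher) and 725002 (Device completed SSL handshake) are taken from the ASA syslog message set rather than from lines quoted here, and attributing a 725014 line (which carries no client address) to the most recently started handshake is an assumption that holds when the ASA logs the two lines back to back.

```python
import re
from collections import Counter

# Constructed sample syslog, modelled on the lines quoted in this thread.
# 203.0.113.10 is a documentation address, not the poster's real client.
SAMPLE_LOG = """\
Apr 08 2015 08:19:17 DEVICE-EXT : %ASA-6-725001: Starting SSL handshake with client PUBLIC:203.0.113.10/51030 for TLS session.
Apr 08 2015 08:19:18 DEVICE-EXT : %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client PUBLIC:203.0.113.10/51030
Apr 08 2015 08:19:18 DEVICE-EXT : %ASA-6-725006: Device failed SSL handshake with client PUBLIC:203.0.113.10/51030
Apr 08 2015 08:20:01 DEVICE-EXT : %ASA-6-725001: Starting SSL handshake with client PUBLIC:203.0.113.10/56138 for TLS session.
Apr 08 2015 08:20:01 DEVICE-EXT : %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: wrong version number
Apr 08 2015 08:20:05 DEVICE-EXT : %ASA-6-725001: Starting SSL handshake with client PUBLIC:203.0.113.10/56140 for TLS session.
Apr 08 2015 08:20:05 DEVICE-EXT : %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client PUBLIC:203.0.113.10/56140
Apr 08 2015 08:20:05 DEVICE-EXT : %ASA-6-725002: Device completed SSL handshake with client PUBLIC:203.0.113.10/56140
"""

MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<text>.*)$")
CLIENT_RE = re.compile(r"client (?P<client>\S+:[0-9.]+/\d+)")
CIPHER_RE = re.compile(r"chooses cipher : (?P<cipher>\S+)")
REASON_RE = re.compile(r"Reason: (?P<reason>.+)$")


def correlate_handshakes(log_text):
    """Group ASA SSL handshake messages per client socket and record how far
    each handshake got. 725014 carries no client address, so it is attributed
    to the most recently started handshake (assumption: the ASA logs the two
    lines back to back, as in the thread)."""
    sessions = {}
    order = []
    last_client = None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.group("id"), m.group("text")
        cm = CLIENT_RE.search(text)
        client = cm.group("client") if cm else last_client
        if msg_id == "725001" and client:
            sessions[client] = {"client": client, "cipher": None,
                                "outcome": "started", "reason": None}
            order.append(client)
            last_client = client
            continue
        s = sessions.get(client)
        if s is None:
            continue
        if msg_id == "725012":
            s["cipher"] = CIPHER_RE.search(text).group("cipher")
        elif msg_id == "725014":
            rm = REASON_RE.search(text)
            s["outcome"] = "failed"
            s["reason"] = rm.group("reason") if rm else text
        elif msg_id == "725006":
            s["outcome"] = "failed"
            if s["reason"] is None:
                s["reason"] = ("failed after choosing " + s["cipher"]
                               if s["cipher"] else "failed before cipher selection")
        elif msg_id == "725002":
            s["outcome"] = "completed"
    return [sessions[c] for c in order]


def failure_breakdown(results):
    """Count handshakes by (outcome, reason): a quick view of whether the ASA
    rejects clients at the ClientHello (version or cipher policy) or later in
    the exchange (certificate, key exchange)."""
    return Counter((r["outcome"], r["reason"]) for r in results)


if __name__ == "__main__":
    for s in correlate_handshakes(SAMPLE_LOG):
        print(s)
    print(failure_breakdown(correlate_handshakes(SAMPLE_LOG)))
```

Run over a real logging export, the breakdown separates handshakes the ASA rejects on the ClientHello (version or cipher policy, such as "wrong version number") from those that selected a cipher and still failed; the latter is the pattern in the first post and points at the certificate or key-exchange step rather than the cipher list.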

10 Replies

rizwanr74 (Level 7)

Hi Jessica,

Please post your config for easier troubleshooting.

Thanks

 

Well, I posted it, but it was way too long so I took it down.

Let's say your public IP is 9.9.9.9.


tunnel-group PLANO-VENDORS webvpn-attributes
 group-url https://9.9.9.9/PLANO-VENDORS enable

You do this for the other tunnel groups as well to enable them.

But I am lost as to why you have this disabled here.

tunnel-group PLANO-VENDORS ipsec-attributes
 no ikev1 pre-shared-key

?

Thanks

We aren't using IPsec, but I will check under that tunnel group. Maybe SSL is disabled.

Hi Jessica,

Make sure the SSL protocol is enabled on the group policy, and also enable all of the SSL ciphers.

Just in case, try using another port for TLS (4433).

Let me know how it worked out!

David Castro,

Regards

No luck. I ran a Wireshark dump and it goes through the exchange: my client sends a Client Key Exchange message, then the VPN sends a RST.

I see, could you explain the topology you have? Also, are you able to connect from the inside network with AnyConnect on the affected computer?

webvpn
  enable inside

Go ahead and do that test!

David Castro,

Regards,

Well, surprise! I did that and it started to pull down the client. However, I did test from an entirely different computer. I tested the external webvpn from a second computer, but it still doesn't work. Both of my external (testing from the Internet) computers that failed to connect will work with my other ASAs. I've also got these logs when trying to hit the ASA from the Internet.

%ASA-6-725001: Starting SSL handshake with client PUBLIC:174.49.128.9/56138 for TLS session.
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: wrong version number
%ASA-6-725001: Starting SSL handshake with client PUBLIC:174.49.128.9/56139 for TLS session.
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: wrong version number

TLS settings (which I have on another ASA that I can connect to with the same two external test PCs I have been using):

 

# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes256-sha1 dhe-aes256-sha1 aes128-sha1 dhe-aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint7 PUBLIC
ssl certificate-authentication fca-timeout 2
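The "wrong version number" errors from SSL3_GET_CLIENT_HELLO, together with the pinned "ssl server-version tlsv1" line, put the failure at the ClientHello rather than at the key exchange seen in the earlier Wireshark capture. The following is an added example, not code from the thread or from Cisco: a minimal parser that pulls the record-layer version, client_version and offered cipher suites out of a captured ClientHello record (the same fields Wireshark displays) and predicts how a server pinned to one protocol version with an explicit cipher list would answer it. Two assumptions are built in: the version rule is modelled on older OpenSSL servers, which reject a client_version lower than their own fixed version as "wrong version number" and negotiate a higher one down; and the mapping of ASA "ssl encryption" keywords to standard cipher suite codes is my reading of the keyword names. build_client_hello only constructs test fixtures.

```python
import struct

# TLS version codes as carried in the record header and the ClientHello
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# ASA 'ssl encryption' keywords mapped to standard cipher suite codes.
# ASSUMPTION: this mapping is my reading of the keyword names; the thread
# does not state it.
ASA_CIPHERS = {
    "aes256-sha1": 0x0035,      # TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)
    "dhe-aes256-sha1": 0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    "aes128-sha1": 0x002F,      # TLS_RSA_WITH_AES_128_CBC_SHA
    "dhe-aes128-sha1": 0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    "3des-sha1": 0x000A,        # TLS_RSA_WITH_3DES_EDE_CBC_SHA
}


def build_client_hello(client_version, suites, record_version=0x0301):
    """Construct a minimal TLS record carrying a ClientHello. This is a test
    fixture standing in for the first client record of a capture."""
    body = struct.pack("!H", client_version)
    body += b"\x11" * 32                                  # client random (constructed)
    body += b"\x00"                                       # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract record version, client_version and offered cipher suites from
    a TLS handshake record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                          # skip client random
    pos += 1 + body[pos]                                  # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version,
            "client_version": client_version, "suites": suites}


def evaluate_hello(record, server_version, asa_cipher_line):
    """Predict the answer of a server pinned to one protocol version with an
    explicit cipher list. ASSUMPTION: the version rule follows older OpenSSL
    servers, which reject a client_version below their own version with
    'wrong version number' and negotiate a higher one down."""
    hello = parse_client_hello(record)
    if hello["client_version"] < server_version:
        return ("wrong version number", None)
    allowed = [ASA_CIPHERS[name] for name in asa_cipher_line.split()]
    for code in allowed:      # server preference: first configured suite the client offers
        if code in hello["suites"]:
            return ("ok", code)
    return ("no shared cipher", None)


if __name__ == "__main__":
    # the 'ssl encryption' line from the config quoted above
    asa_line = "aes256-sha1 dhe-aes256-sha1 aes128-sha1 dhe-aes128-sha1 3des-sha1"
    for label, hello in [
        ("TLS1.2 client offering AES256-SHA", build_client_hello(0x0303, [0xC02F, 0x0035])),
        ("SSLv3-only client", build_client_hello(0x0300, [0x0035])),
        ("client offering only ECDHE-GCM", build_client_hello(0x0301, [0xC02F])),
    ]:
        parsed = parse_client_hello(hello)
        print(label, TLS_VERSIONS[parsed["client_version"]],
              evaluate_hello(hello, 0x0301, asa_line))
```

Feeding the bytes of the first client record from a capture to evaluate_hello, with the ASA's own "ssl encryption" line as the cipher argument, tells you whether version or cipher policy explains the rejection before any config is changed. A hello that passes both checks yet still ends in a RST, as in the capture described earlier in the thread, points past the ClientHello to the certificate or key-exchange step.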

Jessica,

Let's make sure the computers are negotiating TLSv1. Open Internet Options, click the "Advanced" tab, scroll down and make sure the following are checked:

- Use SSL 2.0
- Use SSL 3.0
- Use SSL 1.0
- Use SSL 1.1
- Use SSL 1.2

Make sure there is not a device in front of the firewall tampering with any packets.

Regards,

I had the same problem, then I found this:

https://www.prolixium.com/blog?id=978

Have you tried this solution?

ssl encryption 3des-sha1 aes128-sha1

Hope this helps.