04-08-2015 06:38 AM
I'm getting a failed SSL handshake and cannot figure out why. My license for AES is enabled.
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
I've got ssl configured.
ssl encryption aes256-sha1 dhe-aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint7 PUBLIC
The devices choose a common cipher, but then the handshake just fails.
Device chooses cipher : AES256-SHA for the SSL session with client PUBLIC:x.x.x.x/51030
Apr 08 2015 08:19:18 DEVICE-EXT : %ASA-6-725006: Device failed SSL handshake with client PUBLIC:x.x.x.x/51030
I have UDP and TCP 443 open in the ASA firewall rules with hits.
Any suggestions?
04-08-2015 09:05 AM
Hi Jessica,
Please post your config for easier troubleshooting.
thanks
04-08-2015 10:41 AM
Well, I posted it, but it was way too long, so I took it down.
04-08-2015 10:41 AM
Let's say your public IP is 9.9.9.9:
tunnel-group PLANO-VENDORS webvpn-attributes
group-url https://9.9.9.9/PLANO-VENDORS enable
You do this for other tunnel groups as well to enable.
But I am lost as to why you have this disabled here:
tunnel-group PLANO-VENDORS ipsec-attributes
no ikev1 pre-shared-key
?
thanks
04-08-2015 10:44 AM
We aren't using IPsec. But I will check under that tunnel group. Maybe SSL is disabled.
04-08-2015 03:37 PM
Hi Jessica,
Make sure the SSL protocol is enabled on the group policy, and also enable all of the SSL ciphers.
Just in case try using another port for the TLS (4433).
Let me know how it worked out!
David Castro,
Regards
04-09-2015 02:07 PM
No luck. I ran a Wireshark dump and it goes through the exchange; my client sends a Client Key Exchange message, then the VPN sends a RST.
04-09-2015 07:39 PM
I see. Could you explain to me the topology you have? Also, are you able to connect from the inside network with AnyConnect from the affected computer?
webvpn
enable inside
Go ahead and do that test!
David Castro,
Regards,
04-10-2015 07:06 AM
Well, surprise: I did that and it started to pull down the client! However, I did test from an entirely different computer. I tested the external webvpn from a second computer, but it still doesn't work. Both of my external (testing from the Internet) computers that failed to connect will work with my other ASAs. I've also got these logs when trying to hit the ASA from the Internet.
%ASA-6-725001: Starting SSL handshake with client PUBLIC:174.49.128.9/56138 for TLS session.
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: wrong version number
%ASA-6-725001: Starting SSL handshake with client PUBLIC:174.49.128.9/56139 for TLS session.
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: wrong version number
TLS settings (which I have on the other ASA and can connect to with the same two external test PCs I have been using):
# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes256-sha1 dhe-aes256-sha1 aes128-sha1 dhe-aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint7 PUBLIC
ssl certificate-authentication fca-timeout 2
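The ASA lines above can be correlated per client to see where each handshake stopped. The following is an added example, not code from the thread or from Cisco, that parses constructed log lines in the same format; it assumes a 725014 library error (which names no client) belongs to the handshake most recently started by a 725001 line:

```python
import re

# Constructed sample lines modelled on the messages quoted in this thread (725001, 725014,
# 725006 and the "Device chooses cipher" line); the addresses are the thread's own placeholders.
SAMPLE_LOG = """\
Apr 10 2015 07:01:02 DEVICE-EXT : %ASA-6-725001: Starting SSL handshake with client PUBLIC:174.49.128.9/56138 for TLS session.
Apr 10 2015 07:01:02 DEVICE-EXT : %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: wrong version number
Apr 10 2015 07:01:05 DEVICE-EXT : %ASA-6-725001: Starting SSL handshake with client PUBLIC:x.x.x.x/51030 for TLS session.
Apr 10 2015 07:01:05 DEVICE-EXT : Device chooses cipher : AES256-SHA for the SSL session with client PUBLIC:x.x.x.x/51030
Apr 10 2015 07:01:06 DEVICE-EXT : %ASA-6-725006: Device failed SSL handshake with client PUBLIC:x.x.x.x/51030
"""

MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
CLIENT_RE = re.compile(r"client (?P<client>\S+)")
CIPHER_RE = re.compile(r"Device chooses cipher : (?P<cipher>\S+) .*client (?P<client>\S+)")
LIBERR_RE = re.compile(r"Function: (?P<func>\S+) Reason: (?P<reason>.*)$")

def summarize_ssl_handshakes(log_text):
    """Map each client (PUBLIC:ip/port) to its chosen cipher, failure flag and SSL lib error."""
    sessions = {}
    current = None  # client from the latest 725001; 725014 lines name no client themselves
    new = lambda: {"cipher": None, "failed": False, "lib_error": None}
    for line in log_text.splitlines():
        c = CIPHER_RE.search(line)
        if c:
            sessions.setdefault(c["client"], new())["cipher"] = c["cipher"]
            continue
        m = MSG_RE.search(line)
        if not m:
            continue
        who = CLIENT_RE.search(m["body"])
        if m["id"] == "725001" and who:          # handshake started: remember the client
            current = who["client"]
            sessions.setdefault(current, new())
        elif m["id"] == "725006" and who:        # explicit failure, client named in the line
            sessions.setdefault(who["client"], new())["failed"] = True
        elif m["id"] == "725014" and current:    # library error belongs to the open handshake
            err = LIBERR_RE.search(m["body"])
            if err:
                sessions[current]["lib_error"] = (err["func"], err["reason"].strip())
            sessions[current]["failed"] = True
    return sessions

def failed_clients(log_text):
    """Return [(client, cipher, reason)] for every handshake that did not complete."""
    return [(client, s["cipher"], s["lib_error"][1] if s["lib_error"] else None)
            for client, s in summarize_ssl_handshakes(log_text).items() if s["failed"]]
```

Clients that fail before any cipher is chosen (reason present, cipher None) stopped at the ClientHello, which separates a version problem from a failure later in the exchange.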
04-10-2015 10:24 AM
Jessica,
Let's make sure the computers are negotiating on TLSv1. You may open the Internet Options, then click on the "Advanced" tab, scroll down and make sure the following are checked:
- Use SSL 2.0
- Use SSL 3.0
- Use SSL 1.0
- Use SSL 1.1
- Use SSL 1.2
Make sure there is not a device in front of the firewall tampering with any packets.
Regards,
10-01-2015 03:40 AM
I have the same problem as this; then I found this:
https://www.prolixium.com/blog?id=978
Have you tried this solution?
ssl encryption 3des-sha1 aes128-sha1
Hope this helps.