Rob
Community Member

Can't connect to ASA via HTTPS or ASDM

Hello,

I'm unable to connect to my Cisco ASA 5510 firewall via HTTPS or the ASDM GUI (I can SSH into it with no problem).  When I point my browser at the ASA, I get a "There is a problem with the website's security certificate." error.  When I click on the "Continue to this website (not recommended)." option, the browser's status updates with "connecting" but never progresses to the webpage.  When I point my ASDM GUI at the ASA (with the proper username and password), it updates its status with "connecting" but never progresses either.

Looking at the HTTPS debug output, I'm not seeing any errors.  Looking at the ASDM Java console, I don't see any errors either.

Here's what the ASA reports when I attempt to connect to it using my browser (with "debug http", "debug aaa", and "logg con debug" configured):
 
Mar 21 2014 10:30:33: %ASA-7-609001: Built local-host Outside:192.168.100.132
Mar 21 2014 10:30:33: %ASA-6-302013: Built inbound TCP connection 1959 for Outside:192.168.100.132/50226 (192.168.100.132/50226) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:30:33: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50226 for TLSv1 session.
Mar 21 2014 10:30:33: %ASA-7-725010: Device supports the following 3 cipher(s).
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[1] : DES-CBC3-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[2] : AES128-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[3] : AES256-SHA
Mar 21 2014 10:30:33: %ASA-7-725008: SSL client Outside:192.168.100.132/50226 proposes the following 8 cipher(s).
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[1] : AES128-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[2] : AES256-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[3] : RC4-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
Mar 21 2014 10:30:33: %ASA-7-725011: Cipher[8] : RC4-MD5
Mar 21 2014 10:30:33: %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:192.168.100.132/50226
Mar 21 2014 10:30:33: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50226
Mar 21 2014 10:30:33: %ASA-6-725007: SSL session with client Outside:192.168.100.132/50226 terminated.
Mar 21 2014 10:30:33: %ASA-6-302014: Teardown TCP connection 1959 for Outside:192.168.100.132/50226 to identity:172.18.13.2/443 duration 0:00:00 bytes 629 TCP Reset-I
Mar 21 2014 10:30:33: %ASA-7-609002: Teardown local-host Outside:192.168.100.132 duration 0:00:00
Mar 21 2014 10:30:36: %ASA-7-609001: Built local-host Outside:192.168.100.132
Mar 21 2014 10:30:36: %ASA-6-302013: Built inbound TCP connection 1960 for Outside:192.168.100.132/50227 (192.168.100.132/50227) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:30:36: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50227 for TLSv1 session.
Mar 21 2014 10:30:36: %ASA-6-725003: SSL client Outside:192.168.100.132/50227 request to resume previous session.
Mar 21 2014 10:30:36: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50227
Mar 21 2014 10:30:36: %ASA-6-725007: SSL session with client Outside:192.168.100.132/50227 terminated.
Mar 21 2014 10:30:36: %ASA-6-302013: Built inbound TCP connection 1961 for Outside:192.168.100.132/50228 (192.168.100.132/50228) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:30:36: %ASA-6-302014: Teardown TCP connection 1960 for Outside:192.168.100.132/50227 to identity:172.18.13.2/443 duration 0:00:00 bytes 130 TCP Reset-I
Mar 21 2014 10:30:36: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50228 for TLSv1 session.
Mar 21 2014 10:30:36: %ASA-6-725003: SSL client Outside:192.168.100.132/50228 request to resume previous session.
Mar 21 2014 10:30:37: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50228
HTTP: processing handoff to legacy admin server [/]
HTTP: session verified =  [0]
HTTP: processing GET URL '/' from host 192.168.100.132
HTTP: redirecting to: /admin/public/index.html
Mar 21 2014 10:30:37: %ASA-6-725007: SSL session with client Outside:192.168.100.132/50228 terminated.
Mar 21 2014 10:30:37: %ASA-6-302014: Teardown TCP connection 1961 for Outside:192.168.100.132/50228 to identity:172.18.13.2/443 duration 0:00:00 bytes 345 TCP FINs
Mar 21 2014 10:30:37: %ASA-7-609002: Teardown local-host Outside:192.168.100.132 duration 0:00:00
Mar 21 2014 10:30:37: %ASA-7-609001: Built local-host Outside:192.168.100.132
Mar 21 2014 10:30:37: %ASA-6-302013: Built inbound TCP connection 1962 for Outside:192.168.100.132/50229 (192.168.100.132/50229) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:30:37: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50229 for TLSv1 session.
Mar 21 2014 10:30:37: %ASA-6-725003: SSL client Outside:192.168.100.132/50229 request to resume previous session.
Mar 21 2014 10:30:37: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50229
HTTP: session verified =  [0]
HTTP: processing GET URL '/admin/public/index.html' from host 192.168.100.132
HTTP: authentication not required
HTTP: sending file: public/index.html, length: 7236

Here's what the ASA reports when I attempt to connect to it using the ASDM GUI (with "debug http", "debug aaa", and "logg con debug" configured):

Mar 21 2014 10:35:27: %ASA-7-609001: Built local-host Outside:192.168.100.132
Mar 21 2014 10:35:27: %ASA-6-302013: Built inbound TCP connection 1967 for Outside:192.168.100.132/50231 (192.168.100.132/50231) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:35:27: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50231 for TLSv1 session.
Mar 21 2014 10:35:27: %ASA-7-725010: Device supports the following 3 cipher(s).
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[1] : DES-CBC3-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[2] : AES128-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[3] : AES256-SHA
Mar 21 2014 10:35:27: %ASA-7-725008: SSL client Outside:192.168.100.132/50231 proposes the following 8 cipher(s).
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[1] : AES128-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[4] : RC4-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[5] : DES-CBC3-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[6] : EDH-RSA-DES-CBC3-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
Mar 21 2014 10:35:27: %ASA-7-725011: Cipher[8] : RC4-MD5
Mar 21 2014 10:35:27: %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:192.168.100.132/50231
Mar 21 2014 10:35:30: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50231
HTTP: processing ASDM request [/admin/login_banner] with cookie-based authentication (aware_webvpn_conf.re2c:434)
HTTP: check admin session. Cookie index [-1][0]
HTTP: client certificate required = 0
Mar 21 2014 10:35:30: %ASA-6-725007: SSL session with client Outside:192.168.100.132/50231 terminated.
Mar 21 2014 10:35:30: %ASA-6-302014: Teardown TCP connection 1967 for Outside:192.168.100.132/50231 to identity:172.18.13.2/443 duration 0:00:03 bytes 866 TCP Reset-O
Mar 21 2014 10:35:30: %ASA-7-609002: Teardown local-host Outside:192.168.100.132 duration 0:00:03
Mar 21 2014 10:35:30: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.132/50231 to 172.18.13.2/443 flags FIN ACK  on interface Outside
Mar 21 2014 10:35:30: %ASA-7-710005: TCP request discarded from 192.168.100.132/50231 to Outside:172.18.13.2/443
Mar 21 2014 10:35:30: %ASA-7-609001: Built local-host Outside:192.168.100.132
Mar 21 2014 10:35:30: %ASA-6-302013: Built inbound TCP connection 1968 for Outside:192.168.100.132/50232 (192.168.100.132/50232) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:35:30: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50232 for TLSv1 session.
Mar 21 2014 10:35:30: %ASA-6-725003: SSL client Outside:192.168.100.132/50232 request to resume previous session.
Mar 21 2014 10:35:30: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50232
HTTP: processing ASDM request [/admin/version.prop] with cookie-based authentication (aware_webvpn_conf.re2c:434)
HTTP: check admin session. Cookie index [-1][0]
HTTP: client certificate required = 0
Mar 21 2014 10:35:30: %ASA-6-725007: SSL session with client Outside:192.168.100.132/50232 terminated.
Mar 21 2014 10:35:31: %ASA-6-302014: Teardown TCP connection 1968 for Outside:192.168.100.132/50232 to identity:172.18.13.2/443 duration 0:00:00 bytes 367 TCP Reset-O
Mar 21 2014 10:35:31: %ASA-7-609002: Teardown local-host Outside:192.168.100.132 duration 0:00:00
Mar 21 2014 10:35:31: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.132/50232 to 172.18.13.2/443 flags FIN ACK  on interface Outside
Mar 21 2014 10:35:31: %ASA-7-710005: TCP request discarded from 192.168.100.132/50232 to Outside:172.18.13.2/443
Mar 21 2014 10:35:31: %ASA-7-609001: Built local-host Outside:192.168.100.132
Mar 21 2014 10:35:31: %ASA-6-302013: Built inbound TCP connection 1969 for Outside:192.168.100.132/50233 (192.168.100.132/50233) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:35:31: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50233 for TLSv1 session.
Mar 21 2014 10:35:31: %ASA-6-725003: SSL client Outside:192.168.100.132/50233 request to resume previous session.
Mar 21 2014 10:35:31: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50233
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
Mar 21 2014 10:35:31: %ASA-6-113012: AAA user authentication Successful : local database : user = myusername
Mar 21 2014 10:35:31: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = myusername
Mar 21 2014 10:35:31: %ASA-6-113008: AAA transaction status ACCEPT : user = myusername
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
Mar 21 2014 10:35:31: %ASA-6-611101: User authentication succeeded: Uname: myusername
Mar 21 2014 10:35:31: %ASA-6-605005: Login permitted from 192.168.100.132/50233 to Outside:172.18.13.2/https for user "myusername"
Resetting 0.0.0.0's numtries
HTTP: net_handle->standalone_client [1]
HTTP: start admin session
HTTP: Standalone authentication OK
HTTP: Idle timeout: 10
HTTP: Session timeout: 10
HTTP: Authentication server group: LOCAL
HTTP: authorization not required
HTTP: service-type attribute: 0
HTTP: privilege attribute: 15
HTTP: session 5AD6AF@20480@3EEB@D661B91AE806B18DEABA563C726891F2516F3C2B
HTTP: create new admin session A5AD6AF@20480@3EEB@D661B91AE806B18DEABA563C726891F2516F3C2B
HTTP: processing ASDM request [/admin/version.prop] with cookie-based authentication (aware_webvpn_conf.re2c:434)
HTTP: check admin session. Cookie index [2][acfa1178]
HTTP: Admin session cookie [A5AD6AF@20480@3EEB@D661B91AE806B18DEABA563C726891F2516F3C2B]
HTTP: Admin session idle-timeout reset
HTTP: session verified =  [1]
HTTP: username = [myusername], privilege = [15]
HTTP: processing GET URL '/admin/version.prop' from host 192.168.100.132
Mar 21 2014 10:35:31: %ASA-6-725007: SSL session with client Outside:192.168.HTTP: user already authenticated, bypass authentication
100.132/50233 terminated.
Mar 21 2014 10:35:35: %ASA-6-302014: Teardown TCP connection 1969 for Outside:192.168.100.132/50233 to identity:172.18.13.2/443 duration 0:00:00 bytes 2367 TCP Reset-O
Mar 21 2014 10:35:35: %ASA-7-609002: Teardown local-host Outside:192.168.100.132 duration 0:00:00
Mar 21 2014 10:35:35: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.132/50233 to 172.18.13.2/443 flags FIN ACK  on interface Outside
Mar 21 2014 10:35:35: %ASA-7-710005: TCP request discarded from 192.168.100.132/50233 to Outside:172.18.13.2/443
Mar 21 2014 10:35:35: %ASA-7-609001: Built local-host Outside:192.168.100.132
Mar 21 2014 10:35:35: %ASA-6-302013: Built inbound TCP connection 1970 for Outside:192.168.100.132/50234 (192.168.100.132/50234) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:35:35: %ASA-6-725001: Starting SSL handshake with client Outside:192.168.100.132/50234 for TLSv1 session.
Mar 21 2014 10:35:35: %ASA-6-725003: SSL client Outside:192.168.100.132/50234 request to resume previous session.
Mar 21 2014 10:35:35: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50234
HTTP: sending file: version.prop, length: 109
HTTP: processing ASDM request [/admin/pdm.sgz] with cookie-based authentication (aware_webvpn_conf.re2c:434)
HTTP: check admin session. Cookie index [2][acfa1178]
HTTP: Admin session cookie [A5AD6AF@20480@3EEB@D661B91AE806B18DEABA563C726891F2516F3C2B]
HTTP: Admin session idle-timeout reset
HTTP: session verified =  [1]
HTTP: username = [myusername], privilege = [15]
HTTP: processing GET URL '/admin/pdm.sgz' from host 192.168.100.132
HTTP: user already authenticated, bypass authentication
HTTP: sending file: pdm.sgz, length: 20471356

Here's some additional information that might be helpful:

ASA# show ver

Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.1(4)

Compiled on Mon 16-Sep-13 15:28 by builders
System image file is "disk0:/asa913-k8.bin"

ASA# show run asdm
asdm image disk0:/asdm-714.bin
no asdm history enable

ASA# show run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
ssl certificate-authentication fca-timeout 2

ASA# show run http
http server enable
http server idle-timeout 10
http server session-timeout 10
http 192.168.100.0 255.255.255.0 Outside
http 192.168.101.0 255.255.255.0 Outside
http 192.168.13.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.252 management

ASA# show asp table socket
Protocol  Socket    State      Local Address                                Foreign Address
SSL       0000c778  LISTEN     172.18.13.2:443                              0.0.0.0:*
SSL       0001e0e8  LISTEN     192.168.1.1:443                              0.0.0.0:*
TCP       00020128  LISTEN     172.18.13.2:22                               0.0.0.0:*
TCP       00033d58  LISTEN     192.168.1.1:22                               0.0.0.0:*
SSL       001e1168  LISTEN     172.20.13.1:443                              0.0.0.0:*
TCP       001e9b18  LISTEN     172.20.13.1:22                               0.0.0.0:*

Here's the ASA's current config:

ASA# show run
: Saved
:
ASA Version 9.1(3)
!
hostname ASA
domain-name mynet.net
enable password XXX encrypted
names
!
interface Ethernet0/0
 description Connection to WAN Router
 nameif Outside
 security-level 0
 ip address 172.18.13.2 255.255.255.252
!
interface Ethernet0/1
 description Connection to VoIP Switch
 nameif Inside
 security-level 100
 ip address 172.20.13.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description OOB Management Interface
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.252
!

boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name mynet.net
same-security-traffic permit inter-interface
access-list Outside_access_in extended permit ip any any log disable
access-list Outside_access_in extended deny ip any any log
access-list Inside_access_in extended permit ip any any log disable
access-list Inside_access_in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 2 burst-size 2
icmp permit any Outside
icmp permit any Inside
icmp permit any management
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
!
router eigrp 80
 no auto-summary
 network 172.18.13.0 255.255.255.252
 network 172.20.13.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 172.18.13.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http server idle-timeout 10
http server session-timeout 10
http 192.168.100.0 255.255.255.0 Outside
http 192.168.101.0 255.255.255.0 Outside
http 192.168.13.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.252 management
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 10
ssh 192.168.100.0 255.255.255.0 Outside
ssh 192.168.101.0 255.255.255.0 Outside
ssh 192.168.13.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.252 management
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 10
dhcpd address 192.168.1.2-192.168.1.2 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
username myusername password XXX encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ccbbb728ccb39e15a49e6c2e21a568a8
: end
ASA#

I manage six Cisco ASA 5510 firewalls spread across my network.  All of my firewalls are running the same software (asa913-k8.bin/asdm-714.bin).  I'm able to remotely administrate all of them using this workstation (meaning my browser, OS, Java, etc. are working just fine).

I've attached a drawing to better describe my infrastructure.

Problem summary
---I'm NOT able to administrate the red firewall via ASDM or HTTPS from the blue laptop.

From the blue laptop, I'm able to administrate all of the green firewalls via HTTPS and ASDM.
From the blue laptop, I'm able to SSH to all firewalls.
From the purple laptop, I'm able to administrate the red firewall via HTTPS, ASDM, and SSH.

Thanks in advance,

Rob
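Two things in the debug above are worth pulling out mechanically when triaging this kind of report: the per-connection pattern (TLS handshake completes, then the TCP connection is torn down by a reset after only a few hundred bytes with no HTTP request ever logged), and the cipher the ASA chose versus the suites in `ssl encryption`. The following Python script is an added example, not code from the original thread or from Cisco; it parses constructed sample lines shaped like the poster's syslog and `debug http` output (message IDs 302013/302014/725002/725012 are real ASA IDs, the addresses and one deliberately odd cipher choice are made up) and flags both conditions. The mapping from `ssl encryption` keywords to the OpenSSL-style names printed by the 725011/725012 messages is my own table; `DES-CBC3-SHA` is the 3DES suite, i.e. the one `3des-sha1` configures. Attributing `HTTP:` debug lines (which carry no connection ID) to the most recently completed handshake is a heuristic I chose for this example.

```python
"""Triage ASA syslog + 'debug http' output for HTTPS/ASDM connections that
complete a TLS handshake but never carry an HTTP request (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Mapping from 'ssl encryption' keywords to the names the 725011/725012
# messages print (my own table; covers the common suites only).
ASA_CIPHER_NAMES = {
    "3des-sha1": "DES-CBC3-SHA",
    "aes128-sha1": "AES128-SHA",
    "aes256-sha1": "AES256-SHA",
    "des-sha1": "DES-CBC-SHA",
    "rc4-sha1": "RC4-SHA",
    "rc4-md5": "RC4-MD5",
}

# Constructed sample in the thread's log format: connection 1959 resets right
# after the handshake; 1962 completes and serves a file but with a cipher that
# is not in the configured list (made up to exercise the second check).
SAMPLE_LOG = """\
Mar 21 2014 10:30:33: %ASA-6-302013: Built inbound TCP connection 1959 for Outside:192.168.100.132/50226 (192.168.100.132/50226) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:30:33: %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:192.168.100.132/50226
Mar 21 2014 10:30:33: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50226
Mar 21 2014 10:30:33: %ASA-6-725007: SSL session with client Outside:192.168.100.132/50226 terminated.
Mar 21 2014 10:30:33: %ASA-6-302014: Teardown TCP connection 1959 for Outside:192.168.100.132/50226 to identity:172.18.13.2/443 duration 0:00:00 bytes 629 TCP Reset-I
Mar 21 2014 10:30:37: %ASA-6-302013: Built inbound TCP connection 1962 for Outside:192.168.100.132/50229 (192.168.100.132/50229) to identity:172.18.13.2/443 (172.18.13.2/443)
Mar 21 2014 10:30:37: %ASA-7-725012: Device chooses cipher : RC4-MD5 for the SSL session with client Outside:192.168.100.132/50229
Mar 21 2014 10:30:37: %ASA-6-725002: Device completed SSL handshake with client Outside:192.168.100.132/50229
HTTP: processing GET URL '/admin/public/index.html' from host 192.168.100.132
HTTP: sending file: public/index.html, length: 7236
Mar 21 2014 10:30:37: %ASA-6-302014: Teardown TCP connection 1962 for Outside:192.168.100.132/50229 to identity:172.18.13.2/443 duration 0:00:00 bytes 345 TCP FINs
"""


@dataclass
class Conn:
    conn_id: str
    client: str                          # client ip/port as logged
    cipher: Optional[str] = None
    handshake_done: bool = False
    http_requests: List[str] = field(default_factory=list)
    bytes_total: Optional[int] = None
    teardown: Optional[str] = None       # "Reset-I", "Reset-O", "FINs", ...


BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection (\d+) for [^:\s]+:(\S+) \(")
CIPHER = re.compile(r"%ASA-7-725012: Device chooses cipher : (\S+) .* with client [^:\s]+:(\S+)")
DONE = re.compile(r"%ASA-6-725002: Device completed SSL handshake with client [^:\s]+:(\S+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .* bytes (\d+) TCP (\S+)$")
HTTP_GET = re.compile(r"^HTTP: processing GET URL '([^']+)'")


def parse_sessions(text: str) -> Dict[str, Conn]:
    """Correlate syslog and debug lines into one Conn record per TCP connection."""
    conns: Dict[str, Conn] = {}
    open_by_client: Dict[str, str] = {}   # "ip/port" -> conn_id while the connection is up
    current: Optional[Conn] = None        # last connection whose handshake completed (heuristic)
    for raw in text.splitlines():
        line = raw.strip()
        m = BUILT.search(line)
        if m:
            conn = Conn(conn_id=m.group(1), client=m.group(2))
            conns[conn.conn_id] = conn
            open_by_client[conn.client] = conn.conn_id
            continue
        m = CIPHER.search(line)
        if m and m.group(2) in open_by_client:
            conns[open_by_client[m.group(2)]].cipher = m.group(1)
            continue
        m = DONE.search(line)
        if m and m.group(1) in open_by_client:
            current = conns[open_by_client[m.group(1)]]
            current.handshake_done = True
            continue
        m = HTTP_GET.match(line)
        if m and current is not None:
            current.http_requests.append(m.group(1))
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in conns:
            conn = conns[m.group(1)]
            conn.bytes_total = int(m.group(2))
            conn.teardown = m.group(3)
            open_by_client.pop(conn.client, None)
    return conns


def triage(conns: Dict[str, Conn], configured_keywords: List[str]) -> List[Tuple[str, str, str]]:
    """Return (conn_id, finding, detail) for cipher mismatches and post-handshake stalls."""
    allowed = {ASA_CIPHER_NAMES.get(k, k) for k in configured_keywords}
    findings: List[Tuple[str, str, str]] = []
    for conn in conns.values():
        if conn.cipher and conn.cipher not in allowed:
            findings.append((conn.conn_id, "cipher-not-configured", conn.cipher))
        # Handshake finished, no HTTP request seen, connection ended by a reset:
        # the exact pattern in the thread, which turned out to be an MTU problem.
        if conn.handshake_done and not conn.http_requests and (conn.teardown or "").startswith("Reset"):
            findings.append((conn.conn_id, "stalled-after-handshake",
                             f"{conn.teardown} after {conn.bytes_total} bytes, no HTTP request seen"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sessions(SAMPLE_LOG), ["3des-sha1", "aes128-sha1", "aes256-sha1"]):
        print(*finding)
```

Run against the poster's full capture, the resumed sessions (1960, 1967, 1968) would all come out as stalled-after-handshake with byte counts in the hundreds, which is the signature of a connection that works while packets stay small and dies once a full-size segment has to cross the path.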

8 REPLIES
Hall of Fame Super Silver

The line:

Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:192.168.100.132/50226

is alarming. If your browser and subsequent ASDM session is trying to kick off over DES, that generally won't work because most modern browsers won't accept that weak algorithm.

I don't know why it did that though since you have "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1".

Can you verify you have activated the 3DES-AES license on your ASA - "show ver | i 3DES-AES"?

Rob
Community Member

Hello Marvin,

Here's the output from "show ver | inc 3DES-AES":

Encryption-3DES-AES     : Enabled     perpetual

Any other ideas?

Thanks in advance,

Rob

Hall of Fame Super Silver

That looks correct. I'm stumped. I double checked what you have, your diagram and problem description. The configuration seems correct and I would expect it to work.

That weak cipher indication in the debug log is perplexing me. The fact that your configuration says three strong ciphers only and yet the debug indicates a weak one is chosen is the only anomaly jumping out at me. Yet the same client negotiates fine with other ASAs and other clients work fine with that ASA (albeit coming in via a different interface).

I'd suggest going down the rabbit hole of mucking with cipher suite order in IE but the fact that it's working on other ASAs from your blue laptop makes me think it's ASA-related and not the laptop. (Of course you could argue against the same point from the perspective that the red ASA is manageable from the purple laptop.)

It's a long shot, but you might try flushing your Java temporary files on the blue laptop.

Rob
Community Member

Hello Marvin,

I figured my problem out.  I adjusted the outside interface MTU from 1,500 to 1,416.

I'm using encrypted GRE tunnels across my WAN.  The encapsulation reduces the available MTU payload.  I believe/believed that all network devices would dynamically adjust their MTU.  Apparently, the ASA doesn't negotiate its MTU (?).  I suspect my SSH was working properly because it never filled the payload portion of my packets.

Thanks for your time in investigating my problem,

Rob

Hall of Fame Super Silver

Well that's certainly a non-obvious root cause. We do often have to adjust MTU for things going through the firewall like 3rd party VPN connections. I've not had occasion to have to do it ON the firewall though.

Glad to know you figured it out.

Anonymous
N/A

Just for completeness' sake, I am adding an additional solution into this older thread. I had the same issue today with an ASA responding to a client SSL cipher proposal with a single cipher, "DES-CBC-SHA", despite being configured for 6 much more secure ciphers.

I ran a "no ssl encryption xxx-xxx xxx-xxx xxx-xxx xxx-xxx" command on the ASA, and then pasted the ssl cipher config line right back in and saved the config, and my ASDM config started working again. 

Russ

Hall of Fame Super Silver

That's good to know. Thanks for the new information.

Did you note which release that one was running?

Anonymous
N/A

ASA Version: 9.1(7)16
ASDM Version: 7.6(2)150

Russ
