10-21-2013 05:34 PM
Hello,
I'm trying to configure clientless SSL VPN, but connection drops:
Oct 22 2013 04:12:18: %ASA-6-725001: Starting SSL handshake with client isp1:109.173.DDD.DD/55870 for TLSv1 session.
Oct 22 2013 04:12:18: %ASA-7-725010: Device supports the following 4 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[2] : DES-CBC3-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[3] : AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[4] : DES-CBC-SHA
Oct 22 2013 04:12:18: %ASA-7-725008: SSL client isp1:109.173.DDD.DD/55870 proposes the following 8 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[2] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[4] : DHE-DSS-AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[5] : RC4-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[6] : RC4-MD5
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[7] : AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[8] : DES-CBC3-SHA
Oct 22 2013 04:12:18: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-725006: Device failed SSL handshake with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-302014: Teardown TCP connection 17237 for isp1:109.173.DDD.DD/55870 to identity:77.73.DDD.DDD/443 duration 0:00:00 bytes 2926 TCP Reset by appliance
I did not get
%ASA-7-725014 SSL lib error. Function: function Reason: reason
which is very common in such cases.
border1# sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Configured for self-signed certificate generation.
border1# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: ca004e52
Certificate Usage: Signature
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=border1.domain.local
cn=border1
Subject Name:
hostname=border1.domain.local
cn=border1
Validity Date:
start date: 18:38:38 MSK Oct 21 2013
end date: 18:38:38 MSK Oct 19 2023
Associated Trustpoints: ASDM_TrustPoint0
border1# show run ssl
ssl encryption aes256-sha1 3des-sha1 aes128-sha1 des-sha1
ssl trust-point ASDM_TrustPoint0 isp1
ASDM on "inside" interface works fine.
04-14-2015 01:03 AM
To bring this back from the dead, because I had a similar problem...
The problem is that the key was created for usage-keys | signature purpose:
Certificate Usage: Signature
The key needs to be either general-keys or encryption.
Look at crypto key generate rsa
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2237673
usage-keys
Generates two key pairs, one for signature use and one for encryption use. This implies that two certificates for the corresponding identity are required.
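As an added illustration of the diagnosis above (example code written for this thread, not taken from the posts or from Cisco), the script below reads the 725001/725012/725006 lines from the ASA log, records which suite was negotiated for each client, and flags every failed handshake whose chosen suite uses static RSA key exchange. Those suites (AES256-SHA, DES-CBC3-SHA, AES128-SHA, DES-CBC-SHA, i.e. everything the box's `ssl encryption` line allows) have the client encrypt the premaster secret to the server's RSA public key, so they only work if the trust-point key pair is allowed to decrypt, which a usage-keys/signature key is not. The sample log is constructed from the lines in the question; the regular expression for the "completed" message (725002) is assumed to have the same shape as the "failed" one.

```python
import re

# Constructed sample input: the handshake-related lines from the original
# post's ASA log (client address anonymised exactly as in the post).
SAMPLE_LOG = """\
Oct 22 2013 04:12:18: %ASA-6-725001: Starting SSL handshake with client isp1:109.173.DDD.DD/55870 for TLSv1 session.
Oct 22 2013 04:12:18: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-725006: Device failed SSL handshake with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-302014: Teardown TCP connection 17237 for isp1:109.173.DDD.DD/55870 to identity:77.73.DDD.DDD/443 duration 0:00:00 bytes 2926 TCP Reset by appliance
"""

# Message shapes copied from the post. The "completed" variant (725002) is
# assumed to mirror the "failed" one (725006); adjust if your build differs.
START_RE = re.compile(r"%ASA-\d-725001: Starting SSL handshake with client (\S+) for (\S+) session")
CHOOSE_RE = re.compile(r"%ASA-\d-725012: Device chooses cipher : (\S+) for the SSL session with client (\S+)")
RESULT_RE = re.compile(r"%ASA-\d-72500[26]: Device (completed|failed) SSL handshake with client (\S+)")


def key_exchange(cipher):
    """Classify an OpenSSL-style suite name by its key-exchange method.

    Names without a DHE-/ECDHE- prefix (AES256-SHA, DES-CBC3-SHA, RC4-SHA, ...)
    use static RSA key exchange, so the server's RSA key pair must be able
    to decrypt the premaster secret. DHE-RSA suites only *sign* with the key.
    """
    if cipher.startswith(("DHE-", "EDH-")):
        return "DHE"
    if cipher.startswith("ECDHE-"):
        return "ECDHE"
    return "RSA"


def analyse(log_text):
    """Return (client, cipher, advice) for each failed handshake whose
    negotiated suite depends on an encryption-capable RSA key."""
    sessions = {}
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            sessions[m.group(1)] = {"version": m.group(2)}
            continue
        m = CHOOSE_RE.search(line)
        if m:
            sessions.setdefault(m.group(2), {})["cipher"] = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m:
            sessions.setdefault(m.group(2), {})["result"] = m.group(1)

    findings = []
    for client, s in sessions.items():
        cipher = s.get("cipher")
        if s.get("result") == "failed" and cipher and key_exchange(cipher) == "RSA":
            findings.append((
                client,
                cipher,
                "handshake failed right after a static-RSA suite was chosen: check "
                "that the trust-point RSA key was generated as general-keys (or "
                "encryption), not usage-keys/signature",
            ))
    return findings


if __name__ == "__main__":
    for client, cipher, advice in analyse(SAMPLE_LOG):
        print(f"{client} [{cipher}]: {advice}")
```

Run it against a `debug ssl` capture or the syslog feed; a hit means the failure pattern from this thread. Note that the DHE-RSA suites the client offered would have been served fine by a signature-only key, but the `ssl encryption` list on the box contains only static-RSA suites, so every negotiation necessarily lands on a suite the key cannot serve.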