ASA Clientless VPN SSL handshake failure

Hello,

I'm trying to configure clientless SSL VPN, but the connection drops:

Oct 22 2013 04:12:18: %ASA-6-725001: Starting SSL handshake with client isp1:109.173.DDD.DD/55870 for TLSv1 session.
Oct 22 2013 04:12:18: %ASA-7-725010: Device supports the following 4 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[2] : DES-CBC3-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[3] : AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[4] : DES-CBC-SHA
Oct 22 2013 04:12:18: %ASA-7-725008: SSL client isp1:109.173.DDD.DD/55870 proposes the following 8 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[2] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[4] : DHE-DSS-AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[5] : RC4-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[6] : RC4-MD5
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[7] : AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[8] : DES-CBC3-SHA
Oct 22 2013 04:12:18: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-725006: Device failed SSL handshake with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-302014: Teardown TCP connection 17237 for isp1:109.173.DDD.DD/55870 to identity:77.73.DDD.DDD/443 duration 0:00:00 bytes 2926 TCP Reset by appliance

I did not get

%ASA-7-725014 SSL lib error. Function: function Reason: reason

which is very common in such cases.

Some "show" outputs:

border1# sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
    Configured for self-signed certificate generation.

border1# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: ca004e52
  Certificate Usage: Signature
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=border1.domain.local
    cn=border1
  Subject Name:
    hostname=border1.domain.local
    cn=border1
  Validity Date:
    start date: 18:38:38 MSK Oct 21 2013
    end   date: 18:38:38 MSK Oct 19 2023
  Associated Trustpoints: ASDM_TrustPoint0

border1# show run ssl
ssl encryption aes256-sha1 3des-sha1 aes128-sha1 des-sha1
ssl trust-point ASDM_TrustPoint0 isp1

ASDM on "inside" interface works fine.

1 Reply

Alex
Level 1

To bring this back from the dead, because I had a similar problem...

The problem is that the key was created for usage-keys (signature purpose):

Certificate Usage: Signature

The key needs to be either general-keys or encryption.

Look at crypto key generate rsa:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2237673

usage-keys

Generates two key pairs, one for signature use and one for encryption use. This implies that two certificates for the corresponding identity are required.
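As an added example (not part of this thread), the following script correlates the 7250xx syslog lines per client and flags the combination Alex describes: a handshake that fails with no 725014 reason while the negotiated suite uses static RSA key transport and the trust-point certificate usage is Signature only. The sample log lines and addresses are constructed, and the rule that non-(EC)DHE suites need an encryption-capable key is an assumption drawn from the usage-keys description above.

```python
import re

# Constructed sample in the shape of the post's excerpt; addresses are documentation placeholders.
SAMPLE_LOG = """\
Oct 22 2013 04:12:18: %ASA-6-725001: Starting SSL handshake with client isp1:198.51.100.7/55870 for TLSv1 session.
Oct 22 2013 04:12:18: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client isp1:198.51.100.7/55870
Oct 22 2013 04:12:18: %ASA-6-725006: Device failed SSL handshake with client isp1:198.51.100.7/55870
Oct 22 2013 04:12:19: %ASA-6-725001: Starting SSL handshake with client isp1:198.51.100.8/40001 for TLSv1 session.
Oct 22 2013 04:12:19: %ASA-7-725012: Device chooses cipher : DHE-RSA-AES256-SHA for the SSL session with client isp1:198.51.100.8/40001
Oct 22 2013 04:12:19: %ASA-6-725002: Device completed SSL handshake with client isp1:198.51.100.8/40001
"""

CLIENT = r"client (?P<client>\S+)"
CHOSEN = re.compile(r"%ASA-7-725012: Device chooses cipher : (?P<cipher>\S+) .*" + CLIENT)
FAILED = re.compile(r"%ASA-6-725006: Device failed SSL handshake with " + CLIENT)
LIBERR = re.compile(r"%ASA-7-725014: SSL lib error")  # carries no client field; tie it to the last session seen


def uses_rsa_key_transport(cipher: str) -> bool:
    """OpenSSL-style names without an (EC)DH key-exchange prefix use RSA key transport:
    the client encrypts the premaster secret to the server's RSA key, so that key must be
    usable for encryption (general-keys / encryption), not only for signing (assumption)."""
    return not cipher.startswith(("DHE-", "ECDHE-", "DH-", "ECDH-", "ADH-", "AECDH-"))


def analyze(log_text: str, cert_usage: str) -> dict:
    """Return {client: {cipher, failed, lib_error, verdict}} for the sessions in log_text.
    cert_usage is the 'Certificate Usage' value from 'show crypto ca certificates'."""
    sessions, last_client = {}, None
    blank = lambda: {"cipher": None, "failed": False, "lib_error": False}
    for line in log_text.splitlines():
        if m := CHOSEN.search(line):
            last_client = m["client"]
            sessions.setdefault(last_client, blank())["cipher"] = m["cipher"]
        elif m := FAILED.search(line):
            last_client = m["client"]
            sessions.setdefault(last_client, blank())["failed"] = True
        elif LIBERR.search(line) and last_client:
            sessions[last_client]["lib_error"] = True
    for s in sessions.values():
        if not s["failed"]:
            s["verdict"] = "ok"
        elif s["lib_error"]:
            s["verdict"] = "failed: see the 725014 reason"
        elif cert_usage == "Signature" and s["cipher"] and uses_rsa_key_transport(s["cipher"]):
            s["verdict"] = (f"failed silently: signature-only key with RSA key-transport cipher "
                            f"{s['cipher']}; regenerate the key pair with general-keys")
        else:
            s["verdict"] = "failed: check trust-point binding and cipher overlap"
    return sessions
```

Feed it `show logging` output plus the usage line from the trust-point certificate; a silent failure on a static RSA suite with a Signature-only certificate is the case this thread describes.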