Cisco Support Community
New Member

ASA Clientless VPN SSL handshake failure

Hello,

I'm trying to configure clientless SSL VPN, but connection drops:

Oct 22 2013 04:12:18: %ASA-6-725001: Starting SSL handshake with client isp1:109.173.DDD.DD/55870 for TLSv1 session.
Oct 22 2013 04:12:18: %ASA-7-725010: Device supports the following 4 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[2] : DES-CBC3-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[3] : AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[4] : DES-CBC-SHA
Oct 22 2013 04:12:18: %ASA-7-725008: SSL client isp1:109.173.DDD.DD/55870 proposes the following 8 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[2] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[4] : DHE-DSS-AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[5] : RC4-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[6] : RC4-MD5
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[7] : AES128-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[8] : DES-CBC3-SHA
Oct 22 2013 04:12:18: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-725006: Device failed SSL handshake with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-302014: Teardown TCP connection 17237 for isp1:109.173.DDD.DD/55870 to identity:77.73.DDD.DDD/443 duration 0:00:00 bytes 2926 TCP Reset by appliance

I did not get

%ASA-7-725014 SSL lib error. Function: function Reason: reason

which is very common in such cases.

Some "show" outputs:

border1# sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
    Configured for self-signed certificate generation.

border1# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: ca004e52
  Certificate Usage: Signature
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=border1.domain.local
    cn=border1
  Subject Name:
    hostname=border1.domain.local
    cn=border1
  Validity Date:
    start date: 18:38:38 MSK Oct 21 2013
    end   date: 18:38:38 MSK Oct 19 2023
  Associated Trustpoints: ASDM_TrustPoint0

border1# show run ssl
ssl encryption aes256-sha1 3des-sha1 aes128-sha1 des-sha1
ssl trust-point ASDM_TrustPoint0 isp1

ASDM on "inside" interface works fine.

1 REPLY
New Member

To bring this from the dead

To bring this from the dead cause i had a similar problem...

The problem is that the key was created with usage-keys (signature purpose):

Certificate Usage: Signature

The key needs to be either general-keys or encryption.

Look at crypto key generate rsa

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2237673

usage-keys

Generates two key pairs, one for signature use and one for encryption use. This implies that two certificates for the corresponding identity are required.
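As an added example (not from this thread or from Cisco): a small Python triage script that groups the ASA 725xxx syslog messages quoted in the question by client session and flags the pattern seen here, a handshake that fails right after the device picks a static-RSA key-exchange suite with no 725014 library error, which is what a signature-only trustpoint key produces. Message IDs and text formats are taken from the thread; the sample log is a constructed subset of it; the function names and return labels are my own.

```python
import re
# Constructed sample: a subset of the ASA syslog lines quoted in the question above.
SAMPLE_LOG = """\
Oct 22 2013 04:12:18: %ASA-6-725001: Starting SSL handshake with client isp1:109.173.DDD.DD/55870 for TLSv1 session.
Oct 22 2013 04:12:18: %ASA-7-725010: Device supports the following 4 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725008: SSL client isp1:109.173.DDD.DD/55870 proposes the following 8 cipher(s).
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725011: Cipher[2] : AES256-SHA
Oct 22 2013 04:12:18: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client isp1:109.173.DDD.DD/55870
Oct 22 2013 04:12:18: %ASA-6-725006: Device failed SSL handshake with client isp1:109.173.DDD.DD/55870
"""
MSG = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<text>.*)")
PEER = re.compile(r"client (?P<peer>\S+)")

def static_rsa_kx(cipher):
    # No (EC)DH prefix in the OpenSSL-style name means RSA key transport, which needs an encryption-capable server key pair
    return not cipher.startswith(("DHE-", "ECDHE-", "EDH-", "ADH-", "ECDH-"))

def parse_sessions(log):
    """Group 725xxx messages per client peer (address/port) in order of appearance."""
    sessions, cur, listing = {}, None, None
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        mid, text = m.group("id"), m.group("text")
        if mid == "725001":  # new handshake: open a session record for this peer
            cur = sessions.setdefault(PEER.search(text).group("peer"), {
                "server": [], "client": [], "chosen": None, "failed": False, "lib_error": None})
        elif cur is None:
            continue
        elif mid in ("725010", "725008"):  # the 725011 lines that follow belong to device or client
            listing = cur["server" if mid == "725010" else "client"]
        elif mid == "725011" and listing is not None:
            listing.append(text.split(":")[-1].strip())
        elif mid == "725012":
            cur["chosen"] = re.search(r"cipher : (\S+)", text).group(1)
        elif mid == "725006":
            cur["failed"] = True
        elif mid == "725014":  # SSL lib error, when the ASA reports one
            cur["lib_error"] = text
    return sessions

def diagnose(s):
    """Coarse triage; the thread's pattern (failure, no 725014, static-RSA suite) maps to check-key-usage."""
    if not s["failed"]:
        return "ok"
    if s["lib_error"]:
        return "lib-error"
    return "check-key-usage" if s["chosen"] and static_rsa_kx(s["chosen"]) else "unknown"
```

Run it over a "debug ssl" or syslog capture and compare each flagged session's chosen suite with the trustpoint's "Certificate Usage" line from show crypto ca certificates.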
