abdullahjamali
asked on
Cisco ASA Upgrade issue
Hi Guys,
I have upgraded the Cisco ASA 5505 firewall software to 9.1.7.(6) and ASDM to 7.6.(1). After the upgrade, when I tried to open the firewall from ASDM, the following error came up:
''This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://192.168.1.1 again. If this error persists, it is possible that this site uses an unsupported protocol. Please contact your site administrator''.
I have tried IE, Chrome and Firefox but am still unable to access the firewall using ASDM.
Telnet, PuTTY and HyperTerminal connections are fine. Can someone help me resolve this issue? Thanks in advance.
Regards,
ASKER
Hi SIM50,
Thanks for your reply.
I don't have a cipher sub-command under the ssl command; please find below the list of sub-commands and switches that I have got.
certificate-authentication
client-version
encryption
server-version
trust-point
Thanks,
Please post the output of
sh ssl
ASKER
Hi SIM50,
Thanks for your reply.
Please find below the output of sh ssl and ASA running configuration.
ciscoasa# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
ciscoasa# sh run
Serial Number: JMX142441UV
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.1(7)6
!
hostname ciscoasa
enable password EED9grHyw2/OSHzr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa917-6-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ebdf0b5c51b33783ff1b7764f620e992
: end
ciscoasa#
Regards,
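For readers who want to see why every browser refuses this handshake: the sh ssl output above shows the ASA with only des-sha1 enabled, a single-DES cipher suite that current browsers no longer offer, so client and server have no cipher in common and the TLS handshake fails before any ASDM page is served. The script below is an added example for this thread, not Cisco code and not anything the poster ran. It parses the posted sh ssl output, rejoins the pager's 80-column line wrap, flags the weak settings (SSLv2/SSLv3 accepted, des-sha1, no trust-point) and computes the cipher intersection with a constructed, representative 2016-era browser cipher list. The ASA-keyword-to-IANA mapping, the browser list and the "after" state with the 3DES/AES ciphers enabled are assumptions, not output from the thread.

```python
"""Interpret Cisco ASA 9.1 `show ssl` output and predict the ASDM handshake.

Added example for this thread; not Cisco code. Assumptions: the ASA-name ->
IANA mapping below and a constructed, representative 2016-era browser
ClientHello (TLS 1.0-1.2, no DES, no RC4, no NULL).
"""
import re

# ASA 9.1 `ssl encryption` keywords -> IANA cipher suite names (assumed mapping).
ASA_TO_IANA = {
    "des-sha1": "TLS_RSA_WITH_DES_CBC_SHA",
    "3des-sha1": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "rc4-md5": "TLS_RSA_WITH_RC4_128_MD5",
    "rc4-sha1": "TLS_RSA_WITH_RC4_128_SHA",
    "aes128-sha1": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "aes256-sha1": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "dhe-aes128-sha1": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "dhe-aes256-sha1": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "null-sha1": "TLS_RSA_WITH_NULL_SHA",
}
WEAK = {"des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}

# Constructed client profile: what a then-current browser offers, in its order.
BROWSER_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
BROWSER_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The output posted in the thread, including the pager's wrap of "dhe-aes128-sha1".
SHOW_SSL_BEFORE = """\
ciscoasa# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 dhe-aes128-
sha1 dhe-aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""

# Constructed (assumed) state after the 3DES/AES license, with the AES/3DES
# suites enabled, des-sha1 disabled and the server limited to TLSv1.
SHOW_SSL_AFTER = """\
Accept connections using TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: aes256-sha1 aes128-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""


def _unwrap(text):
    """Drop prompt lines and re-join lines the pager wrapped mid-token.

    ASA output lines start with a capital letter; a line that starts lowercase
    is the tail of the previous one, cut at 80 columns with no separator.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.match(r"^\S+#", line):  # blank or "ciscoasa# ..." prompt
            continue
        if lines and line[0].islower():
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse_show_ssl(text):
    info = {"server_versions": [], "enabled": [], "disabled": [], "no_trustpoint": False}
    for line in _unwrap(text):
        m = re.match(r"Accept connections using (.+?) and negotiate to", line)
        if m:
            info["server_versions"] = re.split(r",\s*|\s+or\s+", m.group(1))
        elif line.startswith("Enabled cipher order:"):
            info["enabled"] = line.split(":", 1)[1].split()
        elif line.startswith("Disabled ciphers:"):
            info["disabled"] = line.split(":", 1)[1].split()
        elif line.startswith("No SSL trust-points"):
            info["no_trustpoint"] = True
    return info


def assess(text, client_versions=BROWSER_VERSIONS, client_ciphers=BROWSER_CIPHERS):
    """Return hardening findings plus whether the given client could handshake."""
    info = parse_show_ssl(text)
    findings = [f"server still accepts {v}" for v in info["server_versions"] if v.startswith("SSL")]
    findings += [f"weak cipher enabled: {c}" for c in info["enabled"] if c in WEAK]
    if info["no_trustpoint"]:
        findings.append("no trust-point: ASDM is served with a self-signed certificate")
    server_suites = [ASA_TO_IANA[c] for c in info["enabled"] if c in ASA_TO_IANA]
    common_versions = set(info["server_versions"]) & set(client_versions)
    common = [s for s in server_suites if s in client_ciphers]  # server preference order
    return {
        "findings": findings,
        "common_versions": sorted(common_versions),
        "common_ciphers": common,
        "handshake_ok": bool(common_versions) and bool(common),
        "candidate": common[0] if common else None,
    }


if __name__ == "__main__":
    for label, text in (("before", SHOW_SSL_BEFORE), ("after", SHOW_SSL_AFTER)):
        r = assess(text)
        print(f"[{label}] handshake_ok={r['handshake_ok']} candidate={r['candidate']}")
        for f in r["findings"]:
            print("  -", f)
```

On the posted output the script reports a common protocol version (TLSv1) but an empty cipher intersection, which is exactly the "unsupported protocol" symptom the browsers show; on the assumed post-license state it finds three usable suites. Note also that this ASA only advertises TLSv1 in its accept line, so the browser's hint about enabling TLS 1.1 and 1.2 is generic wording; the blocker here is the cipher set, not the protocol version.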
ASKER CERTIFIED SOLUTION
ASKER
HI SIM50,
Thanks for your quick reply.
The above 3des and aes commands needed an activation key to execute the algorithm. I don't understand why it's asking for an activation key, as I have got a Security Plus license for this ASA 5505 hardware.
The last command, ''no ssl encryption des-sha1'', ran OK, but I still can't access the firewall from ASDM.
Regards,
You can get the license key for free from Cisco. Below are the steps.
Enter your CCO userid and password.
Click the “Continue to Product License Activation” link.
Click Get Other Licenses > IPS, Crypto, Other…
Select Security Products > Cisco ASA 3DES/AES License, click Next.
An email will be sent to you with the ASA activation key and instructions on how to apply the key.
After you install the license, rerun those commands for 3des and aes.
ASKER
Hi SIM50,
Thanks a lot for helping me, your solution worked.
Regards,
no ssl cipher tlsv1