Cisco ASA – Unable to launch Device Manager (ASDM) error

I’ve recently worked on hardening Cisco ASAs, where I was changing the SSL cipher suite from TLSv1.0 to TLSv1.2. After changing to the higher ciphers I noticed that the firewall lost the ASDM feature (assuming that ASDM was configured correctly and had been working prior). Moving the SSL ciphers back to the original state, “medium”, I noticed that ASDM functionality was back.

That being said, I knew that the issue resided with the higher encryption settings and that somehow ASDM didn’t support them. If you are having the same problem, please follow the intro and instructions below.

 

!First verify existing ssl configuration

ASAv/pri/act# sh run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium

When hardening the firewall to TLS 1.2, make sure `ssl server-version` is set to tlsv1.2. This applies to AnyConnect as well as ASDM, and to any other service where the firewall acts as the TLS server. The separate `ssl client-version` line only governs connections where the ASA itself is the TLS client (for example to a CA or LDAPS server); it has no bearing on ASDM, and the output above still leaves it at tlsv1, so harden it separately once you know the peers support TLS 1.2.

Now, once the server-version is configured, the next step is to look at the cipher suite for tlsv1.2. As I mentioned before, ASDM works when the ssl cipher is set to medium but not when it is set to high.

Let’s compare the two lists.

!Verify medium cipher suite list

ASAv/pri/act# sh ssl ciphers medium
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
AES128-GCM-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2)
AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)

!Verify high cipher suite list

ASAv/pri/act# sh ssl ciphers high
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)

Now we know the difference between the two lists (high drops every AES-128 suite and every SHA-1 suite), but that alone doesn’t tell us where the handshake actually fails. To see what happens on the wire we need debug-level logging for the SSL class, which records both sides’ cipher lists and the handshake error.

!change ssl cipher to high

ssl cipher tlsv1.2 high

!enable debug-level (7) buffer logging for the SSL class only, so the handshake detail
!shows up without raising the logging level for the whole firewall

logging class ssl buffer 7

logging on

clear logging buffer

!try to access the ASA via ASDM. Once you get the error, go back to the ASA CLI and check the log.
!Remove the logging class ssl override again when you are done; debug-level SSL logging is noisy.

show logging

Mar 27 2018 12:59:17: %ASA-6-302013: Built inbound TCP connection 11568 for management:10.255.4.197/55360 (10.255.4.197/55360) to identity:10.254.116.62/443 (10.254.116.62/443)
Mar 27 2018 12:59:17: %ASA-6-725001: Starting SSL handshake with client management:10.255.4.197/55360 to 10.254.116.62/443 for TLS session
Mar 27 2018 12:59:17: %ASA-7-725010: Device supports the following 8 cipher(s)
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[4] : AES256-GCM-SHA384
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[8] : AES256-SHA256
Mar 27 2018 12:59:17: %ASA-7-725008: SSL client management:10.255.4.197/55365 to 10.254.116.62/443 proposes the following 20 cipher(s)
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[3] : AES128-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES128-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[7] : ECDHE-RSA-AES128-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[8] : AES128-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[9] : DHE-RSA-AES128-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[10] : DHE-DSS-AES128-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[12] : ECDHE-RSA-AES128-GCM-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[13] : AES128-GCM-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[15] : DHE-DSS-AES128-GCM-SHA256
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-DES-CBC3-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[17] : ECDHE-RSA-DES-CBC3-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[18] : DES-CBC3-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[19] : EDH-RSA-DES-CBC3-SHA
Mar 27 2018 12:59:17: %ASA-7-725011: Cipher[20] : EDH-DSS-DES-CBC3-SHA
Mar 27 2018 12:59:17: %ASA-7-725014: SSL lib error. Function: ssl3_get_client_hello Reason: no shared cipher

As you can see, during the handshake the ASA (the TLS server) and the ASDM Java client on the PC each present the ciphers they are willing to use, and the ASA walks the two lists looking for a common entry. In this capture the ASA offers only the eight AES-256 suites of the high list, while the client proposes twenty suites that are all AES-128 or 3DES. The two lists have nothing in common, so the handshake is aborted with the “no shared cipher” error at the end of the log. That is the whole problem: ASDM itself isn’t broken, the Java runtime on the client is simply not offering any 256-bit suites.

Keep in mind that not all client PCs are equal: the proposal from your machine depends on its Java version and crypto policy and may differ from the one above. Run the logging steps against your own client to see exactly what it offers rather than copying this list.

At this point we can either create a custom cipher suite for tlsv1.2 on the ASA or change what the client PC proposes (not covered in this post).

The custom cipher suite below keeps all of the high ciphers and adds the AES-128 suites with SHA-256 or GCM that the client proposed, which lets the handshake succeed without reopening the SHA-1 CBC suites (AES256-SHA, AES128-SHA and their DHE variants) that medium allows. One entry, DHE-DSS-AES128-SHA256, was proposed by the client but never appears in the ASA’s own `show ssl ciphers medium` output, so it will not be negotiated and can be dropped. If you want forward secrecy throughout, leave out the plain AES256-SHA256, AES256-GCM-SHA384 and AES128-SHA256 entries, which use static RSA key exchange, and keep only the ECDHE/DHE suites.

!Following custom cipher suite will accommodate both the client and the ASA side

ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"

!Connect to the ASA via ASDM again. You should be able to access it now, and the log confirms that the session completed as TLSv1.2.

Mar 27 2018 1:59:17: %ASA-6-725001: Starting SSL handshake with client management:10.255.4.200/58069 to 10.254.116.62/443 for TLS session
Mar 27 2018 1:59:17: %ASA-6-725003: SSL client management:10.255.4.200/58069 to 10.254.116.62/443 request to resume previous session
Mar 27 2018 1:59:17: %ASA-6-725002: Device completed SSL handshake with client management:10.255.4.200/58069 to 10.254.116.62/443 for TLSv1.2 session
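To turn the log reading above into a repeatable check, here is an added Python example; it is not from the original post and not a Cisco tool. It parses the 725010 (ASA cipher list), 725008 (client cipher list), 725011 (one cipher entry) and 725014 (handshake error) messages from a `show logging` dump, reports what the two sides had in common, and proposes an `ssl cipher tlsv1.2 custom` line limited to suites the ASA actually supports and that pass a stated hardening policy. The sample log is a constructed, trimmed version of the failing handshake above; the ASA suite pool is copied from the `show ssl ciphers medium` output earlier on the page; the policy rules (AES only, no SHA-1 MACs, optional forward secrecy) are this example’s own assumptions, not ASA defaults.

```python
"""Explain an ASA 'no shared cipher' handshake from SSL-class syslog lines.

Added example for this post (not Cisco code). Parses the 725010/725008/725011/
725014 messages, shows the intersection of both cipher lists and proposes an
`ssl cipher tlsv1.2 custom` line under a stated, assumed hardening policy."""
import re
from typing import List, Tuple

# Constructed sample: a trimmed version of the failing handshake on the page.
SAMPLE_LOG = """\
%ASA-7-725010: Device supports the following 3 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[2] : DHE-RSA-AES256-SHA256
%ASA-7-725011: Cipher[3] : AES256-SHA256
%ASA-7-725008: SSL client management:10.255.4.197/55365 to 10.254.116.62/443 proposes the following 5 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-RSA-AES128-SHA256
%ASA-7-725011: Cipher[2] : DHE-DSS-AES128-SHA256
%ASA-7-725011: Cipher[3] : AES128-SHA
%ASA-7-725011: Cipher[4] : ECDHE-RSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[5] : DES-CBC3-SHA
%ASA-7-725014: SSL lib error. Function: ssl3_get_client_hello Reason: no shared cipher
"""

# TLS 1.2 suites this ASA lists under `show ssl ciphers medium` (from the post).
# A suite the client proposes that is not in here cannot be enabled on the ASA.
ASA_TLS12_SUITES = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA256", "AES256-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA256", "AES128-SHA256",
    "DHE-RSA-AES256-SHA", "AES256-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA",
}

MSG_RE = re.compile(r"%ASA-\d-(\d{6}):\s*(.*)")       # message id + text
CIPHER_RE = re.compile(r"Cipher\[\d+\]\s*:\s*(\S+)")   # one 725011 entry


def parse_handshake(log: str) -> Tuple[List[str], List[str], bool]:
    """Return (asa_ciphers, client_ciphers, saw_no_shared_cipher).

    725010 opens the ASA's list and 725008 the client's; every 725011 line
    that follows belongs to whichever list is currently open."""
    asa: List[str] = []
    client: List[str] = []
    current = None
    failed = False
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "725010":
            current = asa
        elif msg_id == "725008":
            current = client
        elif msg_id == "725011" and current is not None:
            current.extend(CIPHER_RE.findall(text))
        elif msg_id == "725014" and "no shared cipher" in text:
            failed = True
    return asa, client, failed


def shared_ciphers(asa: List[str], client: List[str]) -> List[str]:
    """Suites both sides offered, kept in the ASA's preference order."""
    offered = set(client)
    return [c for c in asa if c in offered]


def acceptable(cipher: str, require_pfs: bool = False) -> bool:
    """Policy for widening the list (this example's assumption, not a Cisco
    rule): AES only, no 3DES/RC4, GCM or a SHA-2 MAC (a name ending in plain
    '-SHA' is HMAC-SHA1), and optionally (EC)DHE for forward secrecy."""
    if "AES" not in cipher or "DES-CBC3" in cipher or "RC4" in cipher:
        return False
    if cipher.endswith("-SHA"):
        return False
    return not require_pfs or cipher.startswith(("ECDHE-", "DHE-"))


def propose_custom_list(asa: List[str], client: List[str],
                        require_pfs: bool = False) -> List[str]:
    """Keep what the ASA offers today (minus anything failing the policy) and
    append client-proposed suites the ASA supports and the policy allows."""
    keep = [c for c in asa if acceptable(c, require_pfs)]
    for c in client:
        if c in ASA_TLS12_SUITES and c not in keep and acceptable(c, require_pfs):
            keep.append(c)
    return keep


def custom_cipher_command(ciphers: List[str]) -> str:
    """Render the ASA configuration line for the proposed list."""
    return 'ssl cipher tlsv1.2 custom "%s"' % ":".join(ciphers)


if __name__ == "__main__":
    asa, client, failed = parse_handshake(SAMPLE_LOG)
    print("handshake failed:", failed)
    print("shared suites:", shared_ciphers(asa, client) or "none")
    print(custom_cipher_command(propose_custom_list(asa, client)))
```

Paste your own `show logging` output in place of the constructed sample (the timestamp prefix on real lines is ignored by the regex). Pass `require_pfs=True` to `propose_custom_list` if you also want to drop the static-RSA suites such as AES256-SHA256; the resulting list is then exactly the ECDHE/DHE subset the client can still negotiate.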

If you would rather keep the ASA on the high list and fix the client instead, so that the ASDM PC offers the AES-256 suites, the knob is in Java rather than in ASDM; the keyword is Java Cryptography Extension (JCE). Older JREs ship with a limited-strength crypto policy that caps AES at 128 bits unless the unlimited-strength JCE policy files are installed (recent Java 8 updates default to unlimited), which is exactly what the all-AES-128 proposal in the log above reflects.

I hope this has been informative. Feel free to drop a comment if you liked the material.

If you are still having issues, let me know where you are getting stuck.

Thanks.
