Monday, June 28, 2021

Cisco ASA ASDM login issue on one interface

I've got a home lab set up with a pair of ASA 5510s in the middle splitting the lab up into WAN, LAN, and DMZ zones. I have each zone wide open for management via both SSH and ASDM/HTTPS. I can log in using both methods from the WAN and LAN zones, but only SSH is working from the DMZ.

When I try connecting with ASDM from the DMZ zone, I immediately get the message "Unable to launch device manager from 10.10.2.253:8443".

Here's what I see in the log:

%ASA-6-302013: Built inbound TCP connection 4339 for DMZ:10.10.2.21/56135 (10.10.2.21/56135) to identity:10.10.2.253/8443 (10.10.2.253/8443)
%ASA-6-725001: Starting SSL handshake with client DMZ:10.10.2.21/56135 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : AES128-SHA
%ASA-7-725008: SSL client DMZ:10.10.2.21/56135 proposes the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[4] : AES128-SHA
%ASA-7-725011: Cipher[5] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES128-SHA
%ASA-7-725012: Device chooses cipher : DHE-RSA-AES256-SHA for the SSL session with client DMZ:10.10.2.21/56135
%ASA-7-725014: SSL lib error. Function: SSL3_GET_RECORD Reason: wrong version number
%ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443
%ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443
%ASA-6-302014: Teardown TCP connection 4339 for DMZ:10.10.2.21/56135 to identity:10.10.2.253/8443 duration 0:00:00 bytes 937 TCP Reset by appliance

It seems clear that the issue is some kind of SSL error, but I have the SSL settings set to "Any" so I'm not sure why this is still happening.

The device I'm trying to log in from is a Windows 10 laptop with a fresh install.

I can provide more info if needed. I'd love some help.
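
As an added example (not part of the original post), the following Python folds the ASA 725xxx TLS debug messages from the log above into one summary, showing that a shared cipher was selected before the `wrong version number` error was raised. The function and field names are hypothetical, and it assumes a single handshake with no per-line syslog prefix.

```python
import re

# Log excerpt from the post (302013/710005/302014 lines omitted), run together
# as in the original paste; the parser splits on the %ASA- tag, not newlines.
LOG = (
    "%ASA-6-725001: Starting SSL handshake with client DMZ:10.10.2.21/56135 for TLSv1 session. "
    "%ASA-7-725010: Device supports the following 4 cipher(s). "
    "%ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA "
    "%ASA-7-725011: Cipher[3] : AES256-SHA %ASA-7-725011: Cipher[4] : AES128-SHA "
    "%ASA-7-725008: SSL client DMZ:10.10.2.21/56135 proposes the following 6 cipher(s). "
    "%ASA-7-725011: Cipher[1] : AES256-SHA %ASA-7-725011: Cipher[2] : DHE-RSA-AES256-SHA "
    "%ASA-7-725011: Cipher[3] : DHE-DSS-AES256-SHA %ASA-7-725011: Cipher[4] : AES128-SHA "
    "%ASA-7-725011: Cipher[5] : DHE-RSA-AES128-SHA %ASA-7-725011: Cipher[6] : DHE-DSS-AES128-SHA "
    "%ASA-7-725012: Device chooses cipher : DHE-RSA-AES256-SHA for the SSL session with client DMZ:10.10.2.21/56135 "
    "%ASA-7-725014: SSL lib error. Function: SSL3_GET_RECORD Reason: wrong version number"
)

MSG = re.compile(r"%ASA-\d-(\d{6}): (.*?)\s*(?=%ASA-\d-\d{6}:|$)", re.S)

def summarize_handshake(log):
    """Fold the 725xxx messages of one handshake into a summary dict."""
    s = {"client": None, "version": None, "device": [], "offered": [],
         "chosen": None, "error": None}
    side = None  # which cipher list the following 725011 lines belong to
    for msg_id, text in MSG.findall(log):
        if msg_id == "725001":
            m = re.search(r"client (\S+) for (\S+) session", text)
            s["client"], s["version"] = m.group(1), m.group(2)
        elif msg_id == "725010":
            side = "device"
        elif msg_id == "725008":
            side = "offered"
        elif msg_id == "725011" and side:
            s[side].append(text.split(" : ", 1)[1].strip())
        elif msg_id == "725012":
            s["chosen"] = re.search(r"cipher : (\S+)", text).group(1)
        elif msg_id == "725014":
            m = re.search(r"Function: (\S+) Reason: (.+)", text)
            s["error"] = (m.group(1), m.group(2).strip())
    s["shared"] = [c for c in s["device"] if c in s["offered"]]
    # Cipher agreement reached but a library error followed: the failure is
    # after cipher selection, so the cipher lists are not the mismatch.
    s["failed_after_cipher_selection"] = bool(s["chosen"] and s["error"])
    return s

if __name__ == "__main__":
    for key, value in summarize_handshake(LOG).items():
        print(f"{key}: {value}")
```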


