Cisco ASA Default SSL Broken

Just a note that out of the box, recent Cisco ASA hardware with new ASA software releases ships with broken SSL. This prevents the ASDM GUI (Advanced Security Device Manager) from functioning. To correct the problem, you must force the ASA to use the default SSL encryption methods. The problem is created when you have the following line in your ASA running configuration: ssl encryption des-sha1. This command disables the other more secure SSL ciphers that are now required for ASDM communication allowing only the weak des cipher (now considered insecure which breaks ASDM). Use commands like the following to fix the problem.

show ssl
show run ssl
no ssl encryption des-sha1
show ssl
show run ssl

As of ASA software version 9.1.x, the default SSL cipher list should be as follows (as output from “show ssl“). By default, I mean the cipher list corresponding to *no* “ssl encryption” commands visible in your ASA 9.1.x running config. If your list looks like this, ASDM will be allowed to communicate with your ASA. Standard ASDM configuration must still be applied, see official Cisco documentation for details.

Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
 Disabled ciphers: des-sha1 rc4-md5 null-sha1

Good luck with your Cisco ASDM solutions!

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in Networking and tagged , , , . Bookmark the permalink.

4 Responses to Cisco ASA Default SSL Broken

  1. Saji Thomas says:

    Thanks Tom.
    I had the same issue and had a doubt on SSL but your site confirmed it and ASDM works now.
    This video also explains it good:
    For someone who needs help, here is what I did (in my case asdm.bin file was already copied to the flash and crypto key was already generated):

    http server enable (enables http server)
    http inside (allows http from enter network)
    no ssl encryption des-sha1 (disables des-sha1 which is the main problem)
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 (enable other stronger encryption)


  2. Saji Thomas says:

    Oops the IP is not

  3. notesbytom says:

    Thanks for the comment Saji. I’m glad that this helped. It has happened to me multiple times with new ASA installs or starting over with a blank configuration.

  4. Saji Thomas says:

    “Thank you” Tom.
    By the way, I could not stop myself from posting this link also as it has the same issue addressed and helped me. May help someone else sometime too.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s