windows 7 無法打開ASDM和 ASA SSL ***首頁
用火狐瀏覽器報錯如上圖所示:
背景介紹
在ASA上配個SSL *** 或者起個ASDM管理界面,費了半天勁,IE和Firefox瀏覽器裏出來的是無法訪問,一遍遍查配置,沒問題啊,再試試,還是無法訪問,怎麼辦,往下看。
拓撲
排錯
碰到這種情況,排錯思路如下,開logging,看看IE和ASA哥倆都聊什麼了。
ciscoasa(config)#loggingbuffered debugging開啓debug級別的log記錄
ciscoasa(config)#loggingbuffer-size 1048576把log的buffer調大,要不寄存器會被沖刷
ciscoasa(config)#loggingon
這個時候我們重新用win7的IE訪問ASA首頁,然後在ASA敲show logging
%ASA-7-609002: Teardown local-host outside:10.1.1.1 duration0:01:05
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:01:05
%ASA-6-725007: SSL session with client outside:10.1.1.1/1084 terminated.
%ASA-7-609001: Built local-host outside:10.1.1.2
%ASA-7-609001: Built local-host identity:10.1.1.10
%ASA-6-302013: Built inbound TCP connection 14 for outside:10.1.1.2/49177(10.1.1.2/49177) to identity:10.1.1.10/443 (10.1.1.10/443)
%ASA-6-725001: Starting SSL handshake with client outside:10.1.1.2/49177 forTLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:10.1.1.2/49177 proposes the following 8cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLOReason: no shared cipher
%ASA-6-302014: Teardown TCP connection 14 for outside:10.1.1.2/49177 toidentity:10.1.1.10/443 duration 0:00:00 bytes 7 TCP Reset by appliance
%ASA-7-609002: Teardown local-host outside:10.1.1.2 duration 0:00:00
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:00:00
看到用紅色字體標出來的那行了嗎,是雙方的ssl加密方法不匹配,既然IE看不懂ASA的加密方式,那咱們就讓ASA多幾種加密方式,先看看ASA會說什麼。
cisco(config)#showssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
看到了吧,ASA只會說des-sha1這種鳥文,不多說,讓ASA學外語
ciscoasa(config)# ssl encryption3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
如果當你敲完上面的命令^這個東西出來了,看看ASA的license吧
cisco(config)#show version
Licensed features for this platform:
Maximum Physical Interfaces :Unlimited perpetual
Maximum VLANs : 100 perpetual
InsideHosts : Unlimited perpetual
Failover : Active/Active perpetual
***-DES : Enabled perpetual
***-3DES-AES : Disabled perpetual
SecurityContexts :5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnectEssentials : Disabled perpetual
Other ***Peers : 5000 perpetual
Total ***Peers :0 perpetual
SharedLicense : Enabled perpetual
AnyConnect forMobile : Enabled perpetual
AnyConnect for Cisco *** Phone :Enabled perpetual
Advanced Endpoint Assessment :Enabled perpetual
UC Phone ProxySessions :10 perpetual
Total UC ProxySessions :10 perpetual
Botnet TrafficFilter : Enabled perpetual
Intercompany Media Engine :Enabled perpetual
沒有3des的license,咋辦?點下面的連接申請個3des的license,免費的
https://cisco.com/go/license
把序列號填進去,一會cisco就給你郵箱發郵件了,把郵件裏的key在ASA上激活
ciscoasa(config)# activation-key**** **** **** ****
激活之後,再讓ASA支持3des-sha1命令如下:
ciscoasa(config)#ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
好了,現在就可以了,彈出瞭如下頁面:
總結
以上的總結問題的關鍵就是思路,瀏覽器打不開了,你也不知道爲什麼,怎麼辦,ASA上開log或者debug,你得搞明白IE和ASA聊了些啥話。