Today I was setting up an ASA5520 for a customer. The basic functions were all done when, at the last minute, the customer asked for a ××× so they could manage the devices on their internal network remotely. Ha, piece of cake. It was getting late, so to save effort I recommended AnyConnect: a few commands and done. In the end no effort was saved; the trouble had only started...

I typed in the handful of commands everyone on the planet knows, connected my laptop to the outside network, opened IE and entered the address, and... no response. Ugh! Quickly checked the config: correct. Port 443: reachable. Version: 8.2, correct. Damn!

Nothing for it; I calmed down and started debugging...

To keep it simple, capture only the ssl*** debug to the local buffer:

logging list buffer_debug level debugging class ssl    //define the logging list

logging buffered buffer_debug   //enable buffered logging

logging buffer-size 40960       //enlarge the buffer a bit

logging enable                  //enable logging globally

debug ssl 255                   //enable SSL debugging at the highest level

Connect once more, then go back to the device and pull up the log:

show logging

Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: list buffer_debug, 125 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 776 messages logged
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51218 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51218 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51219 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51219 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

Look at the highlighted lines, "Device supports the following 1 cipher(s)" and "no shared cipher", and you'll see it. I nearly fainted. Which distributor supplied this unit? What a rip-off!

The device by default offered only a single cipher/hash combination, and the least trustworthy one at that, DES/SHA. My Win7/IE8 proposed eight suites and not one of them matched; it would have been a miracle if it had connected!

Confirm once more:

show ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
    Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
    Enabled cipher order: des-sha1
    Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
    No SSL trust-points configured
Certificate authentication is not enabled


Now that the problem was found, the fix was easy: just give the device a few more cipher suites.

ssl encryption aes128-sha1 aes256-sha1 3des-sha1 rc4-sha1

Confirm:

 sh ssl
     Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
     Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
     Enabled cipher order: aes128-sha1 aes256-sha1 3des-sha1 rc4-sha1
     Disabled ciphers: des-sha1 rc4-md5 null-sha1
     No SSL trust-points configured
     Certificate authentication is not enabled

Connect once more and, heh, it's through. Done, pack up and go home!
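As an added example (not part of the original post and not a Cisco tool), here is a small Python parser for the ASA `debug ssl` lines above: it extracts what the device offered and what the client proposed per handshake, computes the overlap that the "no shared cipher" error is about, and predicts which suites a given `ssl encryption` line would share with the same client hello. The embedded sample log is constructed with a documentation-range client address, and the table mapping ASA keywords to the OpenSSL suite names printed by the debug is assumed from the names seen in the output.

```python
import re

# Constructed excerpt modelled on the "debug ssl 255" buffer shown above;
# the client address is a documentation-range placeholder, not the real one.
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client Internet:192.0.2.10/51218 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:192.0.2.10/51218 proposes the following 3 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

# "ssl encryption" keywords on the ASA -> OpenSSL suite names printed by the debug
# (assumed mapping, derived from the names that appear in the output above).
ASA_TO_OPENSSL = {
    "des-sha1": "DES-CBC-SHA", "3des-sha1": "DES-CBC3-SHA",
    "rc4-md5": "RC4-MD5", "rc4-sha1": "RC4-SHA",
    "aes128-sha1": "AES128-SHA", "aes256-sha1": "AES256-SHA",
    "null-sha1": "NULL-SHA",
}

CIPHER_RE = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")

def parse_handshakes(log):
    """Split the buffer into handshakes: {"server": [...], "client": [...], "failed": bool}."""
    handshakes, current = [], None
    for line in log.splitlines():
        if "725001" in line:            # a new handshake starts here
            current = {"server": [], "client": [], "failed": False, "side": None}
            handshakes.append(current)
        elif current is None:
            continue
        elif "725010" in line:          # "Device supports ..." -> next 725011 lines are the ASA's
            current["side"] = "server"
        elif "725008" in line:          # "SSL client ... proposes ..." -> client's list follows
            current["side"] = "client"
        elif "no shared cipher" in line:
            current["failed"] = True
        else:
            m = CIPHER_RE.search(line)
            if m and current["side"]:
                current[current["side"]].append(m.group(1))
    return handshakes

def shared_ciphers(server, client):
    """Suites both sides offer, kept in the ASA's enabled order; empty means the handshake fails."""
    return [c for c in server if c in client]

def predict_after_fix(asa_keywords, client):
    """What 'ssl encryption <keywords>' would share with the same client hello."""
    return shared_ciphers([ASA_TO_OPENSSL[k] for k in asa_keywords], client)
```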