Skip to main content

 

 

Cisco Defense Orchestrator

ASA Fails to Reconnect to CDO After Reboot

If Cisco Defense Orchestrator (CDO) and your ASA do not connect after an ASA reboot, it may be because the ASA has fallen back to using an OpenSSL cipher suite that is not supported by CDO's Secure Device Connector (SDC). This troubleshooting topic tests for that case and provides remediation steps.

Symptoms

  • ASA reboots and CDO and the ASA fail to reconnect. CDO displays the message, "Failed to reconnect."
  • When attempting to onboard an ASA, CDO displays the message: "Certificate could not be retrieved for <ASA_IP_Address>"

Determine the OpenSSL Cipher Suite Used by your ASA

Use this procedure to identify the OpenSSL cipher suite being used by your ASA. If the cipher suite named in the command output is not in the list of supported cipher suites, the SDC doesn't support that cipher suite and you will need to update the cipher suites on your ASA.

  1. Open a console window on a computer that can reach the SDC.
  2. Connect to your SDC using SSH. You can log in as a regular user such as CDO or SDC or some other user you created. You don't need to be logged in as root.

Tip: To find your SDC IP address:

  1. Open CDO.
  2. From the user menu, select Secure Device Connectors.
  3. Click the SDC displayed in the table. The IP address of the SDC is displayed in the details pane for the device. 
  1. At the command prompt enter: openssl s_client -showcerts -connect ASA_IP_Address:443  
  2. Look for these lines in the command output.

New, TLSV1/SSLv3, Cipher is DES-CB3-SHA
or
SSL-Session:
    Protocol: TLSv1.2
    Cipher: DES-CB3-SHA

In this example, the cipher suite being used by the ASA is DES-CB3-SHA.

Cipher Suites Supported by CDO's Secure Device Connector

CDO's Secure Device Connector uses node.js which only accepts the latest and most secure ciphers. As a result, CDO's SDC only supports this list of ciphers:

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA256

If the cipher suite you use on your ASA is not in this list, SDC does not support it and you will need to update the cipher suite on your ASA.

Updating your ASA's Cipher Suite

To update the TLS cipher suites on an ASA:

  1. Connect to the ASA using SSH. 
  2. Once connected to the ASA, elevate your privileges to global configuration mode. Your prompt should look like this: asaname(config)#
  3. At the prompt, enter a command similar to this: 
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA256"

Note: The cipher suites this command configures your ASA to support are contained between quotes and after the word custom. In this command, the cipher suites specified begin with ECDHE-RSA-AES128-GCM-SHA256 and end with DHE-RSA-AES256-SHA256. When you enter the command on your ASA, remove any cipher suites you know your ASA will not support.

  1. After you submit the command, enter write memory at the prompt to save the local configuration. For example:

asaname(config)#write memory

  • Was this article helpful?