SSL Handshake Failure – Cisco ASA 5505 User Manual


48-39

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 48 Configuring the Cisco Phone Proxy

Troubleshooting the Phone Proxy

SSL Handshake Failure

Problem

The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:

%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.158/30519
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 62D06172000000143FCC, subject name: cn=CP-7962G-SEP002155554502,ou=EVVBU,o=Cisco Systems Inc.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.

Solution

Verify that all required certificates are imported into the ASA so that the TLS handshake will succeed. The syslogs above show the phone presenting its certificate (cn=CP-7962G-SEP002155554502) and the ASA finding no trustpoint that can validate the certificate chain, so the ASA correctly rejects the TLS client. The fix is to import the missing CA certificate(s) on the ASA, not to relax certificate validation.

Step 1

Determine which certificates are installed on the ASA by entering the following command:

hostname# show running-config crypto

Additionally, determine which certificates are installed on the IP phones. See Debugging Information from IP Phones, page 48-31, for information about checking whether the IP phone has a MIC (Manufacturer Installed Certificate) installed.

Step 2

Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 48-2, Certificates Required by the Security Appliance for the Phone Proxy, for information.

Step 3

Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM, page 48-15.

Problem

The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:

%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session.

%ASA-7-725010: Device supports the following 1 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-SHA

%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).

%ASA-7-725011: Cipher[1] : AES256-SHA

%ASA-7-725011: Cipher[2] : AES128-SHA

%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097
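The two Problems on this page have distinct syslog signatures: the first fails after the phone presents a certificate that no ASA trustpoint can validate (%ASA-3-717009 / %ASA-3-717027), the second fails at the ClientHello because the cipher lists in the 725010/725008/725011 messages do not overlap. As an added example that is not part of the Cisco guide, the following Python script parses ASA syslog text, extracts the peer, the unvalidated certificate subject and both cipher lists, and reports which of the two causes applies. The embedded sample logs are the two excerpts from this page with the extraction line breaks rejoined; the message IDs and field layouts are taken from those excerpts, and nothing else is assumed about the ASA log format.

```python
"""Triage ASA phone-proxy TLS handshake failures from syslog text (added example).

Recognises the two signatures on this page: a missing trustpoint
(%ASA-3-717009 / %ASA-3-717027) and no shared cipher (%ASA-7-725014).
"""
import re
from dataclasses import dataclass, field

# Message IDs exactly as they appear in the syslog excerpts on this page.
MSG_SSL_LIB_ERROR = "%ASA-7-725014"
MSG_HANDSHAKE_FAILED = "%ASA-6-725006"
MSG_NO_TRUSTPOINT = "%ASA-3-717009"
MSG_CHAIN_FAILED = "%ASA-3-717027"
MSG_DEVICE_CIPHERS = "%ASA-7-725010"
MSG_CLIENT_CIPHERS = "%ASA-7-725008"
MSG_CIPHER_ENTRY = "%ASA-7-725011"

_LINE_RE = re.compile(r"(%ASA-\d-\d+):\s*(.*)")  # tolerates any timestamp/host prefix
_CIPHER_RE = re.compile(r"Cipher\[\d+\]\s*:\s*(\S+)")

@dataclass
class Triage:
    failed_peers: list = field(default_factory=list)
    unvalidated_subjects: list = field(default_factory=list)
    chain_failed: bool = False
    device_ciphers: list = field(default_factory=list)
    client_ciphers: list = field(default_factory=list)
    no_shared_cipher: bool = False

    def shared_ciphers(self) -> set:
        """Ciphers offered by the ASA and proposed by the client; empty means no handshake."""
        return set(self.device_ciphers) & set(self.client_ciphers)

    def diagnosis(self) -> str:
        if self.unvalidated_subjects or self.chain_failed:
            who = ", ".join(self.unvalidated_subjects) or "(subject not logged)"
            return (f"missing-trustpoint: no trustpoint on the ASA validates {who}; "
                    "import the missing CA certificate(s) (Table 48-2) and re-test")
        if self.no_shared_cipher or (self.device_ciphers and self.client_ciphers
                                     and not self.shared_ciphers()):
            asa = ", ".join(self.device_ciphers) or "?"
            cli = ", ".join(self.client_ciphers) or "?"
            return (f"cipher-mismatch: ASA offers [{asa}], client proposes [{cli}], "
                    "shared none; enable one of the client's ciphers with 'ssl encryption'")
        return "unknown: no phone-proxy TLS failure signature found"

def triage(log_text: str) -> Triage:
    """Walk the lines in order; Cipher[n] lines belong to the preceding 725010/725008 message."""
    result = Triage()
    cipher_target = None
    for raw in log_text.splitlines():
        m = _LINE_RE.search(raw)
        if not m:
            continue
        msg_id, body = m.group(1), m.group(2).strip()
        if msg_id == MSG_HANDSHAKE_FAILED:
            peer = re.search(r"client:(\S+)", body)
            if peer:
                result.failed_peers.append(peer.group(1))
        elif msg_id == MSG_NO_TRUSTPOINT:
            subj = re.search(r"subject name:\s*(.+)$", body)
            if subj:
                result.unvalidated_subjects.append(subj.group(1).strip())
        elif msg_id == MSG_CHAIN_FAILED:
            result.chain_failed = True
        elif msg_id == MSG_DEVICE_CIPHERS:
            cipher_target = result.device_ciphers
        elif msg_id == MSG_CLIENT_CIPHERS:
            cipher_target = result.client_ciphers
        elif msg_id == MSG_CIPHER_ENTRY and cipher_target is not None:
            c = _CIPHER_RE.search(body)
            if c:
                cipher_target.append(c.group(1))
        elif msg_id == MSG_SSL_LIB_ERROR and "no shared cipher" in body:
            result.no_shared_cipher = True
    return result

# Sample input: the two syslog excerpts reproduced from this page (broken lines rejoined).
CERT_LOG = """\
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.158/30519
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 62D06172000000143FCC, subject name: cn=CP-7962G-SEP002155554502,ou=EVVBU,o=Cisco Systems Inc.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
"""
CIPHER_LOG = """\
%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097
"""

if __name__ == "__main__":
    for name, log in (("cert", CERT_LOG), ("cipher", CIPHER_LOG)):
        print(f"{name}: {triage(log).diagnosis()}")
```

The cipher attribution relies on message order: each 725011 line is assigned to whichever of 725010 (ASA side) or 725008 (client side) preceded it, which is how the ASA emits them. Feed the script the output of `show logging` or a syslog export; a missing-trustpoint verdict points at the certificate Steps above, a cipher-mismatch verdict at the `ssl encryption` procedure that follows.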

Solution

The SSL encryption method might not be set correctly. In the syslogs above the ASA offers only RC4-SHA while the phone proposes only AES256-SHA and AES128-SHA, so the two sides share no cipher and the handshake fails at the ClientHello. Set the correct ciphers by completing the following procedure:

Step 1

To see the ciphers being used by the phone proxy, enter the following command:

hostname# show run all ssl

Step 2

To add the required ciphers, enter the following command:

hostname(config)# ssl encryption

The default is to have all algorithms available in the following order:
