Cisco Systems ASA5515K9, ASA 5500 Monitoring the TLS Proxy

49-15

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter49 Configuring the TLS Proxy for Encrypted Voice Inspection

Monitoring the TLS Proxy

Monitoring the TLS Proxy

You can enable TLS proxy debug flags along with SSL syslogs to debug TLS proxy connection

problems. For example, using the following commands to enable TLS proxy-related debug and syslog

output only:

hostname(config)# debug inspect tls-proxy events

hostname(config)# debug inspect tls-proxy errors

hostname(config)# logging enable

hostname(config)# logging timestamp

hostname(config)# logging list loglist message 711001

hostname(config)# logging list loglist message 725001-725014

hostname(config)# logging list loglist message 717001-717038

hostname(config)# logging buffer-size 1000000

hostname(config)# logging buffered loglist

hostname(config)# logging debug-trace

The following is sample output reflecting a successful TLS proxy session setup for a SIP phone:

hostname(config)# show log

Apr 17 2007 23:13:47: %ASA-6-725001: Starting SSL handshake with client

outside:133.9.0.218/49159 for TLSv1 session.

Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Set up proxy for Client

outside:133.9.0.218/49159 <-> Server inside:195.168.2.201/5061

Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Using trust point 'local_ccm' with the

Client, RT proxy cbae1538

Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Waiting for SSL handshake from Client

outside:133.9.0.218/49159.

Apr 17 2007 23:13:47: %ASA-7-725010: Device supports the following 4 cipher(s).

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[1] : RC4-SHA

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[2] : AES128-SHA

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[3] : AES256-SHA

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[4] : DES-CBC3-SHA

Apr 17 2007 23:13:47: %ASA-7-725008: SSL client outside:133.9.0.218/49159 proposes the

following 2 cipher(s).

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[1] : AES256-SHA

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[2] : AES128-SHA

Apr 17 2007 23:13:47: %ASA-7-725012: Device chooses cipher : AES128-SHA for the SSL

session with client outside:133.9.0.218/49159

Apr 17 2007 23:13:47: %ASA-7-725014: SSL lib error. Function: SSL23_READ Reason: ssl

handshake failure

Apr 17 2007 23:13:47: %ASA-7-717025: Validating certificate chain containing 1

certificate(s).

Apr 17 2007 23:13:47: %ASA-7-717029: Identified client certificate within certificate

chain. serial number: 01, subject name: cn=SEP0017593F50A8.

Apr 17 2007 23:13:47: %ASA-7-717030: Found a suitable trustpoint

_internal_ejw-sv-2_cn=CAPF-08a91c01 to validate certificate.

Apr 17 2007 23:13:47: %ASA-6-717022: Certificate was successfully validated. serial

number: 01, subject name: cn=SEP0017593F50A8.

Apr 17 2007 23:13:47: %ASA-6-717028: Certificate chain was successfully validated with

warning, revocation status was not checked.

Apr 17 2007 23:13:47: %ASA-6-725002: Device completed SSL handshake with client

outside:133.9.0.218/49159

Apr 17 2007 23:13:47: %ASA-6-725001: Starting SSL handshake with server

inside:195.168.2.201/5061 for TLSv1 session.

Apr 17 2007 23:13:47: %ASA-7-725009: Device proposes the following 2 cipher(s) to server

inside:195.168.2.201/5061

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[1] : AES128-SHA

Apr 17 2007 23:13:47: %ASA-7-725011: Cipher[2] : AES256-SHA

Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Generating LDC for client

'cn=SEP0017593F50A8', key-pair 'phone_common', issuer 'LOCAL-CA-SERVER', RT proxy cbae1538

Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Started SSL handshake with Server