topic Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0 in Network Security

CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

NDP — Tue, 19 May 2020 13:45:46 GMT

recently setup anyconnect on CSR1000v and it worked with local credentials .

All of sudden, Anyconnect VPN is no longer working.

CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

CRYPTO_OPSSL: Set cipher specs to mask 0x00002080 for version 16

CRYPTO_OPSSL: Common Criteria is disabled on this session.Disabling Common Criteria mode functionality in CiscoSSL on SSL CTX 0x7F6C7DDB9850

Those kind of logs I noticed when I did debug for ssl . I do see logs that user credentials are validated and success. but, session got closed automatically.

show version:-

Cisco IOS XE Software, Version 16.12.01a
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.1a, RELEASE SOFTWARE (fc2)

Could someone how can this be fixed . Thank you

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

Marvin Rhoads — Tue, 19 May 2020 17:00:36 GMT

What version of AnyConnect are your clients using?

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

NDP — Tue, 19 May 2020 17:31:37 GMT

Hi Marvin,Thank you

Anyconnect version is 4.7.04056

I had configured everything as stated in the link :- https://community.cisco.com/t5/security-documents/configure-sslvpn-on-cisco-cloud-services-router-1000v-csr1000v/ta-p/3156679

It worked good with local credentials. It all started after I executed following changes:-

Working good with the following :-

aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network anyconnectvpn local

crypto ssl profile anyconnect-profile
match policy anyconnect-policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list anyconnectvpn anyconnect-auth-policy
authentication remote user-pass

changes performed:-

ldap attribute-map ldap-username-map
map type sAMAccountName username

ldap server <Server1>
ipv4 <internalIP>
attribute map ldap-username-map
bind authenticate root-dn CN=Username,OU=XXX,DC=XXX,DC=XXX password
base-dn dc=XXX,dc=XXX

search-type nested

aaa group server ldap <servergroup>
server server1

aaa authentication login sslvpn group <servergroup> local --> added group servergroup to authenticate using LDAP

as soon as We did this, authnetication success logs in debug messages. But, above reported logs and No valid certification authentication error at times on ANyconnect client.

Regards,

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

Marvin Rhoads — Wed, 20 May 2020 03:33:23 GMT

I don't see why those command would have had that effect. Unless somebody else can offer more insight, you might be best advised to open a TAC case.

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

NDP — Wed, 20 May 2020 03:57:46 GMT

Sure , I will see if they can support Lab router as it's testing purpose before we go with BYOL.

I did factory-reset and reconfigured it. AnyconnectwAnyconnect with local credentials and same error recurred after we modified authentication method list to use LDAP group first .

Regards,

Durga Prasad