https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/3376065#M174819 <P>Hi Paolo,</P> <P>&nbsp;</P> <P>What release version of 3.1 are you running for that trace, as I get similar results to the others above, in that it stops working when client set to TLS1.1 so I wondered if a certain versions of 3.1 worked whilst others didn't.</P> <P>&nbsp;</P> <P>I notice now that all anyconnect 3.1 release notes, software downloads are now gone from cisco.com</P> Tue, 01 May 2018 15:55:44 GMT Merlin-Cisco 2018-05-01T15:55:44Z https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782985#M174814 <P>Hi,</P> <P></P> <P>I'm attempting to get an ASA to PCI compliance so TLS v1.0 cannot be used.</P> <P></P> <P>When I disable TLS v1.0 and enable TLS v1.1, AnyConnect v3.x clients cannot connect</P> <P></P> <P>AnyConnect v4.x clients (which require a preimum license) can connect.&nbsp;</P> <P></P> <P>Is there a solution without having to upgrade to an AnyConnect Premium license?</P> <P></P> <P>Thanks.</P> <P></P> Tue, 12 Mar 2019 06:54:15 GMT https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782985#M174814 lcaruso 2019-03-12T06:54:15Z https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782986#M174815 <P>It's not a premium license that you need. For AnyConnect 4 you "only" need the AnyConnect Plus license which is not&nbsp;as expensive as the older premium licenses were. <A href="http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf">More&nbsp;details in the AC ordering guide</A>.</P> Tue, 17 Nov 2015 18:17:34 GMT https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782986#M174815 Karsten Iwen 2015-11-17T18:17:34Z https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782987#M174816 <P>Hi Larry,</P> <P>&nbsp;</P> <P>TLS v1.1 is not supported by the Anyconnect client v3.x . For you will have role back to TLS v1.0.</P> <P>&nbsp;</P> <P><SPAN style="font-family: 'Times New Roman',serif;">&nbsp;</SPAN></P> <P><SPAN style="font-family: 'Times New Roman',serif;">Regards,</SPAN></P> <P><SPAN style="font-family: 'Times New Roman',serif;">Gurjot Singh</SPAN></P> <P><SPAN style="font-family: 'Times New Roman',serif;">Cisco TAC</SPAN></P> Wed, 18 Nov 2015 05:10:54 GMT https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782987#M174816 lcaruso 2015-11-18T05:10:54Z https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782988#M174817 <P>Thanks for the link.</P> Wed, 18 Nov 2015 05:11:21 GMT https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/2782988#M174817 lcaruso 2015-11-18T05:11:21Z https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/3350254#M174818 <P>That is wrong. See Wireshark capture of Client Hello from AnyConnect 3.1.</P> <P>&nbsp;</P> <P>TLSv1.1 Record Layer: Handshake Protocol: Client Hello<BR /> Content Type: Handshake (22)<BR /> <STRONG>Version: TLS 1.1 (0x0302)</STRONG><BR /> Length: 99<BR /> Handshake Protocol: Client Hello<BR /> Handshake Type: Client Hello (1)<BR /> Length: 95<BR /> Version: TLS 1.1 (0x0302)<BR /> Random: 5aad3dc8639ca8ea4944bc71e363602801a4106d5621fe67...<BR /> Session ID Length: 0<BR /> Cipher Suites Length: 14<BR /> Cipher Suites (7 suites)<BR /> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)<BR /> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)<BR /> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)<BR /> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)<BR /> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)<BR /> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)<BR /> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)<BR /> Compression Methods Length: 1<BR /> Compression Methods (1 method)<BR /> Extensions Length: 40<BR /> Extension: status_request (len=5)<BR /> Extension: supported_groups (len=8)<BR /> Extension: ec_point_formats (len=2)<BR /> Extension: SessionTicket TLS (len=0)<BR /> Extension: extended_master_secret (len=0)<BR /> Extension: renegotiation_info (len=1)</P> Sat, 17 Mar 2018 16:19:49 GMT https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/3350254#M174818 paolo bevilacqua 2018-03-17T16:19:49Z https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/3376065#M174819 <P>Hi Paolo,</P> <P>&nbsp;</P> <P>What release version of 3.1 are you running for that trace, as I get similar results to the others above, in that it stops working when client set to TLS1.1 so I wondered if a certain versions of 3.1 worked whilst others didn't.</P> <P>&nbsp;</P> <P>I notice now that all anyconnect 3.1 release notes, software downloads are now gone from cisco.com</P> Tue, 01 May 2018 15:55:44 GMT https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/3376065#M174819 Merlin-Cisco 2018-05-01T15:55:44Z https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/3376068#M174820 <P><EM>What release version of 3.1 are you running for that trace, as I get similar results to the others above, in that it stops working when client set to TLS1.1 so I wondered if a certain versions of 3.1 worked whilst others didn't.</EM></P> <P>&nbsp;</P> <P>No. AnyConnect, any version, do&nbsp;adapt to the Windows version running. Newest OS versions prevent obsolete TLS versions to be negotiated.</P> Tue, 01 May 2018 16:08:10 GMT https://community.cisco.com/t5/network-security/tls-v1-1-vs-anyconnect-client-v3-x/m-p/3376068#M174820 paolo bevilacqua 2018-05-01T16:08:10Z