TLS v1.1 vs AnyConnect client v3.x

lcaruso
Level 6

Hi,

I'm attempting to get an ASA to PCI compliance so TLS v1.0 cannot be used.

When I disable TLS v1.0 and enable TLS v1.1, AnyConnect v3.x clients cannot connect.

AnyConnect v4.x clients (which require a premium license) can connect.

Is there a solution without having to upgrade to an AnyConnect Premium license?

Thanks.


6 Replies

It's not a premium license that you need. For AnyConnect 4 you "only" need the AnyConnect Plus license which is not as expensive as the older premium licenses were. More details in the AC ordering guide.

Thanks for the link.

lcaruso
Level 6

Hi Larry,


TLS v1.1 is not supported by the AnyConnect client v3.x. You will have to roll back to TLS v1.0.

Regards,

Gurjot Singh

Cisco TAC

That is wrong. See the Wireshark capture of the Client Hello from AnyConnect 3.1.

TLSv1.1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.1 (0x0302)
Length: 99
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 95
Version: TLS 1.1 (0x0302)
Random: 5aad3dc8639ca8ea4944bc71e363602801a4106d5621fe67...
Session ID Length: 0
Cipher Suites Length: 14
Cipher Suites (7 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 40
Extension: status_request (len=5)
Extension: supported_groups (len=8)
Extension: ec_point_formats (len=2)
Extension: SessionTicket TLS (len=0)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
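The capture above settles the question by reading the version fields of the Client Hello. The following is an added example (not part of this thread, not Cisco or AnyConnect code) that parses a TLS record carrying a ClientHello and reports the record version, the ClientHello legacy version and the offered cipher suites, so a capture from any client can be checked the same way before TLS 1.0 is disabled on the ASA. The sample bytes are constructed here to mirror the structure shown (version 0x0302, the same seven cipher suites); the random and extension contents are placeholders, not taken from the capture.

```python
import struct

# Constructed sample ClientHello mirroring the capture's structure (version
# 0x0302, same seven cipher suites); the random and extensions are not real.
CIPHER_SUITES = [0xC00A, 0xC009, 0xC014, 0xC013, 0x0035, 0x002F, 0x000A]

def build_client_hello(version=0x0302):
    """Build a minimal TLS record + ClientHello with the given legacy version."""
    suites = b"".join(struct.pack(">H", s) for s in CIPHER_SUITES)
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"  # ver, random, sid
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"        # one compression method: null
            + b"\x00\x00")       # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return record version, ClientHello legacy version, offered cipher suites
    and whether a supported_versions extension (type 43) is present. Before
    TLS 1.3 the legacy version is the highest offered; with that extension it is not."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack(">HH", record[1:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    hello_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                              # skip the 32-byte random
    pos += 1 + body[pos]                      # session id (length-prefixed)
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # compression methods
    has_supported_versions = False
    if pos + 2 <= len(body):                  # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            has_supported_versions |= etype == 43
            pos += 4 + elen
    return {"record_version": record_version, "hello_version": hello_version,
            "cipher_suites": suites, "has_supported_versions": has_supported_versions}
```

On a real capture, feed the raw bytes of the first TLS record from the client (Wireshark: Copy as Hex Stream on the record) to parse_client_hello; a hello_version of 0x0302 means the client offers TLS 1.1.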

Hi Paolo,


What release version of 3.1 are you running for that trace? I get similar results to the others above, in that it stops working when the client is set to TLS 1.1, so I wondered if certain versions of 3.1 worked whilst others didn't.

I notice now that all AnyConnect 3.1 release notes and software downloads are gone from cisco.com.

What release version of 3.1 are you running for that trace? I get similar results to the others above, in that it stops working when the client is set to TLS 1.1, so I wondered if certain versions of 3.1 worked whilst others didn't.

No. AnyConnect, any version, does adapt to the Windows version it is running on. Newer OS versions prevent obsolete TLS versions from being negotiated.
