Enthusiast

TLS v1.1 vs AnyConnect client v3.x

Hi,

I'm attempting to get an ASA to PCI compliance so TLS v1.0 cannot be used.

When I disable TLS v1.0 and enable TLS v1.1, AnyConnect v3.x clients cannot connect.

AnyConnect v4.x clients (which require a premium license) can connect.

Is there a solution without having to upgrade to an AnyConnect Premium license?

Thanks.

1 ACCEPTED SOLUTION

VIP Mentor

It's not a premium license that you need. For AnyConnect 4 you "only" need the AnyConnect Plus license which is not as expensive as the older premium licenses were. More details in the AC ordering guide.

6 REPLIES
Enthusiast

Thanks for the link.

Enthusiast

Hi Larry,

TLS v1.1 is not supported by the AnyConnect client v3.x. For that you will have to roll back to TLS v1.0.

Regards,

Gurjot Singh

Cisco TAC

Hall of Fame Master

That is wrong. See Wireshark capture of Client Hello from AnyConnect 3.1.

TLSv1.1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.1 (0x0302)
    Length: 99
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 95
        Version: TLS 1.1 (0x0302)
        Random: 5aad3dc8639ca8ea4944bc71e363602801a4106d5621fe67...
        Session ID Length: 0
        Cipher Suites Length: 14
        Cipher Suites (7 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
        Extensions Length: 40
        Extension: status_request (len=5)
        Extension: supported_groups (len=8)
        Extension: ec_point_formats (len=2)
        Extension: SessionTicket TLS (len=0)
        Extension: extended_master_secret (len=0)
        Extension: renegotiation_info (len=1)
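The dissection above is the evidence that decides this thread: what matters for a server that has TLS 1.0 disabled is the version the client actually offers in its Client Hello, not the version printed on the record layer. The following Python script is an added example written for this page (it is not AnyConnect, ASA or Cisco code) that parses a raw Client Hello and reports whether a server restricted to a given minimum TLS version would still find a common version with it. The sample bytes are constructed to match the capture above (record and client version 0x0302, the same seven cipher suites, the same six extensions with the same lengths); the 32-byte Random is a placeholder, and the extension bodies (OCSP status_request, three NIST curves, uncompressed point format) are assumed, since the capture shows only their lengths. The version check also goes one step beyond the thread: it honours the supported_versions extension that TLS 1.3 clients use, where the legacy client_version field is no longer authoritative.

```python
"""Parse a TLS ClientHello and check it against a server's minimum TLS version.

Added example for this thread, not AnyConnect or ASA code.  CLIENT_HELLO is
constructed to match the Wireshark dissection of the AnyConnect 3.1 hello
(TLS 1.1 = 0x0302, the same seven cipher suites, the same six extensions).
The Random is a placeholder and the extension bodies are assumed.
"""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446: where TLS 1.3 clients list versions

# Constructed ClientHello: 5-byte record header + 4-byte handshake header + body.
CLIENT_HELLO = bytes.fromhex("".join([
    "16 0302 0063",                   # record: handshake(22), TLS 1.1, length 99
    "01 00005f",                      # handshake: ClientHello(1), length 95
    "0302",                           # client_version: TLS 1.1
    "00" * 32,                        # Random (placeholder, not the captured value)
    "00",                             # session_id length 0
    "000e",                           # cipher_suites length 14 (7 suites)
    "c00a c009 c014 c013 0035 002f 000a",
    "01 00",                          # compression_methods: 1 method, null
    "0028",                           # extensions length 40
    "0005 0005 0100000000",           # status_request (len=5): OCSP, empty lists
    "000a 0008 0006 0017 0018 0019",  # supported_groups (len=8): P-256/384/521
    "000b 0002 0100",                 # ec_point_formats (len=2): uncompressed
    "0023 0000",                      # SessionTicket TLS (len=0)
    "0017 0000",                      # extended_master_secret (len=0)
    "ff01 0001 00",                   # renegotiation_info (len=1): empty
]))


def _u16(buf, pos):
    """Big-endian uint16 at pos; ValueError instead of a silent short read."""
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def parse_client_hello(data):
    """Return the fields of the ClientHello carried in the first TLS record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = _u16(data, 1)
    record_len = _u16(data, 3)
    body = data[5:5 + record_len]
    if len(body) != record_len or not body or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    client_version = _u16(hs, pos); pos += 2
    random = hs[pos:pos + 32]; pos += 32
    sid_len = hs[pos]; pos += 1
    session_id = hs[pos:pos + sid_len]; pos += sid_len
    cs_len = _u16(hs, pos); pos += 2
    suites = [_u16(hs, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len
    comp_len = hs[pos]; pos += 1
    compression = list(hs[pos:pos + comp_len]); pos += comp_len
    extensions = {}
    if pos < len(hs):  # the extensions block is optional in the legacy format
        end = pos + 2 + _u16(hs, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(hs, pos), _u16(hs, pos + 2); pos += 4
            if pos + elen > end:
                raise ValueError("extension %#06x overruns extensions block" % etype)
            extensions[etype] = hs[pos:pos + elen]; pos += elen
        if pos != end or end > len(hs):
            raise ValueError("malformed extensions block")
    return {"record_version": record_version, "client_version": client_version,
            "random": random, "session_id": session_id, "cipher_suites": suites,
            "compression_methods": compression, "extensions": extensions}


def offered_versions(hello):
    """Versions the client will accept.  A TLS 1.3 client lists them in
    supported_versions; older clients offer everything up to client_version.
    The record-layer version is deliberately ignored: it is not authoritative."""
    sv = hello["extensions"].get(SUPPORTED_VERSIONS_EXT)
    if sv:
        return sorted({_u16(sv, 1 + i) for i in range(0, sv[0], 2)})
    return [v for v in sorted(TLS_VERSIONS) if v <= hello["client_version"]]


def server_would_pick(hello, server_min, server_max=0x0303):
    """Highest version a server limited to [server_min, server_max] shares with
    the client, or None when the handshake fails on version alone."""
    common = [v for v in offered_versions(hello) if server_min <= v <= server_max]
    return max(common) if common else None


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO)
    print("record-layer version:", TLS_VERSIONS[hello["record_version"]])
    print("client_version:      ", TLS_VERSIONS[hello["client_version"]])
    print("cipher suites:       ", ", ".join("%#06x" % s for s in hello["cipher_suites"]))
    print("extensions:          ", ", ".join("%#06x" % e for e in hello["extensions"]))
    for minimum in (0x0301, 0x0302, 0x0303):
        picked = server_would_pick(hello, minimum)
        print("server minimum %s -> %s" % (
            TLS_VERSIONS[minimum], TLS_VERSIONS[picked] if picked else "handshake fails"))
```

To run this against a real client, export the bytes of the first TLS record from Wireshark (the packet carrying the Client Hello) and pass them to parse_client_hello in place of the constructed sample. With the sample, a server minimum of TLS 1.0 or TLS 1.1 yields TLS 1.1, and a minimum of TLS 1.2 fails, which is the comparison a PCI-driven hardening change on the ASA needs to make for every client population before TLS 1.0 is switched off.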

Beginner

Re: That is wrong. See Wireshark capture of Client Hello from...

Hi Paolo,

What release version of 3.1 are you running for that trace? I get similar results to the others above, in that it stops working when the client is set to TLS 1.1, so I wondered if certain versions of 3.1 worked whilst others didn't.

I notice now that all AnyConnect 3.1 release notes and software downloads are gone from cisco.com.

Hall of Fame Master

Re: That is wrong. See Wireshark capture of Client Hello from...

What release version of 3.1 are you running for that trace? I get similar results to the others above, in that it stops working when the client is set to TLS 1.1, so I wondered if certain versions of 3.1 worked whilst others didn't.

No. AnyConnect, any version, does adapt to the Windows version it is running on. The newest OS versions prevent obsolete TLS versions from being negotiated.