Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2550
Views
10
Helpful
4
Replies

ASA 5585 ECDHE cipher support?

jmorrison_bcp
Level 1
Level 1

‎12-10-2017 11:26 AM - edited ‎02-21-2020 06:56 AM

Does the ASA 5585 support ECDHE ciphers like ECDHE-RSA-AES256-GCM-SHA384?

 

I get error message trying to enable them, and I don't see them available:

sho ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)

 

Cisco Adaptive Security Appliance Software Version 9.4(4)8
Device Manager Version 7.6(1)

Compiled on Sun 16-Jul-17 23:27 PDT by builders
System image file is "disk0:/asa944-8-smp-k8.bin"
Config file at boot was "startup-config"

fwt1-asa5585-01 up 123 days 21 hours
failover cluster up 124 days 0 hours

Hardware:   ASA5585-SSP-40, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 2 CPUs (16 cores)
Internal ATA Compact Flash, 2048MB
BIOS Flash M25P32 @ 0x0, 4096KB

Encryption hardware device : Cisco ASA-5585 on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 3

Programmable device : Cisco CPLD revision 0x8
Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎12-10-2017 02:45 PM

These ciphers were added in 9.4(1), but they are not active when the AnyConnect Essentials license is applied. Is that the case for your ASA?

JOHN PAUL MORRISON
Level 1
Level 1
In response to Karsten Iwen

‎12-15-2017 10:33 AM

Yes, anyconnect essentials is active.

 

So anyconnect disables it?

 

It looks bad on SSL scans mainly.

0 Helpful

Karsten Iwen
VIP
VIP
In response to JOHN PAUL MORRISON

‎12-15-2017 10:39 AM

Yes, but you should have AnyConnect PLUS licenses. Then you can replace your AnyConnect Essentials with AnyConnect PLUS. With just disabling it you lose your VPN-capabilities.

0 Helpful

ptchuba
Level 1
Level 1
In response to Karsten Iwen

‎12-17-2020 07:41 AM

I know it's been three years but hoping you can still respond. I'm wondering whether to get the Anyconnect Plus or Apex license. According to the Anyconnect ordering guide, Suite B encryption algorithms are only supported in the Apex license. I don't see this listed for the Anyconnect Plus license.

 

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html

 

Or does this mean the ciphers will be available in the "show ssl ciphers" but not usable with Anyconnect when using the Plus license?

 

Thanks

Peter

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card