ASA 5585 ECDHE cipher support?

jmorrison_bcp
Beginner

Does the ASA 5585 support ECDHE ciphers like ECDHE-RSA-AES256-GCM-SHA384?

I get an error message when trying to enable them, and I don't see them available:

sho ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)

Cisco Adaptive Security Appliance Software Version 9.4(4)8
Device Manager Version 7.6(1)

Compiled on Sun 16-Jul-17 23:27 PDT by builders
System image file is "disk0:/asa944-8-smp-k8.bin"
Config file at boot was "startup-config"

fwt1-asa5585-01 up 123 days 21 hours
failover cluster up 124 days 0 hours

Hardware:   ASA5585-SSP-40, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 2 CPUs (16 cores)
Internal ATA Compact Flash, 2048MB
BIOS Flash M25P32 @ 0x0, 4096KB

Encryption hardware device : Cisco ASA-5585 on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 3

Programmable device : Cisco CPLD revision 0x8
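As an added example (not code from the original post and not a Cisco tool), here is a small Python audit of the `show ssl ciphers all` output above. It parses the cipher lines into (suite, protocol versions), reports whether any ECDHE suite is offered at all, separates forward-secret suites (ECDHE-/DHE-) from static-RSA ones, flags suites a modern SSL scan will penalise (NULL, RC4, MD5, single DES and 3DES), and builds an ASA `ssl cipher <version> custom "..."` line from the strong suites the box actually lists for that version, forward-secret suites first. The sample output is the one posted above, embedded so the script runs offline; the weak/legacy classification is my own judgement, and the exact quoting of the `custom` cipher string should be checked against the command reference for the running ASA version.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the `show ssl ciphers all` output posted above
# (ASA 9.4(4)8, AnyConnect Essentials), embedded so this runs offline.
SHOW_SSL_CIPHERS_ALL = """\
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)
"""

# One cipher line: "  NAME (proto, proto, ...)". The banner lines never match.
CIPHER_LINE = re.compile(r"^\s*([A-Z0-9-]+)\s+\(([^)]*)\)\s*$")


class Cipher(NamedTuple):
    name: str
    protocols: Tuple[str, ...]


def parse_show_ssl_ciphers(output: str) -> List[Cipher]:
    """Parse `show ssl ciphers all` text into Cipher records, in device order."""
    ciphers = []
    for line in output.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            protos = tuple(p.strip() for p in m.group(2).split(","))
            ciphers.append(Cipher(m.group(1), protos))
    return ciphers


def forward_secrecy(name: str) -> bool:
    """Ephemeral (EC)DH key exchange: a later RSA key compromise does not
    expose recorded sessions. Static-RSA suites (AES256-SHA, ...) do not qualify."""
    return name.startswith(("ECDHE-", "DHE-"))


def is_weak(name: str) -> bool:
    """Suites an external SSL scan will flag: no encryption, RC4, MD5 MAC,
    single DES, and 3DES (64-bit block, Sweet32). Author's classification."""
    return (
        name.startswith("NULL")
        or "RC4" in name
        or name.endswith("MD5")
        or name.startswith("DES-CBC")   # matches DES-CBC-SHA and DES-CBC3-SHA
    )


def audit(ciphers: List[Cipher]) -> Dict[str, object]:
    """Summarise what the box offers, from the device's own list only."""
    names = [c.name for c in ciphers]
    return {
        "ecdhe_available": any(n.startswith("ECDHE-") for n in names),
        "forward_secrecy": [n for n in names if forward_secrecy(n)],
        "weak": [n for n in names if is_weak(n)],
        # Suites the device only offers on TLS 1.0, i.e. gone once tlsv1 is off.
        "tlsv1_only": [c.name for c in ciphers if c.protocols == ("tlsv1",)],
    }


def asa_custom_cipher_command(ciphers: List[Cipher], version: str = "tlsv1.2") -> str:
    """Build `ssl cipher <version> custom "<list>"` from the non-weak suites the
    device lists for that protocol version, forward-secret suites first
    (stable sort keeps the device's own order within each group)."""
    keep = [c.name for c in ciphers if version in c.protocols and not is_weak(c.name)]
    keep.sort(key=lambda n: not forward_secrecy(n))
    return 'ssl cipher %s custom "%s"' % (version, " ".join(keep))


if __name__ == "__main__":
    parsed = parse_show_ssl_ciphers(SHOW_SSL_CIPHERS_ALL)
    for key, value in audit(parsed).items():
        print("%-17s %s" % (key + ":", value))
    print(asa_custom_cipher_command(parsed))
```

On the posted output the audit reports `ecdhe_available: False`, four DHE suites with forward secrecy, five weak suites (3DES, both RC4 suites, single DES and NULL), and a tlsv1.2 custom list that starts with the DHE-RSA suites. The parser only sees what the device lists, so it cannot tell a licensing restriction from a platform limitation; a `custom` list that names a suite the box does not offer will be rejected just like the enable attempt in the question.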

Karsten Iwen
VIP Mentor

These ciphers were added in 9.4(1), but they are not active when the AnyConnect Essentials license is applied. Is that the case for your ASA?

Yes, anyconnect essentials is active.


So anyconnect disables it?


It looks bad on SSL scans mainly.

Yes, but you should have AnyConnect PLUS licenses. Then you can replace your AnyConnect Essentials with AnyConnect PLUS. If you just disable it, you lose your VPN capabilities.

I know it's been three years, but I'm hoping you can still respond. I'm wondering whether to get the AnyConnect Plus or Apex license. According to the AnyConnect ordering guide, Suite B encryption algorithms are only supported with the Apex license. I don't see this listed for the AnyConnect Plus license.


https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html


Or does this mean the ciphers will be available in "show ssl ciphers" but not usable with AnyConnect when using the Plus license?


Thanks

Peter
