Changes in CBC ciphers and TLS

bvj197222
Level 1

We're using Cisco ASAv 9.10 together with Cisco AnyConnect 4.7 clients. Due to the POODLE vulnerability and other vulnerabilities I'm doing some changes in CBC ciphers, and we're turning off TLS 1.0/1.1, plus changing from Diffie-Hellman group 2 to group 14. Are there any preparations/changes that need to be done on the AnyConnect clients prior to this?

1 Reply

Hi,

You are running the minimum versions of ASA and AnyConnect to support the latest ciphers. Ensure you use DTLS 1.2 as this has the best performance. Running TLS 1.2 and DTLS 1.2 will ensure you are using the latest cipher, AES-GCM.


If you run the command show vpn-sessiondb detail anyconnect you can confirm what ciphers you are currently using, before you make any changes.


Useful link for performance and scaling AnyConnect VPNs:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html#anc4


HTH
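The reply above recommends checking what each session has actually negotiated before retiring TLS 1.0/1.1, the CBC suites and DH group 2. As an added example that is not part of the original thread and not Cisco's code, here is a small Python script that does that check against saved output of show vpn-sessiondb detail anyconnect. The sample text is constructed, modelled on the layout of that command on ASA 9.x; it is not captured from a real device and field spacing or names may differ by release, so adjust the regular expressions to your own output. A tunnel is flagged when it negotiated anything other than TLSv1.2/DTLSv1.2 (it will be refused once the old versions are turned off), when its suite is not AES-GCM (still CBC), or when its suite uses static RSA key exchange (no forward secrecy, and the ssl dh-group setting has no effect on it).

```python
import re

# Constructed sample in the layout of `show vpn-sessiondb detail anyconnect` on ASA 9.x.
# Not captured from a real device; adjust the regexes if your release prints fields differently.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 12
Assigned IP  : 10.10.1.5              Public IP    : 203.0.113.17
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384

SSL-Tunnel:
  Tunnel ID    : 12.2
  Encryption   : AES-GCM-256                Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2  TCP Src Port : 55123

DTLS-Tunnel:
  Tunnel ID    : 12.3
  Encryption   : AES-GCM-256                Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2  UDP Src Port : 55124

Username     : bob                    Index        : 13
Assigned IP  : 10.10.1.6              Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1

SSL-Tunnel:
  Tunnel ID    : 13.2
  Encryption   : AES256                     Hashing      : SHA1
  Ciphersuite  : DHE-RSA-AES256-SHA
  Encapsulation: TLSv1.0  TCP Src Port : 60001

DTLS-Tunnel:
  Tunnel ID    : 13.3
  Encryption   : AES128                     Hashing      : SHA1
  Ciphersuite  : AES128-SHA
  Encapsulation: DTLSv1.0  UDP Src Port : 60002
"""

# Versions that survive `ssl server-version tlsv1.2` plus DTLS 1.2 on the ASA.
MODERN_VERSIONS = {"TLSv1.2", "DTLSv1.2"}


def parse_tunnels(text):
    """Return one dict per SSL/DTLS tunnel: user, tunnel type, ciphersuite, (D)TLS version."""
    tunnels, user, current = [], None, None
    for line in text.splitlines():
        m = re.match(r"Username\s*:\s*(\S+)", line)
        if m:                      # a new session block starts with its username
            user = m.group(1)
            continue
        m = re.match(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):\s*$", line)
        if m:                      # per-tunnel detail block
            current = {"user": user, "tunnel": m.group(1), "ciphersuite": None, "version": None}
            tunnels.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*Ciphersuite\s*:\s*(\S+)", line)
        if m:
            current["ciphersuite"] = m.group(1)
        m = re.match(r"\s*Encapsulation\s*:\s*(\S+)", line)
        if m:
            current["version"] = m.group(1)
    # keep only tunnels for which a suite was printed (the parent block may omit it)
    return [t for t in tunnels if t["ciphersuite"]]


def audit(text):
    """Flag tunnels that will break, or still use the settings being retired."""
    findings = []
    for t in parse_tunnels(text):
        cs, ver = t["ciphersuite"], t["version"]
        problems = []
        if ver not in MODERN_VERSIONS:
            problems.append(f"negotiated {ver}; refused once TLS 1.0/1.1 are disabled")
        if "GCM" not in cs:        # ASA's non-GCM suites are CBC mode
            problems.append("CBC ciphersuite; drop it from the allowed cipher list")
        if not cs.startswith(("ECDHE-", "DHE-")):
            problems.append("static RSA key exchange: no forward secrecy, ssl dh-group does not apply")
        if problems:
            findings.append({**t, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUT):
        print(f"{f['user']:<8} {f['tunnel']:<12} {f['version']:<9} {f['ciphersuite']}")
        for p in f["problems"]:
            print(f"    - {p}")
```

Run it on the saved command output before the change to see which users will be cut off, and again afterwards: once the ASA only offers TLS 1.2/DTLS 1.2 with AES-GCM suites, audit() should return an empty list.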
