cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

290
Views
0
Helpful
4
Replies
Highlighted
Beginner
Beginner

CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

recently setup anyconnect on CSR1000v and it worked with local credentials . 

 

All of sudden, Anyconnect VPN is no longer working.

 

CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

CRYPTO_OPSSL: Set cipher specs to mask 0x00002080 for version 16

CRYPTO_OPSSL: Common Criteria is disabled on this session.Disabling Common Criteria mode functionality in CiscoSSL on SSL CTX 0x7F6C7DDB9850

 

Those kind of logs I noticed when I did debug for ssl . I do see logs that user credentials are validated and success. but, session got closed automatically.

 

show version:-

Cisco IOS XE Software, Version 16.12.01a
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.1a, RELEASE SOFTWARE (fc2)

Could someone how can this be fixed . Thank you

Everyone's tags (1)
4 REPLIES 4
Highlighted
Hall of Fame Guru

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

What version of AnyConnect are your clients using?

Highlighted
Beginner
Beginner

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

Hi Marvin,Thank you 

 

Anyconnect version is 4.7.04056

 

I had configured everything as stated in the link :- https://community.cisco.com/t5/security-documents/configure-sslvpn-on-cisco-cloud-services-router-1000v-csr1000v/ta-p/3156679

 

It worked good with local credentials. It all started after I executed following changes:-

 

Working good with the following :-

aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network anyconnectvpn local

 

crypto ssl profile anyconnect-profile
match policy anyconnect-policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list anyconnectvpn anyconnect-auth-policy
authentication remote user-pass

 

 

changes performed:-

 

ldap attribute-map ldap-username-map
map type sAMAccountName username

 

ldap server <Server1>
ipv4 <internalIP>
attribute map ldap-username-map
bind authenticate root-dn CN=Username,OU=XXX,DC=XXX,DC=XXX password
base-dn dc=XXX,dc=XXX

search-type nested

 

aaa group server ldap <servergroup>
server server1

 

aaa authentication login sslvpn group <servergroup> local   --> added group servergroup to authenticate using LDAP

 

as soon as We did this, authnetication success logs in debug messages. But, above reported logs and No valid certification authentication error at times on ANyconnect client.

 

Regards,

 



 

 

Highlighted
Hall of Fame Guru

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

I don't see why those command would have had that effect. Unless somebody else can offer more insight, you might be best advised to open a TAC case.

Highlighted
Beginner
Beginner

Re: CSR1000v_CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling only TLS1.0

Sure , I will see if they can support Lab router as it's testing purpose before we go with BYOL.

 

I did factory-reset and reconfigured it. AnyconnectwAnyconnect with local credentials and same error recurred after we modified authentication method list to use LDAP group first .

 

Regards,

Durga Prasad