03-07-2022 08:49 AM - edited 03-07-2022 09:03 AM
Hello guys,
we need to disable TLS 1.0 and 1.1 and move to TLS 1.2. Does this change impact all the active client-to-site VPN sessions, or will the new parameter be negotiated only for new connections?
Will there be downtime for this change, or is it fully transparent to users?
Our AnyConnect version is 4.10.
Thanks
Regards
03-07-2022 08:52 AM
@MaErre21325 changing the TLS ciphers used on the FTD would impact the user connections. You change the FTD SSL/TLS setting using the Platform Settings. Guide here.
Any TLS settings on the FMC is for connections to the management Web GUI, therefore has no bearing on the anyconnect clients connecting to the FTD.
03-07-2022 09:09 AM
Hi Rob,
now it's clear, thank you very much!
03-07-2022 09:11 AM - edited 03-07-2022 09:17 AM
@MaErre21325 I forgot to mention, from memory I think making the changes ended the users' sessions, forcing them to reconnect, so you may want to make the change out of hours.
You may also wish to confirm that the current connected sessions support and are currently connecting using DTLS 1.2, using the command "show vpn-sessiondb detail anyconnect | include Encapsulation"
> show vpn-sessiondb detail anyconnect | include Encapsulation
Encapsulation: TLSv1.2 TCP Src Port : 35205
Encapsulation: DTLSv1.2 UDP Src Port : 26702
If you are changing the encryption, use "show vpn-sessiondb ratio encryption" to confirm what the current connections are using.
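As an added illustration (not from this thread or from Cisco), a small Python parser over constructed output of that "show vpn-sessiondb detail anyconnect | include Encapsulation" command, following the line format shown above; it flags sessions currently negotiated below TLS 1.2 / DTLS 1.2 and gives a per-version count similar to what "show vpn-sessiondb ratio" reports.

```python
import re
from collections import Counter

# Constructed sample output (not captured from a real FTD): each client normally
# shows two lines, a TLS session over TCP and a DTLS session over UDP.
SAMPLE_OUTPUT = """\
Encapsulation: TLSv1.2 TCP Src Port : 35205
Encapsulation: DTLSv1.2 UDP Src Port : 26702
Encapsulation: TLSv1.0 TCP Src Port : 41822
Encapsulation: DTLSv1.0 UDP Src Port : 41823
Encapsulation: TLSv1.1 TCP Src Port : 50011
"""

LINE_RE = re.compile(
    r"Encapsulation:\s*(?P<proto>D?TLS)v(?P<ver>\d+\.\d+)\s+"
    r"(?P<transport>TCP|UDP)\s+Src Port\s*:\s*(?P<port>\d+)"
)

# Floor that the planned Platform Settings change will still accept.
MIN_VERSION = {"TLS": (1, 2), "DTLS": (1, 2)}

def parse_encapsulations(text):
    """Return one dict per Encapsulation line: proto, version tuple, transport, src port."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore anything that is not an Encapsulation line
        major, minor = m.group("ver").split(".")
        sessions.append({
            "proto": m.group("proto"),
            "version": (int(major), int(minor)),
            "transport": m.group("transport"),
            "src_port": int(m.group("port")),
        })
    return sessions

def below_minimum(sessions):
    """Sessions negotiated below the new floor; these clients must renegotiate at 1.2."""
    return [s for s in sessions if s["version"] < MIN_VERSION[s["proto"]]]

def version_summary(sessions):
    """Count sessions per protocol version, keyed like 'TLSv1.2'."""
    return Counter(f"{s['proto']}v{s['version'][0]}.{s['version'][1]}" for s in sessions)

if __name__ == "__main__":
    parsed = parse_encapsulations(SAMPLE_OUTPUT)
    print(dict(version_summary(parsed)))
    for s in below_minimum(parsed):
        print(f"below minimum: {s['proto']}v{s['version'][0]}.{s['version'][1]} "
              f"{s['transport']} src port {s['src_port']}")
```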
03-08-2022 01:26 AM
Yes, I'll do the change out of business hours.
Thanks for the tips.
07-20-2022 09:15 AM - edited 07-20-2022 09:16 AM
Hi Rob,
How do I achieve this using FDM? FTD is on 6.4.0.15
Thanks always
07-20-2022 09:23 AM
@engineer467 to change the TLS ciphers in FDM for RAVPN, you'll need to upgrade to version 7.0.
07-20-2022 09:27 AM
Appreciate it, Rob.
06-12-2023 01:19 PM
I know this is an old post, but I was curious if there was a different area to disable support for TLSv1.0 and TLSv1.1 for the FMC GUI. I presume platform settings only apply to the FTD devices (443 and RAVPN)?
06-13-2023 06:02 AM
Yes, platform settings are applied to the managed FTD. For FMC, I believe you will have to upgrade the FMC to the latest version in order to get TLS 1.2, and the weak TLS 1.0 or 1.1 ciphers should be disabled in that version.
06-13-2023 07:54 AM
Thanks! That makes sense. I appreciate you responding.
06-14-2023 01:12 AM
The FMC GUI, even on the soon-to-be-released 7.4 does not disable weak ciphers.
See this thread and my reply dated 8 June for more details: https://community.cisco.com/t5/network-security/tls-version-1-1-protocol-deprecated/m-p/4851435#M1101375
06-14-2023 08:59 AM
Thanks Marvin! Always nice to hear from a legend!
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
|_http-server-header: Apache
NSE: Script Post-scanning.
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.14 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
06-14-2023 07:54 PM
Ah, they may have updated that with 7.0.5. I think the previous 7.0 version I checked still had weak ciphers in the offering.