11-17-2015 08:54 AM - edited 03-11-2019 11:54 PM
Hi,
I'm attempting to get an ASA to PCI compliance so TLS v1.0 cannot be used.
When I disable TLS v1.0 and enable TLS v1.1, AnyConnect v3.x clients cannot connect.
AnyConnect v4.x clients (which require a premium license) can connect.
Is there a solution without having to upgrade to an AnyConnect Premium license?
Thanks.
11-17-2015 10:17 AM
It's not a premium license that you need. For AnyConnect 4 you "only" need the AnyConnect Plus license which is not as expensive as the older premium licenses were. More details in the AC ordering guide.
11-17-2015 09:11 PM
Thanks for the link.
11-17-2015 09:10 PM
Hi Larry,
TLS v1.1 is not supported by the AnyConnect client v3.x. You will have to roll back to TLS v1.0.
Regards,
Gurjot Singh
Cisco TAC
03-17-2018 09:19 AM
That is wrong. See Wireshark capture of Client Hello from AnyConnect 3.1.
TLSv1.1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.1 (0x0302)
    Length: 99
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 95
        Version: TLS 1.1 (0x0302)
        Random: 5aad3dc8639ca8ea4944bc71e363602801a4106d5621fe67...
        Session ID Length: 0
        Cipher Suites Length: 14
        Cipher Suites (7 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
        Extensions Length: 40
        Extension: status_request (len=5)
        Extension: supported_groups (len=8)
        Extension: ec_point_formats (len=2)
        Extension: SessionTicket TLS (len=0)
        Extension: extended_master_secret (len=0)
        Extension: renegotiation_info (len=1)
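As an added example (not code from the thread or from Cisco): a small Python parser that pulls the record version, the offered client version and the cipher suites out of a ClientHello record, so the version a client really offers can be checked from a capture before TLS 1.0 is switched off on the headend. The sample bytes are constructed to the same layout as the capture above (7 suites, 40 bytes of extensions); the random field is made up.

```python
import struct

# Added example, not from the thread: minimal TLS ClientHello parser plus a
# constructed sample record laid out like the AnyConnect 3.1 capture above.

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raise ValueError if malformed."""
    if len(data) < 5 or data[0] != 22:                       # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack(">HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 1:                 # handshake type 1 = ClientHello
        raise ValueError("not a complete ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    hs_ver = struct.unpack(">H", hs[0:2])[0]
    pos = 2 + 32                                             # skip client_version, random
    pos += 1 + hs[pos]                                       # skip session_id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hs):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                       # skip compression_methods
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0] if len(hs) >= pos + 2 else 0
    return {"record_version": TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
            "client_version": TLS_VERSIONS.get(hs_ver, hex(hs_ver)),
            "cipher_suites": suites, "extensions_length": ext_len}

def build_sample_client_hello() -> bytes:
    """Constructed sample: TLS 1.1 ClientHello with the 7 suites and 40 extension bytes."""
    suites = b"".join(struct.pack(">H", s) for s in
                      (0xC00A, 0xC009, 0xC014, 0xC013, 0x0035, 0x002F, 0x000A))
    exts = bytes.fromhex("0005 0005 0100000000"             # status_request (len=5)
                         "000a 0008 0006 001700180019"      # supported_groups (len=8)
                         "000b 0002 0100"                   # ec_point_formats (len=2)
                         "0023 0000"                        # SessionTicket (len=0)
                         "0017 0000"                        # extended_master_secret (len=0)
                         "ff01 0001 00")                    # renegotiation_info (len=1)
    hs = (struct.pack(">H", 0x0302) + bytes(range(32)) + b"\x00"   # made-up random, empty session id
          + struct.pack(">H", len(suites)) + suites + b"\x01\x00"  # one compression method: null
          + struct.pack(">H", len(exts)) + exts)
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs             # handshake header: type 1, length 95
    return b"\x16" + struct.pack(">HH", 0x0302, len(body)) + body  # record header: length 99
```

Run on a real ClientHello pulled from a pcap, the same function shows whether the client offers TLS 1.1 or only TLS 1.0, which is the question the thread is arguing about.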
05-01-2018 08:55 AM
Hi Paolo,
What release version of 3.1 are you running for that trace? I get similar results to the others above, in that it stops working when the client is set to TLS 1.1, so I wondered if certain versions of 3.1 worked whilst others didn't.
I notice now that all AnyConnect 3.1 release notes and software downloads are gone from cisco.com.
05-01-2018 09:08 AM
What release version of 3.1 are you running for that trace? I get similar results to the others above, in that it stops working when the client is set to TLS 1.1, so I wondered if certain versions of 3.1 worked whilst others didn't.
No. AnyConnect, any version, adapts to the Windows version it is running on. The newest OS versions prevent obsolete TLS versions from being negotiated.