
AnyConnect new feature - DTLSv1.2

With the release of v9.10.1, has anyone been able to get DTLSv1.2 working with AnyConnect sessions? (Our clients are v4.6.02074)


- If I don't specify dtlsv1.2, it will always establish the DTLS tunnel using dtlsv1.0.

- If I do specify dtlsv1.2 with the following config, the DTLS tunnel fails to establish with the message "%ASA-5-722043: Group <groupid> User <userid> IP <ipaddress> DTLS disabled: unable to negotiate cipher". Removing the "ssl cipher dtlsv1" line makes no difference.

 

ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl ecdh-group group20
ssl dh-group group24

1 ACCEPTED SOLUTION

5 REPLIES

Re: AnyConnect new feature - DTLSv1.2

Thank you Marvin! I've been struggling with this for a while and of course today the client update is released...

 

Confirmation session output is shown below.

 

DTLS-Tunnel:
Tunnel ID : 10156.3
Assigned IP : y.y.y.y Public IP : x.x.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 53241
UDP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1437 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136

Hall of Fame Master

Re: AnyConnect new feature - DTLSv1.2

I just upgraded my lab - FTD 6.3 (includes LINA / ASA release 9.10(1)3) and pushing AnyConnect 4.7.00136. Note the TLS 1.2 connection:

 

> show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : user1 Index : 5
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 32022 Bytes Rx : 34713
Pkts Tx : 129 Pkts Rx : 278
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : CCIELab_GP Tunnel Group : CCIELab_VPN
Login Time : 03:52:57 UTC Thu Dec 6 2018
Duration : 0h:02m:21s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ac1f0101000050005c089d19
Security Grp : none Tunnel Zone : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 5.1
Public IP : 192.168.0.107
Encryption : none Hashing : none 
TCP Src Port : 23728 TCP Dst Port : 443 
Auth Mode : userPassword 
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes 
Client OS : win 
Client OS Ver: 10.0.17134 
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8454 Bytes Rx : 0 
Pkts Tx : 6 Pkts Rx : 0 
Pkts Tx Drop : 0 Pkts Rx Drop : 0 

SSL-Tunnel:
Tunnel ID : 5.2
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Encryption : AES-GCM-256 Hashing : SHA384 
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384 
Encapsulation: TLSv1.2 TCP Src Port : 23732 
TCP Dst Port : 443 Auth Mode : userPassword 
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes 
Client OS : Windows 
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8454 Bytes Rx : 496 
Pkts Tx : 6 Pkts Rx : 5 
Pkts Tx Drop : 0 Pkts Rx Drop : 0 

DTLS-Tunnel:
Tunnel ID : 5.3
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Encryption : AES256 Hashing : SHA1 
Ciphersuite : DHE-RSA-AES256-SHA 
Encapsulation: DTLSv1.0 UDP Src Port : 51520 
UDP Dst Port : 443 Auth Mode : userPassword 
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes 
Client OS : Windows 
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 15114 Bytes Rx : 34217 
Pkts Tx : 117 Pkts Rx : 273 
Pkts Tx Drop : 0 Pkts Rx Drop : 0 

> show running-config ssl
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group1
ssl trust-point VPN_Cert_Enrollment
ssl trust-point VPN_Cert_Enrollment Outside-Home
>
> show version
---------[ vftd-new.ccielab.mrneteng.com ]----------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.3.0 (Build 83)
UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7
Rules update version : 2018-12-03-001-vrt
VDB version : 307
----------------------------------------------------

> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

vftd-new> show ver
vftd-new> show version
---------[ vftd-new.ccielab.mrneteng.com ]----------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.3.0 (Build 83)
UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7
Rules update version : 2018-12-03-001-vrt
VDB version : 307
----------------------------------------------------

Cisco Adaptive Security Appliance Software Version 9.10(1)3
Firepower Extensible Operating System Version 2.4(1.216)

Compiled on Tue 27-Nov-18 12:00 PST by builders
System image file is "boot:/asa9101-3-smp-k8.bin"
Config file at boot was "startup-config"

vftd-new up 1 hour 0 mins

Hardware: ASAv, 8192 MB RAM, CPU Pentium II 2100 MHz, 1 CPU (4 cores)
Model Id: ASAv30
Internal ATA Compact Flash, 50176MB
Slot 1: ATA Compact Flash, 50176MB
BIOS Flash Firmware Hub @ 0x0, 0KB


0: Int: Internal-Data0/0 : address is 000c.2924.8e3e, irq 10
1: Ext: GigabitEthernet0/0 : address is 000c.2924.8e48, irq 5
2: Ext: GigabitEthernet0/1 : address is 000c.2924.8e52, irq 9
3: Ext: GigabitEthernet0/2 : address is 000c.2924.8e5c, irq 11
4: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
5: Int: Internal-Data0/0 : address is 0000.0000.0000, irq 0
6: Ext: Management0/0 : address is 000c.2924.8e3e, irq 0
7: Int: Internal-Data0/1 : address is 0000.0000.0000, irq 0
8: Int: Internal-Data0/2 : address is 0000.0000.0000, irq 0

Serial Number: 9ADK32SQAT2

Image type : Release
Key version : A

Configuration last modified by enable_1 at 03:41:24.871 UTC Thu Dec 6 2018
vftd-new>
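The lab output above is exactly the kind of thing an operator wants to check automatically after an upgrade: the SSL-Tunnel came up on TLSv1.2 with a GCM/SHA384 suite, but the DTLS-Tunnel silently fell back to DTLSv1.0 with DHE-RSA-AES256-SHA (SHA1). The following Python script is an added example, not code from the thread or from Cisco: it parses the per-tunnel sections of `show vpn-sessiondb detail anyconnect` as printed here (two `Key : Value` pairs per line, sections introduced by `DTLS-Tunnel:` and friends) and reports any DTLS tunnel whose encapsulation is below DTLSv1.2 or whose hash is SHA1. The sample text is constructed from the outputs quoted in this thread; the function names, the policy parameters and the assumption that the field layout is stable across releases are mine.

```python
"""Added example: audit ASA/FTD 'show vpn-sessiondb detail anyconnect' output
for DTLS tunnels that did not negotiate DTLSv1.2 or that use a SHA1 suite."""
import re
from dataclasses import dataclass, field

# A per-tunnel section starts with a line such as "DTLS-Tunnel:" on its own.
SECTION_RE = re.compile(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):$")

# The ASA prints two "Key : Value" pairs per line ("Encryption : AES256 Hashing : SHA1"),
# so each field is located with its own pattern instead of splitting the line on ':'.
FIELD_PATTERNS = {
    "tunnel_id": re.compile(r"Tunnel ID\s*:\s*(\S+)"),
    "encryption": re.compile(r"Encryption\s*:\s*(\S+)"),
    "hashing": re.compile(r"Hashing\s*:\s*(\S+)"),
    "ciphersuite": re.compile(r"Ciphersuite\s*:\s*(\S+)"),
    "encapsulation": re.compile(r"Encapsulation\s*:\s*(\S+)"),
}


@dataclass
class Tunnel:
    kind: str                                  # AnyConnect-Parent, SSL-Tunnel or DTLS-Tunnel
    fields: dict = field(default_factory=dict)


def parse_sessiondb(text):
    """Return one Tunnel per section; the session summary before the first
    section header (which repeats Encryption/Hashing for all tunnels) is ignored."""
    tunnels, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = Tunnel(kind=m.group(1))
            tunnels.append(current)
            continue
        if current is None or not line:
            continue
        for name, pattern in FIELD_PATTERNS.items():
            fm = pattern.search(line)
            if fm and name not in current.fields:   # keep the first occurrence only
                current.fields[name] = fm.group(1)
    return tunnels


def audit_dtls(tunnels, required_version="DTLSv1.2", weak_hashes=("SHA1", "MD5")):
    """Return (tunnel_id, finding) pairs for DTLS tunnels that fall below policy.
    Policy values are hypothetical defaults chosen for this example."""
    findings = []
    for t in tunnels:
        if t.kind != "DTLS-Tunnel":
            continue
        tid = t.fields.get("tunnel_id", "?")
        encap = t.fields.get("encapsulation", "unknown")
        hashing = t.fields.get("hashing", "unknown")
        if encap != required_version:
            findings.append((tid, f"encapsulation {encap}, policy requires {required_version}"))
        if hashing.upper() in weak_hashes:
            suite = t.fields.get("ciphersuite", "?")
            findings.append((tid, f"hashing {hashing} ({suite})"))
    return findings


# Constructed sample, trimmed from the FTD 6.3 lab output quoted in this thread.
SAMPLE_FTD_OUTPUT = """
Username : user1 Index : 5
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1

AnyConnect-Parent:
Tunnel ID : 5.1
Encryption : none Hashing : none
TCP Src Port : 23728 TCP Dst Port : 443

SSL-Tunnel:
Tunnel ID : 5.2
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 23732

DTLS-Tunnel:
Tunnel ID : 5.3
Encryption : AES256 Hashing : SHA1
Ciphersuite : DHE-RSA-AES256-SHA
Encapsulation: DTLSv1.0 UDP Src Port : 51520
"""

# Constructed sample, trimmed from the DTLSv1.2 confirmation output quoted earlier.
SAMPLE_DTLS12_OUTPUT = """
DTLS-Tunnel:
Tunnel ID : 10156.3
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 53241
"""

if __name__ == "__main__":
    for label, sample in (("FTD lab", SAMPLE_FTD_OUTPUT), ("DTLSv1.2", SAMPLE_DTLS12_OUTPUT)):
        issues = audit_dtls(parse_sessiondb(sample))
        print(f"{label}: {'OK' if not issues else ''}")
        for tid, msg in issues:
            print(f"  tunnel {tid}: {msg}")
```

Run against the FTD lab output it reports two findings for tunnel 5.3 (DTLSv1.0 encapsulation and SHA1 hashing) and none for the DTLSv1.2 session, which is the same discrepancy the next reply points out by eye. The parser keys on section headers rather than on the summary lines at the top of the output, because the summary collapses all tunnels into one `Encryption :` / `Hashing :` line and would be ambiguous to attribute.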

 

Beginner

Re: AnyConnect new feature - DTLSv1.2

Marvin, the config printout from your lab lists the DTLS tunnel as using TLS 1.1 and SHA1. Was this an oversight in the thread?


DTLS-Tunnel:
Tunnel ID : 5.3
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Encryption : AES256 Hashing : SHA1 
Ciphersuite : DHE-RSA-AES256-SHA 
Encapsulation: DTLSv1.0 UDP Src Port : 51520 
UDP Dst Port : 443 Auth Mode : userPassword 
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes 
Client OS : Windows 
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 15114 Bytes Rx : 34217 
Pkts Tx : 117 Pkts Rx : 273 
Pkts Tx Drop : 0 Pkts Rx Drop : 0 

Hall of Fame Master

Re: AnyConnect new feature - DTLSv1.2

I noticed that. TLS is 1.2, DTLS is not.

 

I'm wondering if it's FTD vs. ASA thing. I need to upgrade my ASAv to 9.10(1) and compare.
