Cisco AnyConnect and using TLS v1.2

Hi,

I was running an AnyConnect VPN service that used SSLv3. After POODLE we moved to TLSv1, which worked fine, but I've recently been advised that TLSv1 is also vulnerable to POODLE.

I upgraded to the latest version of the firewall software (it's an ASA 5512) and enabled TLSv1.2. That stopped the VPN from working: once it was enabled, the AnyConnect clients started reporting that they were behind a captive portal, despite the fact that there definitely is no captive portal. I get the same problem with TLSv1.1. How should I get this working? I'm really stuck, and not a Cisco expert.

Many thanks,


Accepted Solution

Kanwaljeet Singh
Cisco Employee

Hi James,

What is the version of ASA and AnyConnect here? Only AnyConnect 4.x and ASA 9.3(2) support TLS 1.2.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/release/notes/b_Release_Notes_AnyConnect_4_0.html#reference_467195CDD71947948872259D1DB91158

Regards,

Kanwal

Note: Please mark answers if they are helpful.
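An added example, not from this thread or from Cisco: a small POSIX shell script that asks the gateway for one TLS version at a time with openssl s_client and reports what was negotiated, so you can confirm what the ASA actually offers after a version change independently of what the AnyConnect client reports. It assumes openssl is installed; the host and port are placeholders.

```shell
#!/bin/sh
# Probe which TLS versions a VPN gateway accepts (added example, not from the thread).
# Usage: sh tls_probe.sh vpn.example.com 443   (host/port are placeholders)

# parse_protocol: read s_client output and print the negotiated version,
# or "none" when the handshake did not complete.
parse_protocol() {
  out=$1
  # On failure s_client prints "New, (NONE), Cipher is (NONE)" and may still
  # show a Protocol line for the attempted version, so check the cipher first.
  case "$out" in
    *"Cipher is (NONE)"*) echo none; return 0 ;;
  esac
  # On success the SSL-Session block contains e.g. "    Protocol  : TLSv1.2"
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
  if [ -n "$proto" ]; then
    echo "$proto"
  else
    echo none
  fi
}

# probe_version: attempt one handshake restricted to a single version flag
# (-tls1, -tls1_1, -tls1_2) and print the result of parse_protocol.
probe_version() {
  host=$1; port=$2; flag=$3
  # "Q" closes the session as soon as the handshake is done; stderr carries alerts.
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>&1)
  parse_protocol "$out"
}

# probe_all: try each version the gateway might be configured for.
probe_all() {
  host=$1; port=${2:-443}
  for flag in -tls1 -tls1_1 -tls1_2; do
    printf '%-8s -> %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
  done
}

# Run only when a host is given, so the functions can also be sourced.
if [ -n "$1" ]; then
  probe_all "$1" "$2"
fi
```

A version that comes back "none" from the gateway while the AnyConnect client still fails on one that succeeds points at the client build rather than the ASA configuration.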



ryanmims1
Level 1

What was the solution? We are running an ASA 5585, 9.9.2.1, with TLS 1.2 and Diffie-Hellman group 24, and clients get "Login failed". Clients can connect with a lower TLS version.

Also, client is 4.6

Using LDAP authentication via Windows. Is the ASA using TLS 1.2 to authenticate against LDAP?