Solved: SSL Ciphers different between 5525x and 5555x ?

Tim Glen · ‎03-23-2016

Good Afternoon,

I have an ASA 5525x and an ASA 5555x. Both of them run 9.4(2.6).

The 5525x supports all the new ciphers that are discussed in the release notes.

lab-asa5525x# sh ssl ciphers
Current cipher configuration:
default (fips):
 ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-RSA-AES256-GCM-SHA384
 DHE-RSA-AES256-GCM-SHA384
 AES256-GCM-SHA384
 ECDHE-ECDSA-AES256-SHA384
 ECDHE-RSA-AES256-SHA384
 DHE-RSA-AES256-SHA256
 AES256-SHA256
 ECDHE-ECDSA-AES128-GCM-SHA256
 ECDHE-RSA-AES128-GCM-SHA256
 DHE-RSA-AES128-GCM-SHA256
 AES128-GCM-SHA256
 ECDHE-ECDSA-AES128-SHA256
 ECDHE-RSA-AES128-SHA256
 DHE-RSA-AES128-SHA256
 AES128-SHA256
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
tlsv1 (fips):
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
tlsv1.1 (fips):
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
 ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-ECDSA-AES256-SHA384
 ECDHE-ECDSA-AES128-GCM-SHA256
 ECDHE-ECDSA-AES128-SHA256
dtlsv1 (fips):
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
lab-asa5525x# 
lab-asa5525x# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point 2016-03.lab-asa Outside
ssl certificate-authentication fca-timeout 2
lab-asa5525x#

The 5555x does not support any of the elliptical curve ciphers that are discussed in the release notes.

ASA5555x-01# sh ssl ciphers
Current cipher configuration:
default (medium):
 DHE-RSA-AES256-SHA256
 AES256-SHA256
 DHE-RSA-AES128-SHA256
 AES128-SHA256
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
 DES-CBC3-SHA
tlsv1 (medium):
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
 DES-CBC3-SHA
tlsv1.1 (medium):
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
 DES-CBC3-SHA
tlsv1.2 (medium):
 DHE-RSA-AES256-SHA256
 AES256-SHA256
 DHE-RSA-AES128-SHA256
 AES128-SHA256
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
 DES-CBC3-SHA
dtlsv1 (medium):
 DHE-RSA-AES256-SHA
 AES256-SHA
 DHE-RSA-AES128-SHA
 AES128-SHA
 DES-CBC3-SHA
ASA5555x-01# 
ASA5555x-01# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point 2016-03.ssl-vpn Outside_85
ssl certificate-authentication fca-timeout 2
ASA5555x-01#

I opened a TAC case and the TAC engineer's 5585 also running 9.4(2.6) does not support the EC ciphers?

Can anyone help me figure out what I am missing ? All -x ASA platforms should support the same features, right?

Thank you

Tim

Diego Lopez · ‎03-23-2016

Hello,

Disabling the Anyconnect essentials from the global webvpn setting did the trick here.

CLI:

webvpn

no anyconnect-essentials

Thanks,

View solution in original post

Philip D'Ath · ‎03-23-2016

I would have expected them to support the same ciphers, but the 5585's are a bit different from the rest of the line up.

Just check out the model comparison, and you can see what I mean.

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html

Diego Lopez · ‎03-23-2016