
AnyConnect 3.1 FIPS mode - verify from ASA cmdline

Level 1

Hi all-

I'm deploying FIPS mode on AnyConnect 3.1 clients (ASA version 8.3 and 8.2, and AC 3.1, AnyConnect Essentials, and FIPS licenses on the ASAs).

How can I determine from the ASDM or, better yet, the command line whether a client is running in FIPS mode?

I'm getting ready to deploy the AnyConnectLocalPolicy.xml file via KACE, and so far, when my test laptops reboot, the next AnyConnect VPN session is then running with FIPS Mode: Enabled. I can verify that from the client by looking at the AnyConnect VPN Statistics dialog.

But I can't reach that dialog on laptops in the field, that I know of (short of VNC or something intrusive like that).

So I'd like to have a 'show vpn-sessiondb svc' type command that will show me which clients are successfully in FIPS mode, and which ones are not in FIPS.

Thanks in advance...

2 Replies

Marvin Rhoads
Hall of Fame

I don't know of any ASA show command to check it, but if you have KACE, can that pull the relevant registry key value from the clients?

As described here, a value of 1 would be expected for HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy on Windows Vista or later.
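A per-client check along the lines Marvin describes, added here as an example that is not from this thread or from Cisco: it reads the Windows FIPS policy key and the FipsMode element of the AnyConnectLocalPolicy.xml the original poster is pushing, so a KACE script can report both per machine. The "Enabled" value name under that key and the default ProgramData location of the policy file are assumptions.

```powershell
# Added example, not from the original thread.
# Assumptions: the DWORD under the FIPSAlgorithmPolicy key on Vista+ is named "Enabled",
# and AnyConnect reads its FIPS switch from <FipsMode> in AnyConnectLocalPolicy.xml
# at the default ProgramData path below.
function Get-FipsStatus {
    param(
        [string]$LocalPolicyPath = "$env:ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml"
    )

    # 1. Windows OS-wide FIPS policy (the key Marvin cited). This is the OS setting,
    #    not AnyConnect's own mode, so it is reported separately.
    $regKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $osFips = $false
    $prop = Get-ItemProperty -Path $regKey -Name Enabled -ErrorAction SilentlyContinue
    if ($prop -and $prop.Enabled -eq 1) { $osFips = $true }

    # 2. AnyConnect local policy: the file the poster deploys via KACE.
    #    $null means the file or the element is missing (not yet deployed).
    $acFips = $null
    if (Test-Path -Path $LocalPolicyPath) {
        [xml]$policy = Get-Content -Path $LocalPolicyPath
        $node = $policy.AnyConnectLocalPolicy.FipsMode
        if ($node) { $acFips = ($node.Trim().ToLower() -eq 'true') }
    }

    # One row per machine; collect these from the fleet and filter on AnyConnectFipsMode.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WindowsFipsPolicy  = $osFips
        AnyConnectFipsMode = $acFips
        LocalPolicyFound   = (Test-Path -Path $LocalPolicyPath)
    }
}

Get-FipsStatus | Format-List
```

This confirms the client-side configuration only; as the poster notes, it does not prove the session itself negotiated in FIPS mode, which is what the VPN Statistics dialog shows.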

That's one thing I'd thought of, and will do.

I was hoping to find something in the ASA, since that would not only prove that FIPS was enabled, but that it was also working correctly.