08-29-2013 02:08 PM - edited 02-21-2020 07:07 PM
Hi all-
I'm deploying FIPS mode on AnyConnect 3.1 clients
(ASA version 8.3 and 8.2, and AC 3.1, AnyConnect Essentials, and FIPS licenses on the ASAs)
How can I determine from the ASDM or better yet, the command line
whether a client is running in FIPS mode?
I'm getting ready to deploy the AnyConnectLocalPolicy.xml file via KACE,
and so far, when my test laptops reboot, the next AnyConnect VPN session is then running with FIPS Mode: Enabled.
I can verify that from the client by looking at the AnyConnect VPN Statistics dialog.
But I can't reach that dialog on laptops in the field, that I know of (short of VNC or something intrusive like that).
So I'd like to have a 'show vpn-sessiondb svc' type command that will show me
which clients are successfully in FIPS mode, and which ones are not in FIPS.
Thanks in advance...
08-29-2013 09:51 PM
I don't know of any ASA show command to check it but if you have KACE, can that pull the relevant registry key value from the clients?
As described here, a value of 1 would be expected for HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy on Windows Vista or later.
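As an added example (not code from the thread or from Cisco or KACE), here is a PowerShell script a KACE job could run on each client to collect the evidence the reply above suggests. It checks two things: the Windows system FIPS policy value the reply points to (the DWORD "Enabled" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy), and the <FipsMode> element in the AnyConnectLocalPolicy.xml file the original poster is pushing out, which is the setting the AnyConnect client itself reads. The default ProgramData path of that file is assumed and should be adjusted for your deployment; the output field names are the script's own.

```powershell
# Added example: report whether a Windows client is configured for AnyConnect
# FIPS mode. Intended to run from a KACE script or custom inventory rule.
#
# Check 1: OS-wide FIPS algorithm policy (the registry value the reply mentions).
# Check 2: <FipsMode> in AnyConnectLocalPolicy.xml, the setting AnyConnect uses.
#          The path below is the default ProgramData location (an assumption).

$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
$PolicyPath = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml'

function Get-WindowsFipsPolicy {
    # Returns $true when the "Enabled" DWORD exists and is 1, otherwise $false.
    $item = Get-ItemProperty -Path $RegPath -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.Enabled -eq 1)
}

function Get-AnyConnectFipsMode {
    # Returns $true when AnyConnectLocalPolicy.xml contains <FipsMode>true</FipsMode>,
    # $false when the element is absent or not "true", and $null when the file
    # itself is missing (i.e. the policy was never deployed to this machine).
    if (-not (Test-Path -LiteralPath $PolicyPath)) { return $null }
    [xml]$policy = Get-Content -LiteralPath $PolicyPath -Raw
    # local-name() sidesteps the default namespace the file declares on its root.
    $node = $policy.SelectSingleNode("//*[local-name()='FipsMode']")
    if ($null -eq $node) { return $false }
    return ($node.InnerText.Trim() -ieq 'true')
}

$result = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    WindowsFipsPolicy  = Get-WindowsFipsPolicy
    AnyConnectFipsMode = Get-AnyConnectFipsMode
    PolicyFile         = $PolicyPath
}

# Single-line JSON so a KACE ShellCommandTextReturn inventory rule or a script
# log can capture it verbatim.
$result | ConvertTo-Json -Compress

# Non-zero exit when the AnyConnect policy does not enable FIPS, so the job
# can flag the machine for follow-up.
if ($result.AnyConnectFipsMode -eq $true) { exit 0 } else { exit 1 }
```

The two checks are deliberately reported separately: the registry value governs Windows' own cryptographic providers, while the local policy element is what flips AnyConnect's "FIPS Mode: Enabled" in the VPN Statistics dialog, so a machine can show either one without the other. Like the registry check in the reply, this only proves the client is configured for FIPS mode, not that a given session negotiated FIPS-approved algorithms; that part of the original question still needs something on the headend side.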
08-30-2013 06:13 AM
That's one thing I'd thought of, and will do.
I was hoping to find something in the ASA, since that would not only prove that FIPS was enabled, but that it was also working correctly.