05-14-2020 12:34 PM
I recently updated the SSL config of my ASA that is configured for VPN. We are using SSL VPN with AnyConnect version 4.4. If I update the ciphers with the configuration below, AnyConnect no longer works:
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
The version of AnyConnect that I am using seems to prefer AES256-SHA256. My understanding is that AnyConnect 4.x should be able to handle the stronger ciphers just fine, but for whatever reason it isn't working for me. Below are some additional details:
AnyConnect 4.4.01054
ASA 9.12(3)12
AnyConnect Essentials Licenses
Current SSL config:
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group24
Any help is greatly appreciated!
05-14-2020 01:08 PM
05-15-2020 06:32 AM
Thank you, I do understand that I need to update the AnyConnect client and I do plan on doing so. But my goal is to improve our SSL security, and since I can't currently do that without breaking AnyConnect, I am just trying to determine a fix for our current situation. My understanding is that AnyConnect 4.x should be able to handle the strong SSL ciphers, and I am not sure why it won't use the DHE ciphers. More specifically, I am trying to enable Forward Secrecy and AEAD cipher suites to improve my SSL Labs score. It appears that as long as I have the AES256-SHA256 cipher enabled, I won't be able to pass those two hurdles.
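The two "hurdles" in the reply above are properties of the individual cipher suites: forward secrecy comes from an ephemeral key exchange (the ECDHE-/DHE- prefixes in OpenSSL-style names), and AEAD comes from the bulk cipher mode (GCM, CCM, ChaCha20-Poly1305). The script below is an added example, not from the original thread or from Cisco; it parses an ASA `ssl cipher ... custom "..."` line, classifies each suite on those two properties, and simulates a server-preference negotiation so you can see which suite a given client offer would land on before changing the ASA. The client offer list is a constructed what-if (a client that only offers static-RSA suites, matching the observation that this AnyConnect build settles on AES256-SHA256), not a captured AnyConnect ClientHello.

```python
"""Classify TLS 1.2 cipher suites by forward secrecy / AEAD and simulate
server-preference negotiation. Suite names are OpenSSL-style, as used in the
ASA 'ssl cipher <proto> custom "..."' command.

Added example for the thread above; not ASA or AnyConnect code."""

import re

# Key-exchange prefixes that give forward secrecy (ephemeral ECDH / DH).
_FS_PREFIXES = ("ECDHE-", "DHE-")
# Bulk-cipher markers that indicate an AEAD mode.
_AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305", "-CCM")

# The custom list from the original post, verbatim.
ASA_CUSTOM_LINE = (
    'ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 '
    "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 "
    "ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 "
    'DHE-RSA-AES256-SHA256"'
)

# Constructed what-if client offer (assumption, not a real AnyConnect ClientHello):
# a client that only offers static-RSA key exchange, so no FS suite can be chosen.
CLIENT_OFFER_EXAMPLE = ["AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA"]


def parse_asa_cipher_line(line):
    """Return the list of suites inside the quoted part of a 'custom' cipher line."""
    m = re.search(r'custom\s+"([^"]+)"', line)
    if not m:
        raise ValueError("not an 'ssl cipher ... custom \"...\"' line")
    return m.group(1).split()


def classify_suite(name):
    """Properties a scanner such as SSL Labs checks per suite."""
    return {
        "name": name,
        "forward_secrecy": name.startswith(_FS_PREFIXES),
        "aead": any(marker in name for marker in _AEAD_MARKERS),
    }


def negotiate(server_suites, client_suites):
    """Server-preference selection: the first server suite the client also
    offers, or None when there is no overlap (handshake failure)."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


def audit(server_suites):
    """Suites in a server list that lack forward secrecy or AEAD; these are the
    ones that cost points on the two hurdles if a client can negotiate them."""
    flagged = []
    for suite in server_suites:
        props = classify_suite(suite)
        if not (props["forward_secrecy"] and props["aead"]):
            flagged.append(suite)
    return flagged


if __name__ == "__main__":
    custom = parse_asa_cipher_line(ASA_CUSTOM_LINE)
    print("custom list suites lacking FS or AEAD:", audit(custom))
    print("FS-only server vs static-RSA client:", negotiate(custom, CLIENT_OFFER_EXAMPLE))
    # Re-adding AES256-SHA256 restores the handshake but also re-enables the
    # suite that fails both checks.
    print("with AES256-SHA256 appended:",
          negotiate(custom + ["AES256-SHA256"], CLIENT_OFFER_EXAMPLE))
```

Running it shows the trade-off in the thread directly: with the custom list alone the constructed client has no common suite (negotiation returns None, which is the AnyConnect failure), and appending AES256-SHA256 makes the handshake succeed on exactly the suite that has neither forward secrecy nor AEAD. The `audit` output is the list to trim once every client in the fleet offers ephemeral, AEAD suites.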