AnyConnect 4.4 Breaks after updating SSL Ciphers

JEB-1181
Level 1

I recently updated the SSL config of my ASA, which is configured for VPN. We are using SSL VPN with AnyConnect version 4.4. If I update the ciphers with the configuration below, AnyConnect no longer works:

 

ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"

 

The version of AnyConnect that I am using seems to prefer AES256-SHA256. My understanding is that AnyConnect 4.x should be able to handle the stronger ciphers just fine, but for whatever reason it isn't working for me. Below are some additional details:

 

AnyConnect 4.4.01054

ASA 9.12(3)12

AnyConnect Essentials Licenses

 

Current SSL config:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group24

 

Any help is greatly appreciated!

Accepted Solution

Hi,
You should look to upgrade AnyConnect to version 4.7 or newer (currently 4.8). In AnyConnect 4.7, DTLS 1.2 was introduced, which is more secure and provides better performance. When using an SSL/TLS VPN, by default your data will primarily be transmitted using DTLS. So you'd want to change the cipher (you are currently only using DTLS 1.0), which would provide support for AES-GCM etc.

HTH



JEB-1181
Level 1

Thank you, I do understand that I need to update the AnyConnect client, and I do plan on doing so. But my goal is to improve our SSL security, and since I can't currently do that without breaking AnyConnect, I am just trying to determine a fix for our current situation. My understanding is that AnyConnect 4.x should be able to handle the strong SSL ciphers, and I am not sure why it won't use the DHE ciphers. More specifically, I am trying to get Forward Secrecy and AEAD cipher suites enabled to improve my SSL Labs score. It appears that as long as I have the AES256-SHA256 cipher enabled, I won't be able to pass those two hurdles.
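As an added example (this is not code from the thread, from Cisco, or from AnyConnect), the script below takes the `ssl cipher ... custom` lines quoted in the original post and the DTLS line from the current config, parses the OpenSSL-style suite names the ASA command uses, classifies each suite for forward secrecy (ECDHE/DHE key exchange) and AEAD (GCM/CCM/ChaCha20), and simulates server-preference negotiation against a constructed client offer. It illustrates both the failure in the first post (no overlap between the hardened list and a client that only offers static-RSA suites) and the trade-off in the last post (appending AES256-SHA256 re-enables that client but reintroduces a suite with neither forward secrecy nor AEAD). The client offer list, the "compat" line with AES256-SHA256 appended last, and the assumption that the ASA picks in server order are all assumptions for the demonstration, not captured handshake data.

```python
"""Cipher-suite checks for ASA 'ssl cipher ... custom' lines.

Added example; not from the original thread, Cisco or AnyConnect. It parses
OpenSSL-style suite names, classifies each for forward secrecy and AEAD, and
simulates negotiation against a constructed client offer.
"""
import re

# Constructed client offer (assumption for the demo, not a captured ClientHello).
# The poster reports that AnyConnect 4.4.01054 "seems to prefer AES256-SHA256".
LEGACY_CLIENT_OFFER = ["AES256-SHA256", "AES256-SHA", "AES128-SHA256", "AES128-SHA"]
# Constructed modern client offer, used to show that the compat list still
# negotiates a GCM suite for clients that support one.
MODERN_CLIENT_OFFER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "AES256-SHA256"]

# Config lines quoted in the thread.
HARDENED_TLS12 = ('ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 '
                  'ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 '
                  'ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 '
                  'DHE-RSA-AES256-SHA256"')
CURRENT_DTLS1 = 'ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"'
# Constructed compromise (assumption): hardened list with the legacy suite
# appended LAST, so it is only chosen when nothing stronger overlaps.
COMPAT_TLS12 = HARDENED_TLS12[:-1] + ' AES256-SHA256"'

_LINE = re.compile(r'^ssl cipher (\S+) custom "([^"]+)"$')
_AEAD_TOKENS = ("GCM", "CCM", "CHACHA20")


def parse_cipher_line(line):
    """Return (version keyword, [suites]) from an explicit 'custom' line.

    Named levels such as 'ssl cipher tlsv1.2 high' carry no explicit list
    (the expansion depends on the ASA release), so they are rejected.
    """
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not an explicit custom cipher line: %r" % line)
    return m.group(1), m.group(2).split()


def classify(suite):
    """Classify an OpenSSL suite name of the form [KEX-][AUTH-]CIPHER[-MODE]-MAC.

    With no leading ECDHE/DHE token (e.g. AES256-SHA256) the key exchange is
    static RSA: the pre-master secret is encrypted to the server's RSA key,
    so a later key compromise decrypts recorded sessions (no forward secrecy).
    """
    tokens = suite.split("-")
    kex = tokens[0] if tokens[0] in ("ECDHE", "DHE") else "RSA"
    return {
        "suite": suite,
        "kex": kex,
        "forward_secrecy": kex != "RSA",
        "aead": any(t in _AEAD_TOKENS for t in tokens),
    }


def negotiate(server_prefs, client_offer):
    """Server-preference selection: first server suite the client also offers.

    Returns None when the lists do not overlap, i.e. the handshake fails
    for lack of a shared cipher, which is the symptom in the thread.
    """
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def report(server_prefs):
    """List the suites that would cost the forward-secrecy or AEAD marks."""
    rows = [classify(s) for s in server_prefs]
    return {
        "no_forward_secrecy": [r["suite"] for r in rows if not r["forward_secrecy"]],
        "no_aead": [r["suite"] for r in rows if not r["aead"]],
    }


if __name__ == "__main__":
    for label, line in (("hardened", HARDENED_TLS12), ("compat", COMPAT_TLS12),
                        ("dtls1", CURRENT_DTLS1)):
        version, suites = parse_cipher_line(line)
        print(label, version, "legacy client ->", negotiate(suites, LEGACY_CLIENT_OFFER),
              "| modern client ->", negotiate(suites, MODERN_CLIENT_OFFER))
        print("   ", report(suites))
```

Running it shows the hardened list negotiating nothing with the legacy offer, the compat list picking AES256-SHA256 for the legacy client but ECDHE-RSA-AES256-GCM-SHA384 for the modern one, and the DTLS 1.0 line carrying only non-AEAD suites, which is the gap the accepted answer points at.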