cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5529
Views
0
Helpful
5
Replies

Anyconnect 4.x client cannot connect

hm_alexander1
Level 1
Level 1

We used AnyConnect 2.5 and everthing was working fine. We want/must upgrade to AnyConnect 4.x now and first purchased a  AnyConnect Apex license and that is installed.

But still every AnyConnect attempt to connect either ends in "cannot contact server" on Windows or "No valid certificates available for authentication." on Mac.

set up on ASA 9.5

I am puzzled 

1) we don't use client certificates for authentiation only AAA.

2) this is a  bare minium standard AnyConnect config. Nothing fancy.

just being desparate I installed the anyconnect app for ipad. no luck there either. But because I was playing around I turned on FIPS on that - and lo and behold I could connect. 

But here is the thing: I never configured FIPS (disabling the non-FIPS cipher for example) on the ASA. Nor do I want or need it. 

I spent many hours on troubleshooting this and I am at a loss now.

Any pointers are greatly appreciated.

----

UPDATE:

I found the solution!

This is a bug! after some searching I found that the same description that applies to this particular bug is also affecting anyconnect 

https://tools.cisco.com/bugsearch/bug/CSCuv51649/?referring_site=bugquickviewclick

taking as the workaround states RC4-SHA out of the ciphers, made it work.

That also explains why the ipad APP worked with FIPS: FIPS doesnt' use RC4-SHA.

1 Accepted Solution

Accepted Solutions

I suspect you are hitting the issue documented in the ASA 9.4 release notes:

  • Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom
"AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

When your client was AnyConnect 2.5, it was not elliptic-curve-capable and you wouldn't see the issue. If you add the command noted above, it should fix the issue.

View solution in original post

5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

If you browse to your portal (vs. going via the client directly), do you get any certificate issues?

Did you also change the ASA software version?

No there are no certificate issues on the portal page. (you can try yourself https://vpnhou.littlebrothers.org)

I assume you are talking about the ASA core software:

we are on ASA 9.5(1)

ADSM 7.5(1)112

anything else that you can think off?

tried to enable FIPS mode on the mac client - just to see if that would work - nope that was not it.

but enabled debugging on the ASA and here is the error message:

%ASA-7-725014: SSL lib error. Function: SSL3_ACCEPT Reason: setup crypto context failed
%ASA-6-725006: Device failed SSL handshake with client outside:97.83.153.94/39958 to 24.213.39.214/443

I found the solution!

This is a bug! after some searching I found that the same description that applies to this particular bug is also affecting anyconnect 

https://tools.cisco.com/bugsearch/bug/CSCuv51649/?referring_site=bugquickviewclick

taking as the workaround states RC4-SHA out of the ciphers, made it work.

That also explains why the ipad APP worked with FIPS: FIPS doesnt' use RC4-SHA.

I suspect you are hitting the issue documented in the ASA 9.4 release notes:

  • Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom
"AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

When your client was AnyConnect 2.5, it was not elliptic-curve-capable and you wouldn't see the issue. If you add the command noted above, it should fix the issue.