Anyconnect 4.x client cannot connect

hm_alexander1, Level 1

We used AnyConnect 2.5 and everything was working fine. We want/must upgrade to AnyConnect 4.x now and first purchased an AnyConnect Apex license, and that is installed.

But still every AnyConnect attempt to connect either ends in "cannot contact server" on Windows or "No valid certificates available for authentication." on Mac.

Set up on ASA 9.5.

I am puzzled:

1) We don't use client certificates for authentication, only AAA.

2) This is a bare-minimum standard AnyConnect config. Nothing fancy.

Just being desperate, I installed the AnyConnect app for iPad. No luck there either. But because I was playing around I turned on FIPS on that, and lo and behold, I could connect.

But here is the thing: I never configured FIPS (disabling the non-FIPS ciphers, for example) on the ASA. Nor do I want or need it.

I spent many hours troubleshooting this and I am at a loss now.

Any pointers are greatly appreciated.

----

UPDATE:

I found the solution!

This is a bug! After some searching I found that the same description that applies to this particular bug is also affecting AnyConnect:

https://tools.cisco.com/bugsearch/bug/CSCuv51649/?referring_site=bugquickviewclick

Taking RC4-SHA out of the ciphers, as the workaround states, made it work.

That also explains why the iPad app worked with FIPS: FIPS doesn't use RC4-SHA.

Accepted Solution

I suspect you are hitting the issue documented in the ASA 9.4 release notes:

  • Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

When your client was AnyConnect 2.5, it was not elliptic-curve-capable and you wouldn't see the issue. If you add the command noted above, it should fix the issue.
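The following ASA CLI fragment is an added example and is not from the thread, the release notes, or Cisco; it puts the release-note cipher list quoted above beside a tightened RSA-only list that also drops the RC4 and DES suites the poster's bug workaround removes, and shows the commands used to check the result. Assumptions: the VPN-facing interface is "outside", its RSA trustpoint is named RSA-TP, and the AES-GCM/SHA-256 suite names are the OpenSSL-style names ASA 9.3+ lists in "show ssl ciphers" (confirm on your release before pasting).

```text
! Added example (not from the thread). Assumed names: interface "outside", trustpoint "RSA-TP".

! Before changing anything, record which suites the ASA offers per TLS version
! and which trustpoint is bound to each interface.
show ssl ciphers
show ssl

! 1) Release-note workaround exactly as quoted in the accepted solution.
!    RSA-only, so no ECDHE suite can be negotiated and the ASA never substitutes
!    its self-signed EC certificate. It still carries RC4-SHA, RC4-MD5 and
!    single-DES, which the poster's bug workaround (remove RC4-SHA) and current
!    clients reject.
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

! 2) Tightened form: still RSA-only (no ECDHE-*, no ECDSA), but without RC4,
!    DES or 3DES. The GCM/SHA-256 names are an assumption; keep only the ones
!    that actually appear in "show ssl ciphers" on your release.
ssl cipher tlsv1.2 custom "AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"

! The custom list only applies to the TLS version named in the command. Either
! repeat it for tlsv1.1 / tlsv1 if those stay enabled, or pin the server to 1.2.
ssl server-version tlsv1.2

! Make sure the RSA trustpoint is really the one bound to the VPN interface;
! a missing binding is another way to end up on the self-signed certificate.
ssl trust-point RSA-TP outside

! Verify: the cipher lists and interface trustpoints should now show RSA-only
! suites, and a fresh AnyConnect login should succeed without the
! "SSL lib error ... setup crypto context failed" / 725006 handshake failures.
show ssl ciphers
show ssl
```

Taking RC4-SHA out, as the poster found, is what makes the bug in CSCuv51649 go away; the rest of the tightened list is ordinary hygiene for an RSA-only interface and does not change the fix.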


5 Replies

Marvin Rhoads, Hall of Fame

If you browse to your portal (vs. going via the client directly), do you get any certificate issues?

Did you also change the ASA software version?

No, there are no certificate issues on the portal page. (You can try it yourself: https://vpnhou.littlebrothers.org)

I assume you are talking about the ASA core software:

We are on ASA 9.5(1)

ASDM 7.5(1)112

Anything else that you can think of?

Tried to enable FIPS mode on the Mac client, just to see if that would work. Nope, that was not it.

But I enabled debugging on the ASA, and here is the error message:

%ASA-7-725014: SSL lib error. Function: SSL3_ACCEPT Reason: setup crypto context failed
%ASA-6-725006: Device failed SSL handshake with client outside:97.83.153.94/39958 to 24.213.39.214/443

