cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
12337
Views
15
Helpful
9
Replies
Quintin.Mayo
Beginner

Anyconnect Error - Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect

Hi,

 

We upgraded our AnyConnect image to (anyconnect-win-4.9.01095-webdeploy-k9.pkg) version now we are receiving the Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect error.  Can anyone assist with this error? It would be greatly appreciated.  I posted the policy and tunnel groups info for review.

 

WFC-COT-ASA-1# sh run group-policy
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_WFC_Anyconnect internal
group-policy GroupPolicy_WFC_Anyconnect attributes
wins-server none
dns-server value x.x.x.x  x.x.x.x
vpn-tunnel-protocol ikev2 ssl-client
default-domain value wwad.wilwoodclinic.com
client-bypass-protocol enable
webvpn
anyconnect profiles value WFC_Anyconnect_client_profile type user

 

WFC-COT-ASA-1# sh run tunnel-group
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group WFC_Anyconnect type remote-access
tunnel-group WFC_Anyconnect general-attributes
authentication-server-group LDAP LOCAL
default-group-policy GroupPolicy_WFC_Anyconnect
dhcp-server link-selection x.x.x.x
tunnel-group WFC_Anyconnect webvpn-attributes
group-alias WFC_Anyconnect enable

--------------------------------------------------------------------------------------------------------

WFC-MAD-ASA-1# sh run group-policy
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_WFC_Anyconnect internal
group-policy GroupPolicy_WFC_Anyconnect attributes
wins-server none
dns-server value x.x.x.x  x.x.x.x
vpn-tunnel-protocol ikev2 ssl-client
default-domain value wwad.wildwoodclinic.com
client-bypass-protocol enable
webvpn
anyconnect profiles value WFC_Anyconnect_client_profile type user


WFC-MAD-ASA-1# sh run tunnel-group
tunnel-group WFC_Anyconnect type remote-access
tunnel-group WFC_Anyconnect general-attributes
authentication-server-group LDAP LOCAL
default-group-policy GroupPolicy_WFC_Anyconnect
dhcp-server link-selection x.x.x.x
tunnel-group WFC_Anyconnect webvpn-attributes
group-alias WFC_Anyconnect enable
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

 

9 REPLIES 9
Rob Ingram
VIP Mentor

Hi,

Unfortunately that does not tell us what algorithms you are using.

Are you using IPSec or SSL?

 

In AnyConnect 4.9 the follow changes were made:-

 

 

  • For SSL VPN, AnyConnect no longer supports the following cipher suites from both TLS and DTLS: DHE-RSA-AES256-SHA and DES-CBC3-SHA

  • For IKEv2/IPsec, AnyConnect no longer supports the following algorithms:

    • Encryption algorithms: DES and 3DES

    • Pseudo Random Function (PRF) algorithm: MD5

    • Integrity algorithm: MD5

    • Diffie-Hellman (DH) groups: 2, 5, 14, 24

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html

 

If you are using any of the above algorithms I suggest you modify your configuration accordingly.

 

If you need further assistance, provide the output of "show run crypto" and "show run ssl"

 

HTH

Hi,

 

Thanks for the information. I have attached the output for the Crypto and SSL commands.  Please advise, your assistance is greatly appreciated again.

 

Thanks,

Are you using IPSec or SSL for Remote Access VPN?

 

You are using TLS1.2 so that using the more secure algorithms, you should consider modify your SSL dh-group to use group 14, instead of group 5.

WFC-COT-ASA-1# sh run ssl
ssl dh-group group5

Your IKEv1/IKEv2 Policies are also using depreciated algorithms. You'd probably want to amend  your IKE Policies, remove DES, 3DES, DH group 2, 5 etc and use AES, DH Group 19, 20 or 21. Be careful if these IKE policies are used for S2S VPN's aswell as RAVPN.

 

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto iev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

Alternatively you could create a new more secure IKEv2 Policy (see below), however you will need to delete the existing IKEv2 Policy #1 and re-add using a number greater than the new policy, e.g 6. This ensures that the RAVPN users can connect using the new policy and existing S2s VPN can also still connect using the older policies.

 

crypto ikev2 policy 5
encryption aes-gcm
integrity null
group 19
prf sha256

You may need/want to upgrade your ASA version depending on what you are currently running. In 9.13 those algorithms have been depreciated. https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html

thanks.. that was the solution: 

 

crypto ikev2 policy 5
encryption aes-gcm
integrity null
group 19
prf sha256

Anyconnect on iPhone works again..  

We are running on a Mac with OS 10.15.7.  We don't have the commands 'show run crypto' or 'show run ssl' available in the terminal.  We also don't have control of the algorithms, since they come with the OS.  How can we get something that will run with 4.9?

@IntellexRSK those commands are to be used on the ASA headend - not on the client AnyConnect or terminal.

FYI Mac OS 10.15.7 (Catalina) or 11.x (Big Sur) clients should use the latest AnyConnect version - currently 4.9.06037 - for best compatibility, especially with Big Sur.

We're using 4.9.0403, which is the latest version the school has on their installer, but it's giving us this crypto error when we try to log in.  I can't figure out what ssl it wants or how I can upgrade to it.

As noted, the crypto settings that cause this error are on the ASA - not anywhere on the client. The administrator of the ASA needs to fix the issue. There is nothing you can do from the client side to remedy the problem.

So Why does this only happen on some clients  I have 40 clients and only 3 are having this issue?  All are windows 10, is there version of windows 10 that does not have the requried algorithms?  

 

Thanks

 

Scott

Content for Community-Ad