cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
25099
Views
15
Helpful
12
Replies

Anyconnect Error - Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect

Quintin.Mayo
Explorer
Explorer

Hi,

 

We upgraded our AnyConnect image to (anyconnect-win-4.9.01095-webdeploy-k9.pkg) version now we are receiving the Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect error.  Can anyone assist with this error? It would be greatly appreciated.  I posted the policy and tunnel groups info for review.

 

WFC-COT-ASA-1# sh run group-policy
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_WFC_Anyconnect internal
group-policy GroupPolicy_WFC_Anyconnect attributes
wins-server none
dns-server value x.x.x.x  x.x.x.x
vpn-tunnel-protocol ikev2 ssl-client
default-domain value wwad.wilwoodclinic.com
client-bypass-protocol enable
webvpn
anyconnect profiles value WFC_Anyconnect_client_profile type user

 

WFC-COT-ASA-1# sh run tunnel-group
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group WFC_Anyconnect type remote-access
tunnel-group WFC_Anyconnect general-attributes
authentication-server-group LDAP LOCAL
default-group-policy GroupPolicy_WFC_Anyconnect
dhcp-server link-selection x.x.x.x
tunnel-group WFC_Anyconnect webvpn-attributes
group-alias WFC_Anyconnect enable

--------------------------------------------------------------------------------------------------------

WFC-MAD-ASA-1# sh run group-policy
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_WFC_Anyconnect internal
group-policy GroupPolicy_WFC_Anyconnect attributes
wins-server none
dns-server value x.x.x.x  x.x.x.x
vpn-tunnel-protocol ikev2 ssl-client
default-domain value wwad.wildwoodclinic.com
client-bypass-protocol enable
webvpn
anyconnect profiles value WFC_Anyconnect_client_profile type user


WFC-MAD-ASA-1# sh run tunnel-group
tunnel-group WFC_Anyconnect type remote-access
tunnel-group WFC_Anyconnect general-attributes
authentication-server-group LDAP LOCAL
default-group-policy GroupPolicy_WFC_Anyconnect
dhcp-server link-selection x.x.x.x
tunnel-group WFC_Anyconnect webvpn-attributes
group-alias WFC_Anyconnect enable
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

 

12 Replies 12

Rob Ingram
VIP Expert VIP Expert
VIP Expert

Hi,

Unfortunately that does not tell us what algorithms you are using.

Are you using IPSec or SSL?

 

In AnyConnect 4.9 the follow changes were made:-

 

 

  • For SSL VPN, AnyConnect no longer supports the following cipher suites from both TLS and DTLS: DHE-RSA-AES256-SHA and DES-CBC3-SHA

  • For IKEv2/IPsec, AnyConnect no longer supports the following algorithms:

    • Encryption algorithms: DES and 3DES

    • Pseudo Random Function (PRF) algorithm: MD5

    • Integrity algorithm: MD5

    • Diffie-Hellman (DH) groups: 2, 5, 14, 24

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html

 

If you are using any of the above algorithms I suggest you modify your configuration accordingly.

 

If you need further assistance, provide the output of "show run crypto" and "show run ssl"

 

HTH

Hi,

 

Thanks for the information. I have attached the output for the Crypto and SSL commands.  Please advise, your assistance is greatly appreciated again.

 

Thanks,

Are you using IPSec or SSL for Remote Access VPN?

 

You are using TLS1.2 so that using the more secure algorithms, you should consider modify your SSL dh-group to use group 14, instead of group 5.

WFC-COT-ASA-1# sh run ssl
ssl dh-group group5

Your IKEv1/IKEv2 Policies are also using depreciated algorithms. You'd probably want to amend  your IKE Policies, remove DES, 3DES, DH group 2, 5 etc and use AES, DH Group 19, 20 or 21. Be careful if these IKE policies are used for S2S VPN's aswell as RAVPN.

 

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto iev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

Alternatively you could create a new more secure IKEv2 Policy (see below), however you will need to delete the existing IKEv2 Policy #1 and re-add using a number greater than the new policy, e.g 6. This ensures that the RAVPN users can connect using the new policy and existing S2s VPN can also still connect using the older policies.

 

crypto ikev2 policy 5
encryption aes-gcm
integrity null
group 19
prf sha256

You may need/want to upgrade your ASA version depending on what you are currently running. In 9.13 those algorithms have been depreciated. https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html

thanks.. that was the solution: 

 

crypto ikev2 policy 5
encryption aes-gcm
integrity null
group 19
prf sha256

Anyconnect on iPhone works again..  

Hi, on cisco anyconnect 4.10, we had the same error. We correct the dh group, but we have the next problem: the gw vpn is added with profile editor on server list, with a display name, fqdn and group. But when it try to connect the error appear again. If I put manually the fqdn on the client, then connect.. do you know why?

We are running on a Mac with OS 10.15.7.  We don't have the commands 'show run crypto' or 'show run ssl' available in the terminal.  We also don't have control of the algorithms, since they come with the OS.  How can we get something that will run with 4.9?

@IntellexRSK those commands are to be used on the ASA headend - not on the client AnyConnect or terminal.

FYI Mac OS 10.15.7 (Catalina) or 11.x (Big Sur) clients should use the latest AnyConnect version - currently 4.9.06037 - for best compatibility, especially with Big Sur.

We're using 4.9.0403, which is the latest version the school has on their installer, but it's giving us this crypto error when we try to log in.  I can't figure out what ssl it wants or how I can upgrade to it.

As noted, the crypto settings that cause this error are on the ASA - not anywhere on the client. The administrator of the ASA needs to fix the issue. There is nothing you can do from the client side to remedy the problem.

So Why does this only happen on some clients  I have 40 clients and only 3 are having this issue?  All are windows 10, is there version of windows 10 that does not have the requried algorithms?  

 

Thanks

 

Scott

I had this same issue.  What I found was that it was an issue on the client with the AnyConnect profile file. 

After upgrading the client, AnyConnect would come up with the connection as something like "MARS-5506X (Ipsec) IPV4" (at which time it did not prompt to accept the SSL cert), which was a stored profile.

 

I went back and entered just the IP address for the connection, it prompted me for the SSL cert, I accepted and the error went away.

 

So, looks like it is something that is being stored in the local XML profile file (c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile)

 

Hope that helps.

John

I am using a MacBook Pro with macOS Monterrey Version 12.6

I was only receiving the error from this client and could always connect from other devices, Win10, iPhone and iPad.

MARENGO78_0-1665683367719.png

The solution was to remove this line from the profile

<PrimaryProtocol>IPsec</PrimaryProtocol>

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers