AnyConnect fails to connect when using ECDH Group21 521-bit EC

ChuckHaynes
Level 3

ECDH group to be used with SSL - Group21 - 521-bit EC (doesn't work with AnyConnect)

Anyone else experiencing this? ASA 5516-X, AnyConnect 4.8

Thanks

4 Replies

Sheraz.Salim
VIP Alumni

I just checked AnyConnect version 8 with your setting; it works for me. The only difference is that my box is a 5506-X running Version 9.9(2)47.

no threat-detection statistics tcp-intercept
ssl ecdh-group group21
ssl trust-point Peston_Trust outside
ssl trust-point Peston_Trust LAB
ssl trust-point Peston_Trust SERVER_BOX
ssl trust-point Peston_Trust DOT1X_less
ssl trust-point Peston_Trust wireless-house
ssl trust-point Peston_Trust BIG-SERVER
ssl trust-point Peston_Trust dot1x_wireless
webvpn
port 8443
enable outside

!

show webvpn anyconnect
1. disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
4,8,01090
Hostscan Version 4.8.01090
Mon 10/21/2019 9:53:27.36

please do not forget to rate.

ASA 5516-X 9.13(1)2

ASA# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS) (DEPRECATED)
SSL ECDH Group: group20 (384-bit EC)

SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface outside: MEC-SSL-Trustpoint (EC 384 bits ecdsa-with-SHA256)
Certificate authentication is not enabled

When I set it to Group21, AnyConnect will no longer connect. It says "Could not connect to server. Please verify Internet connectivity and server address."

Thanks

The problem was that our SSL certificate wasn't 521-bit. It looks like most CAs don't support it yet?
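As an added check (example code, not from the thread or from Cisco), the following Python walks a DER-encoded certificate or SubjectPublicKeyInfo and reports which curve the EC key is on, mapped to the ASA's ecdh-group naming, so a trustpoint can be verified before ssl ecdh-group is changed. It assumes DER bytes as input (base64-decode a PEM export first) and constructs P-384 and P-521 sample key structures inline instead of using a real certificate.

```python
# Curve OIDs (dotted form) mapped to the ASA's ecdh-group naming
CURVES = {
    "1.2.840.10045.3.1.7": "secp256r1 (256-bit EC, group19)",
    "1.3.132.0.34": "secp384r1 (384-bit EC, group20)",
    "1.3.132.0.35": "secp521r1 (521-bit EC, group21)",
}
EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey; the curve OID follows it

def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def walk_oids(der):
    """Yield every OID in a DER blob in order, descending into constructed types."""
    i = 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:                       # long-form length (whole certificates)
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        content = der[i:i + length]
        if tag == 0x06:
            yield decode_oid(content)
        elif tag & 0x20:                        # SEQUENCE, SET, [n] explicit tags
            yield from walk_oids(content)
        i += length

def ec_curve(der):
    """Curve description for an EC key in a DER cert/SPKI, or None for RSA/unknown."""
    oids = list(walk_oids(der))
    if EC_PUBLIC_KEY not in oids:
        return None
    curve = oids[oids.index(EC_PUBLIC_KEY) + 1]
    return CURVES.get(curve, "unknown curve " + curve)

def tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form DER builder for samples

def sample_spki(curve_oid_bytes):
    """Constructed SubjectPublicKeyInfo with a dummy point (test data, not a real key)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A8648CE3D0201")) + tlv(0x06, curve_oid_bytes))
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04"))

SAMPLE_P384 = sample_spki(bytes.fromhex("2B81040022"))   # secp384r1, like the 384-bit trustpoint above
SAMPLE_P521 = sample_spki(bytes.fromhex("2B81040023"))   # secp521r1, the curve group21 expects
```

A result other than secp521r1 for the outside trustpoint is the mismatch the thread ran into: the ecdh-group was raised to group21 while the certificate key stayed on a smaller curve.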