12-05-2018 02:02 PM - edited 02-21-2020 09:31 PM
With the release of v9.10.1, has anyone been able to get DTLSv1.2 working with AnyConnect sessions? (Our clients are v4.6.02074)
-If I don't specify dtlsv1.2, it will always establish the DTLS tunnel using dtlsv1.0.
-If I do specify dtlsv1.2 with the following config, the DTLS tunnel fails to establish with the message "%ASA-5-722043: Group <groupid> User <userid> IP <ipaddress> DTLS disabled: unable to negotiate cipher". Removing the "ssl cipher dtlsv1" line makes no difference.
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl ecdh-group group20
ssl dh-group group24
12-05-2018 06:09 PM
AnyConnect must also be upgraded to Release 4.7 for DTLS 1.2 support.
Reference:
12-05-2018 10:40 PM
Thank you Marvin! I've been struggling with this for a while and of course today the client update is released...
Confirmation session output is shown below.
DTLS-Tunnel:
Tunnel ID : 10156.3
Assigned IP : y.y.y.y Public IP : x.x.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 53241
UDP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1437 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
12-05-2018 08:01 PM - edited 12-05-2018 08:06 PM
I just upgraded my lab - FTD 6.3 (includes LINA / ASA release 9.10(1)3) and pushing AnyConnect 4.7.00136. Note the TLS 1.2 connection:
> show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : user1 Index : 5
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 32022 Bytes Rx : 34713
Pkts Tx : 129 Pkts Rx : 278
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : CCIELab_GP Tunnel Group : CCIELab_VPN
Login Time : 03:52:57 UTC Thu Dec 6 2018
Duration : 0h:02m:21s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ac1f0101000050005c089d19
Security Grp : none Tunnel Zone : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 5.1
Public IP : 192.168.0.107
Encryption : none Hashing : none
TCP Src Port : 23728 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : win
Client OS Ver: 10.0.17134
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8454 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 5.2
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 23732
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8454 Bytes Rx : 496
Pkts Tx : 6 Pkts Rx : 5
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 5.3
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Encryption : AES256 Hashing : SHA1
Ciphersuite : DHE-RSA-AES256-SHA
Encapsulation: DTLSv1.0 UDP Src Port : 51520
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 15114 Bytes Rx : 34217
Pkts Tx : 117 Pkts Rx : 273
Pkts Tx Drop : 0 Pkts Rx Drop : 0
> show running-config ssl
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group1
ssl trust-point VPN_Cert_Enrollment
ssl trust-point VPN_Cert_Enrollment Outside-Home
>
> show version
---------[ vftd-new.ccielab.mrneteng.com ]----------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.3.0 (Build 83)
UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7
Rules update version : 2018-12-03-001-vrt
VDB version : 307
----------------------------------------------------
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
vftd-new> show ver
vftd-new> show version
---------[ vftd-new.ccielab.mrneteng.com ]----------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.3.0 (Build 83)
UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7
Rules update version : 2018-12-03-001-vrt
VDB version : 307
----------------------------------------------------
Cisco Adaptive Security Appliance Software Version 9.10(1)3
Firepower Extensible Operating System Version 2.4(1.216)
Compiled on Tue 27-Nov-18 12:00 PST by builders
System image file is "boot:/asa9101-3-smp-k8.bin"
Config file at boot was "startup-config"
vftd-new up 1 hour 0 mins
Hardware: ASAv, 8192 MB RAM, CPU Pentium II 2100 MHz, 1 CPU (4 cores)
Model Id: ASAv30
Internal ATA Compact Flash, 50176MB
Slot 1: ATA Compact Flash, 50176MB
BIOS Flash Firmware Hub @ 0x0, 0KB
0: Int: Internal-Data0/0 : address is 000c.2924.8e3e, irq 10
1: Ext: GigabitEthernet0/0 : address is 000c.2924.8e48, irq 5
2: Ext: GigabitEthernet0/1 : address is 000c.2924.8e52, irq 9
3: Ext: GigabitEthernet0/2 : address is 000c.2924.8e5c, irq 11
4: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
5: Int: Internal-Data0/0 : address is 0000.0000.0000, irq 0
6: Ext: Management0/0 : address is 000c.2924.8e3e, irq 0
7: Int: Internal-Data0/1 : address is 0000.0000.0000, irq 0
8: Int: Internal-Data0/2 : address is 0000.0000.0000, irq 0
Serial Number: 9ADK32SQAT2
Image type : Release
Key version : A
Configuration last modified by enable_1 at 03:41:24.871 UTC Thu Dec 6 2018
vftd-new>
12-06-2018 07:35 AM
Marvin, the config printout from your lab lists the DTLS tunnel as using TLS 1.1 and SHA1. Was this an oversight in the thread?
DTLS-Tunnel:
Tunnel ID : 5.3
Assigned IP : 172.31.1.211 Public IP : 192.168.0.107
Encryption : AES256 Hashing : SHA1
Ciphersuite : DHE-RSA-AES256-SHA
Encapsulation: DTLSv1.0 UDP Src Port : 51520
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 15114 Bytes Rx : 34217
Pkts Tx : 117 Pkts Rx : 273
Pkts Tx Drop : 0 Pkts Rx Drop : 0
12-06-2018 07:37 AM
I noticed that. TLS is 1.2, DTLS is not.
I'm wondering if it's an FTD vs. ASA thing. I need to upgrade my ASAv to 9.10(1) and compare.
12-13-2018 08:43 AM
I have scanned the requirements. Anyconnect 4.7 is required to enable TLS1.2. Do you also have to have an ECDHE public certificate? I am a little confused. There is a requirement for cipher strength in the documentation that I saw. Is this the case? 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'
12-13-2018 09:21 AM
From what I've seen, ciphers that start with ECDHE-RSA do not require an EC certificate. Ciphers that start with ECDHE-ECDSA do.
12-13-2018 10:30 AM
12-13-2018 11:00 AM
We were using v4.2 clients with v9.9 ASA code. I don't see 9.10.1 code as having a problem with older client versions. It's more like older client versions don't support more recently implemented features. If you are doing the same things, it shouldn't be a problem...but always test.
12-14-2018 10:45 AM - edited 12-14-2018 10:46 AM
I have tested ASA 9.10.1 with AnyConnect 4.7 and TLS 1.2. The connection comes up and shows the correct DTLS version. As noted by others, 4.7 is required for DTLS 1.2. Previous versions of AnyConnect will work with this version of ASA, but will not connect with DTLS 1.2.
12-17-2018 10:51 AM
12-17-2018 12:03 PM
Thanks arnert, that's good to know! There is also an LDAP bug in 9.10.1 we're seeing that causes ASA to crash. It's not published yet, but if you use LDAP to authenticate users I'd suggest not upgrading yet.
02-13-2019 01:53 PM
Marvin,
The show results you provided still show DTLSv1.0, not 1.2, under DTLS-Tunnel. The red you highlighted is for TLS, not DTLS. Any ideas?
02-14-2019 03:54 AM - edited 02-14-2019 04:06 AM
As @stsargen noted, it seems DTLS 1.2 is supported in native ASA 9.10.1. However, my testing shows it does NOT appear to be supported in FTD 6.3.0, which includes ASA 9.10.1-3 in the LINA (ASA) subsystem.
I just upgraded my ASAv to 9.10.1 and got the following:
ccielab-asa# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : user1 Index : 7
Assigned IP : 172.31.1.200 Public IP : 192.168.0.105
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Bytes Tx : 27511 Bytes Rx : 31112
Pkts Tx : 100 Pkts Rx : 225
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_ccielab Tunnel Group : ccielab
Login Time : 19:46:04 MYT Thu Feb 14 2019
Duration : 0h:02m:44s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ac1f0115000070005c6554fc
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 7.1
Public IP : 192.168.0.105
Encryption : none Hashing : none
TCP Src Port : 13976 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : win
Client OS Ver: 10.0.17134
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8087 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 7.2
Assigned IP : 172.31.1.200 Public IP : 192.168.0.105
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 13979
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8228 Bytes Rx : 388
Pkts Tx : 7 Pkts Rx : 7
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 7.3
Assigned IP : 172.31.1.200 Public IP : 192.168.0.105
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 56578
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 11580 Bytes Rx : 31050
Pkts Tx : 90 Pkts Rx : 223
Pkts Tx Drop : 0 Pkts Rx Drop : 0
ccielab-asa#
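The thread shows how easy it is to miss a silent fallback: the FTD dump negotiated DTLSv1.0 with DHE-RSA-AES256-SHA while the TLS tunnel looked fine, and only the ASAv dump shows DTLSv1.2 with a GCM suite. The checker below is an added example, not code from this thread or from Cisco: it parses `show vpn-sessiondb detail anyconnect` output (line-broken or pasted onto one line, as forum pastes often are), flags a DTLS tunnel below DTLSv1.2 or without an AEAD suite, and reports whether the suite implies an RSA or ECDSA certificate, the distinction raised in the 12-13 reply. The two sample dumps are constructed, modelled on the outputs above.

```python
import re

# Per-tunnel section headers are followed by "Tunnel ID"; the "SSL-Tunnel: (1)AES..."
# entries in the summary block are not, so the lookahead keeps those out of the split.
TUNNEL_RE = re.compile(r"(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):\s+(?=Tunnel ID)")
# "Name : value" pairs; the device prints two per line and pastes may run the whole
# dump onto one line, so we key on the field names rather than on line breaks.
FIELD_RE = re.compile(r"(Tunnel ID|Encryption|Hashing|Ciphersuite|Encapsulation)\s*:\s*(\S+)")

def parse_tunnels(output):
    """Split a 'show vpn-sessiondb detail anyconnect' dump into {tunnel: {field: value}}."""
    parts = TUNNEL_RE.split(output)  # [summary, name, body, name, body, ...]
    return {name: dict(FIELD_RE.findall(body)) for name, body in zip(parts[1::2], parts[2::2])}

def cert_key_type(ciphersuite):
    """Certificate the suite needs: ECDHE-ECDSA needs an EC cert, ECDHE-RSA/DHE-RSA an RSA cert."""
    return "ECDSA" if "ECDSA" in ciphersuite else "RSA"

def audit_dtls(output, expected="DTLSv1.2"):
    """Report whether the session's DTLS tunnel negotiated the expected version and an AEAD suite."""
    dtls = parse_tunnels(output).get("DTLS-Tunnel")
    if dtls is None:
        return {"ok": False, "findings": ["no DTLS tunnel; session is running over TLS only"]}
    version, suite = dtls.get("Encapsulation", ""), dtls.get("Ciphersuite", "")
    findings = []
    if version != expected:
        findings.append(f"DTLS encapsulation is {version}, expected {expected}")
    if "GCM" not in suite:  # CBC suites such as DHE-RSA-AES256-SHA are not AEAD
        findings.append(f"non-AEAD DTLS ciphersuite {suite}")
    return {"ok": not findings, "version": version, "ciphersuite": suite,
            "cert_key_type": cert_key_type(suite), "findings": findings}

# Constructed samples modelled on the dumps in this thread (not the real outputs).
FTD_SAMPLE = (  # one-line paste, DTLS fell back to 1.0 with a CBC suite
    "Session Type: AnyConnect Detailed Username : user1 Index : 5 "
    "Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256 "
    "AnyConnect-Parent: Tunnel ID : 5.1 Encryption : none Hashing : none "
    "SSL-Tunnel: Tunnel ID : 5.2 Encryption : AES-GCM-256 Hashing : SHA384 "
    "Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384 Encapsulation: TLSv1.2 TCP Src Port : 23732 "
    "DTLS-Tunnel: Tunnel ID : 5.3 Encryption : AES256 Hashing : SHA1 "
    "Ciphersuite : DHE-RSA-AES256-SHA Encapsulation: DTLSv1.0 UDP Src Port : 51520")
ASA_SAMPLE = """SSL-Tunnel:
Tunnel ID : 7.2
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 13979
DTLS-Tunnel:
Tunnel ID : 7.3
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 56578
"""

if __name__ == "__main__":
    for label, dump in (("FTD 6.3", FTD_SAMPLE), ("ASA 9.10.1", ASA_SAMPLE)):
        print(label, audit_dtls(dump))
```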