Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2592
Views
0
Helpful
5
Replies

Anyconnect TLS 1.3 browser error

Go to solution
BorislavPenchev0962
Level 3
Level 3

‎05-30-2022 12:25 AM

Hello,

we use SSL VPN with Anyconnect VPN Client. Service runs on Cisco3945E Router.

to load the VPN Client a Website should be opened, ex. https://shave.systems.at/khstp,then comes the Downloadlink.
we noticed that newer Browser versions does not show the Website as TLS Version 1.2 is outdated and Version 1.3 is requested;
we could not find how to enable TLS 1.3 on Router?

Chrome reports: err_ssl_version_or_cipher_mismatch

when we test with Internet Explorer 21H2 access is ok, but with newer browser version does not work:

eg. FF 100, Edge etc

 

Regards

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to BorislavPenchev0962

‎06-03-2022 02:12 AM

@BorislavPenchev0962

A Cisco router is not the idea platform for a SSL-VPN, if using a router for a Remote Access VPN then the recommended solution is FlexVPN, which utilises IKEv2/IPSec - TLS support would not be required.

 

Though the ideal Cisco platform for Remote Access VPN is the FTD or to a lesser extent the ASA, you can then run TLS or IKEv2/IPSec.

View solution in original post

0 Helpful

Go to solution
BorislavPenchev0962
Level 3
Level 3

‎06-17-2022 02:48 AM

some details we got on this case:

 

TLS version 1.3 is introduced in IOS XE 17.8.1, as per the following link:
https://community.cisco.com/t5/networking-blogs/what-s-new-ios-xe-17-8-routing-release-update/ba-p/4601982

Besides that, I suggest you take a look at the Catalyst 8500 family, as this family is the next generation of the fixed ASR1k family, providing better performance and scale: https://www.cisco.com/c/en/us/products/collateral/routers/catalyst-8500-series-edge-platforms/datasheet-c78-744089.html

 

in case this is for SSL VPN use ? I say so because it seems TLS 1.3 will be supported only on C8000v, not any hardware-based platform.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-30-2022 01:51 AM 

Cisco3945E Router

going to be End of Life soon, what IOS code running on this router, as per i know with the information, the current version of code not support, try OLD browsers and test is that works, then enable 1.2 support in the browser and test it.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
BorislavPenchev0962
Level 3
Level 3
In response to balaji.bandi

‎06-01-2022 03:39 AM - edited ‎06-01-2022 09:23 PM

with TLS 1.2 works for this Router Cisco 3945E

current IOS 15.7(3)M8

 

#sh ip http server secure status

HTTP secure server TLS version:  TLSv1.2 TLSv1.1 TLSv1.0

 

as router does not show TLSv1.3 we get the error on the Website;

 browsers are TLS1.3 compatible, but not sure for router;

0 Helpful

Go to solution
BorislavPenchev0962
Level 3
Level 3

‎06-03-2022 02:04 AM

where can we check TLSv1.3 compatibility with ASR1001  as we will move eventually to this platform in future;

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to BorislavPenchev0962

‎06-03-2022 02:12 AM

@BorislavPenchev0962

A Cisco router is not the idea platform for a SSL-VPN, if using a router for a Remote Access VPN then the recommended solution is FlexVPN, which utilises IKEv2/IPSec - TLS support would not be required.

 

Though the ideal Cisco platform for Remote Access VPN is the FTD or to a lesser extent the ASA, you can then run TLS or IKEv2/IPSec.

0 Helpful

Go to solution
BorislavPenchev0962
Level 3
Level 3

‎06-17-2022 02:48 AM

some details we got on this case:

 

TLS version 1.3 is introduced in IOS XE 17.8.1, as per the following link:
https://community.cisco.com/t5/networking-blogs/what-s-new-ios-xe-17-8-routing-release-update/ba-p/4601982

Besides that, I suggest you take a look at the Catalyst 8500 family, as this family is the next generation of the fixed ASR1k family, providing better performance and scale: https://www.cisco.com/c/en/us/products/collateral/routers/catalyst-8500-series-edge-platforms/datasheet-c78-744089.html

 

in case this is for SSL VPN use ? I say so because it seems TLS 1.3 will be supported only on C8000v, not any hardware-based platform.

0 Helpful
Customers Also Viewed These Support Documents