
Ciphers issues on ASAv 9.12

strou
Level 1

Hi,

I just configured a new ASAv for remote SSL VPN. I have cipher concerns and I am not very good at this.

The previous VPN (ASA 9.6) had this configuration:

ssl server-version tlsv1
ssl cipher default custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19

I configured the new one with the same commands, which also had these two new DTLS default commands:

ssl server-version tlsv1 dtlsv1
ssl cipher dtlsv1.2 medium

The rest is the same.

Some users have trouble establishing a connection. What would be the best thing to do? My concern right now is to allow every user to connect, not to improve security.

I thought of

ssl cipher dtlsv1.2 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

What do you think?

Thanks,

Steve
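As an added example (not from this post and not Cisco's code), a small Python checker that parses the ssl cipher lines quoted above, flags the suites in the custom lists that a config reviewer would call weak, and shows which suites a given client can actually negotiate against each list. The client offer list and the weakness labels are my own assumptions.

```python
import re

# Constructed sample input: the tlsv1/tlsv1.1/tlsv1.2 lines from the post above,
# with the stray spaces inside the quotes removed.
SAMPLE_CONFIG = """
ssl server-version tlsv1
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
ssl dh-group group2
"""

# Assumed classification (mine, not Cisco's): why a reviewer would flag a suite.
WEAK_EXACT = {"DES-CBC-SHA": "single DES", "DES-CBC3-SHA": "3DES"}
WEAK_SUBSTR = {"RC4": "RC4 stream cipher", "MD5": "MD5 MAC"}

# Matches 'ssl cipher <version> custom "<list>"' or 'ssl cipher <version> <level>'.
CIPHER_RE = re.compile(r'^ssl cipher (\S+) (?:custom "([^"]*)"|(\S+))$')


def parse_ssl_ciphers(config):
    """Map each TLS/DTLS version to its suite list (custom) or its level keyword."""
    out = {}
    for line in config.splitlines():
        m = CIPHER_RE.match(line.strip())
        if m:
            version, custom, level = m.groups()
            out[version] = [s for s in custom.split(":") if s] if custom is not None else level
    return out


def weak_suites(suites):
    """Return {suite: reason} for the weak entries of one custom suite list."""
    flagged = {}
    for suite in suites:
        if suite in WEAK_EXACT:
            flagged[suite] = WEAK_EXACT[suite]
            continue
        for marker, reason in WEAK_SUBSTR.items():
            if marker in suite:
                flagged[suite] = reason
                break
    return flagged


def negotiable(server_suites, client_offer):
    """Suites both sides support, in the ASA's preference order; [] means the handshake fails."""
    offered = set(client_offer)
    return [s for s in server_suites if s in offered]


if __name__ == "__main__":
    # Constructed client offer: a modern client that still carries two CBC suites.
    client = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA", "AES128-SHA"]
    for version, suites in parse_ssl_ciphers(SAMPLE_CONFIG).items():
        if isinstance(suites, str):
            print(f"{version}: level '{suites}' (expansion depends on the ASA version)")
        else:
            print(f"{version}: weak={weak_suites(suites)} negotiable={negotiable(suites, client)}")
```

A client that offers only GCM suites gets an empty negotiable list against every custom list here, which is the "cannot connect" symptom rather than a cipher-strength problem.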

4 Replies

Hi,
Your ciphers are pretty weak; most operating systems should easily support the stronger ciphers. The ciphers may not be the issue.

Are they running the same operating system as the users who are working correctly?
Can you run some debugs on the ASA when they connect and upload the output for review?

HTH

Hi,

For now, I have some Linux users running openconnect who fail to establish reliable connections. What troubleshooting commands do you propose?

Steve

debug webvpn 128
debug webvpn anyconnect 238

Hi,

OK, we got something. I opened udp/443 and DTLS works now! I wasn't aware of the UDP connection for DTLS.

Steve