Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1367
Views
0
Helpful
4
Replies

Ciphers issues on ASAv 9.12

Go to solution
strou
Level 1
Level 1

‎03-19-2020 03:32 PM - edited ‎03-20-2020 05:55 AM

Hi,

I just configured a new ASAv for remote SSL VPN.  I have ciphers concerns and I am not very good at this.

 

The previous VPN (ASA 9.6) had this configuration :

sl server-version tlsv1
ssl cipher default custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5 "
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5 "
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19

 

I configured the new with the same commands, which also had these two new DTLS defaults commands :

ssl server-version tlsv1 dtlsv1

ssl cipher dtlsv1.2 medium

 

The rest is the same.

 

Some users has trouble establishing a connexion.  What would be the best thing to do?  My concern, right now is to allow every users to connect, not improve security.

 

I thought of 

ssl cipher dtlsv1.2 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

 

what do you think?

 

Thanks,

 

Steve

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
strou
Level 1
Level 1
In response to Rob Ingram

‎03-20-2020 07:32 AM

Hi,

For now, I have some linux users running openconnect that fails to established reliable connexions.  What troubleshooting commands do you propose?

Steve

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎03-20-2020 06:10 AM

Hi,
Your ciphers are pretty weak, most operating systems should easily support the stronger ciphers. The ciphers may not be the issue.

Are they running the same operating system, as users who are working correctly?
Can you run some debugs on the ASA when they connect and upload the output for review.

HTH
0 Helpful

Go to solution
strou
Level 1
Level 1
In response to Rob Ingram

‎03-20-2020 07:32 AM

Hi,

For now, I have some linux users running openconnect that fails to established reliable connexions.  What troubleshooting commands do you propose?

Steve

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to strou

‎03-20-2020 07:39 AM

debug webvpn 128
debug webvpn anyconnect 238
0 Helpful

Go to solution
strou
Level 1
Level 1
In response to strou

‎03-20-2020 10:57 AM

Hi,

OK we got something.  I opened udp/443 et dtls works now!   I wasn't aware of udp connexion for dtls.

Steve

0 Helpful
Customers Also Viewed These Support Documents