06-25-2022 07:34 AM
I have an ASA where cipher support is limited to 256-bit ciphers only. Why is it not showing 384-bit ciphers?
Thanks in advance!
-----------------
ASA# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2, dtlsv1.2)
AES128-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC-SHA (tlsv1)
ASA#
06-28-2022 08:25 AM
AnyConnect Premium (Apex) will enable next generation encryption / Suite B for AnyConnect clients. But the ciphers are not just for AnyConnect and should be available on the ASA itself for use in things like ASDM which uses https (transported over TLS).
If you set your SSL server-version to other than TLS/DTLS 1.2 you will limit the available ciphers.
Reference:
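The point about server-version limiting the cipher list, as an added example that is not from this thread or from Cisco: a small Python parser for the `show ssl ciphers all` output the original poster quoted, which lists what remains usable once `ssl server-version` offers only one protocol and flags the legacy suites. The sample output is constructed by re-typing the thread's output one cipher per line; the function names are my own.

```python
import re

# Constructed sample: the "show ssl ciphers all" output quoted in the thread,
# re-typed one cipher per line (the ASA prints it in the same shape).
SHOW_SSL_CIPHERS = """\
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2, dtlsv1.2)
AES128-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC-SHA (tlsv1)
"""

# One cipher name followed by the parenthesised list of protocol versions.
LINE_RE = re.compile(r"^(?P<name>[A-Z0-9-]+)\s+\((?P<versions>[^)]*)\)\s*$")


def parse_ciphers(text):
    """Return {cipher_name: set_of_versions} from show ssl ciphers output."""
    ciphers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ciphers[m.group("name")] = {v.strip() for v in m.group("versions").split(",")}
    return ciphers


def ciphers_for_version(ciphers, version):
    """Ciphers still offered when the box only negotiates the given version."""
    return sorted(name for name, versions in ciphers.items() if version in versions)


def weak_ciphers(ciphers):
    """Flag single DES, 3DES, and suites without forward secrecy (no DHE/ECDHE)."""
    flagged = {}
    for name in ciphers:
        reasons = []
        if name.startswith("DES-CBC-"):
            reasons.append("single DES")
        elif "CBC3" in name or "3DES" in name:
            reasons.append("3DES")
        if not name.startswith(("DHE-", "ECDHE-")):
            reasons.append("no forward secrecy")
        if reasons:
            flagged[name] = reasons
    return flagged
```

Running `ciphers_for_version` with "tlsv1.1" against this sample shows that every SHA256 suite disappears, which is exactly why pinning the server version below TLS 1.2 shrinks the list.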
06-25-2022 08:20 AM
- What software version is the ASA running?
M.
06-25-2022 08:29 AM
9.12(3)12.
I have another ASA running 9.12(4)4, where the cipher list is much longer. But not sure if it's due to versions.
06-25-2022 09:21 AM
Yes, same ASA, same version, but do both use the same TLS/SSL version?
06-25-2022 10:37 AM
Look at the release notes (can you post the other one's show command?):
https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html
06-26-2022 04:38 AM
Could it be due to the fact that AnyConnect Premium is Disabled on this ASA?
06-30-2022 01:33 AM
Thanks, Marvin. For the below details, is it possible to enable AnyConnect Premium to test if it brings stronger ciphers? After that, we should be able to re-enable Essentials, as Essentials has 750 peers compared to 2 in Premium. Please advise.
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
This platform has an ASA5525 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
This platform has an ASA5525 VPN Premium license.
ASA/act# show vpn-s license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                   Status : Capacity : Installed : Limit
                            -----------------------------------------
AnyConnect Premium               : DISABLED :      750 :         4 :  NONE
AnyConnect Essentials            :  ENABLED :      750 :       750 :  NONE
Other VPN (Available by Default) :  ENABLED :      750 :       750 :  NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : DISABLED
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
---------------------------------------------------------------------------
---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                                       All  : Peak   : Eff.  :
                                     In Use : In Use : Limit : Usage
                                 ---------------------------------
AnyConnect Essentials            :      : 0 :      3 :   750 :    0%
  Anyconnect Client              :      : 0 :      3 :   750 :    0%
Other VPN                        :      : 0 :      0 :   750 :    0%
  L2TP Clients
---------------------------------------------------------------------------
ASA/act#
06-30-2022 08:29 AM
@ROHIT SHARMA you could try it but be careful not to do so for any period where production users are trying to connect - connections beyond the 2 licensed sessions will not be allowed.
06-30-2022 08:52 AM
Can you please advise how I can enable Premium and then disable it again, and whether I'll lose the Essentials license by doing it?
06-30-2022 09:30 AM
To enable the Premium licenses just enter "no anyconnect-essentials" in webvpn configure mode.
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# no anyconnect-essentials
Just negate the command (i.e. re-enter it without the "no") to re-enable the Essentials licenses. Those licenses are based on the activation-key that's present (in classic ASA hardware) or Smart license (on ASAv and ASA running on Firepower appliances) and not affected by temporarily disabling the feature.
06-30-2022 10:40 AM
Thanks a lot.