
Ciphers supported by the ASA

ROHIT SHARMA
Level 1

I have an ASA where the cipher support is limited to 256-bit ciphers only. Why is it not showing 384-bit ciphers?

Thanks in advance!

-----------------

ASA# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2, dtlsv1.2)
AES128-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC-SHA (tlsv1)
ASA#

marce1000
VIP

What software version is the ASA running?

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

9.12(3)12.

I have another ASA running 9.12(4)4, where the cipher list is much longer. But not sure if it's due to the versions.

Yes, same ASA, same version, but do both use the same TLS/SSL version?

balaji.bandi
Hall of Fame

Look at the release notes (can you post the other one's show command output?):

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ROHIT SHARMA
Level 1

Could it be due to the fact that AnyConnect Premium is Disabled on this ASA?

AnyConnect Premium (Apex) will enable next generation encryption / Suite B for AnyConnect clients. But the ciphers are not just for AnyConnect and should be available on the ASA itself for use in things like ASDM which uses https (transported over TLS).

If you set your SSL server-version to other than TLS/DTLS 1.2 you will limit the available ciphers.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/vpn/asa-912-vpn-config/vpn-params.html#ID-2443-000004b5
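As an added example (not from the thread or from Cisco), a small Python parser for the `show ssl ciphers all` output quoted earlier: it groups the offered suites by protocol version, flags whether the SHA-384 / GCM and ECDHE suites the question asks about are present at all, and lists the suites that disappear if `ssl server-version` is set below TLS/DTLS 1.2. The sample output is embedded as a constructed string copied from the original post.

```python
import re
from collections import defaultdict
# Constructed sample: the `show ssl ciphers all` output quoted earlier in the thread.
SHOW_SSL_CIPHERS = """\
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2, dtlsv1.2)
AES128-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC-SHA (tlsv1)
"""

# One suite per line: NAME (version, version, ...); header and prompt lines do not match.
LINE_RE = re.compile(r"^([A-Z0-9-]+)\s+\(([^)]*)\)\s*$")

def parse_ssl_ciphers(text):
    """Return {suite_name: set(protocol versions)} from `show ssl ciphers` output."""
    suites = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites[m.group(1)] = {v.strip() for v in m.group(2).split(",")}
    return suites

def audit(suites):
    """Group suites by protocol version and flag what a hardening review looks for."""
    by_version = defaultdict(set)
    for name, versions in suites.items():
        for v in versions:
            by_version[v].add(name)
    return {
        "by_version": dict(by_version),
        # The "384-bit" suites asked about: SHA-384 PRF/MAC and AES-256-GCM (AEAD).
        "has_sha384": any("SHA384" in n for n in suites),
        "has_gcm": any("GCM" in n for n in suites),
        # ECDHE suites (the Suite B / NGE set) provide forward secrecy.
        "has_ecdhe": any(n.startswith("ECDHE-") for n in suites),
        # Legacy suites: single DES, 3DES, and any SHA-1 MAC.
        "legacy": sorted(n for n in suites if "DES-" in n or n.endswith("-SHA")),
        # Suites lost if `ssl server-version` is set below TLS/DTLS 1.2.
        "tls12_only": sorted(n for n, v in suites.items() if v <= {"tlsv1.2", "dtlsv1.2"}),
    }
```

Running `audit(parse_ssl_ciphers(SHOW_SSL_CIPHERS))` on the posted output shows no SHA-384, GCM or ECDHE suite at all, four suites that exist only on TLS/DTLS 1.2, and six SHA-1 / DES-family suites that a review would want removed.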

Thanks, Marvin. For the below details, is it possible to enable AnyConnect Premium to test if it brings stronger ciphers? After that, we should be able to enable Essentials back as Essentials has 750 peers as compared to 2 in Premium. Please advise. 

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5525 VPN Premium license.

ASA/act# show vpn-s license-summary 
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary                                 
---------------------------------------------------------------------------
                                     Status : Capacity : Installed :  Limit
                                  -----------------------------------------
AnyConnect Premium               : DISABLED :      750 :         4 :   NONE
AnyConnect Essentials            :  ENABLED :      750 :       750 :   NONE
Other VPN (Available by Default) :  ENABLED :      750 :       750 :   NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : DISABLED
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary                                                 
---------------------------------------------------------------------------
                                             All  :   Peak :  Eff.  :      
                                           In Use : In Use :  Limit : Usage
                                          ---------------------------------
AnyConnect Essentials  :                 :      0 :      3 :    750 :    0%
  Anyconnect Client    :                 :      0 :      3 :    750 :    0%
Other VPN              :                 :      0 :      0 :    750 :    0%
  L2TP Clients
---------------------------------------------------------------------------

ASA/act#

@ROHIT SHARMA you could try it but be careful not to do so for any period where production users are trying to connect - connections beyond the 2 licensed sessions will not be allowed.

Can you please advise how I can enable Premium and then disable it again, and whether I'll lose the Essentials license by doing it?

To enable the Premium licenses, just enter "no anyconnect-essentials" in webvpn configuration mode.

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# no anyconnect-essentials

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ad-aq-commands.html#wp3072232846

Just negate the command (i.e. re-enter it without the "no") to re-enable the Essentials licenses. Those licenses are based on the activation-key that's present (in classic ASA hardware) or Smart license (on ASAv and ASA running on Firepower appliances) and not affected by temporarily disabling the feature.

Thanks a lot.