Cisco Anyconnect 4.9 error - Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect

Paul4462
Level 1

Since upgrading to Anyconnect 4.9 I am getting the following error when connecting to an IPSec VPN on a 5525-X ASA: Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect

 

I know 4.9 has dropped support for some D-H groups but I have tried 19, 20, 21 and those do not work either.

 

Has anyone got a working config for a 4.9 IPSec VPN?

4 Replies

@Paul4462 

What version of ASA software are you running?

Provide your IKE Policy and IPSec Transform set configuration for review.

Do you have any clients that connect? If so what ciphers do they connect with?

Hi Rob,

 

It is running 9.12(4)13.

 

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256

crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256 
 group 24
 prf sha256
 lifetime seconds 86400

 

The 4.8 clients connect fine using AES-256 but the 4.9 clients will not. Thanks.

@Paul4462 

As you know the minimum cryptography settings in AnyConnect 4.9 have been increased. Refer to this blog:-

https://community.cisco.com/t5/security-blogs/anyconnect-4-9-requires-more-stringent-cryptography-settings/ba-p/4115534

 

  • For IKEv2/IPsec, AnyConnect no longer supports the following algorithms:

    • Encryption algorithms: DES and 3DES

    • Pseudo Random Function (PRF) algorithm: MD5

    • Integrity algorithm: MD5

    • Diffie-Hellman (DH) groups: 2, 5, 14, 24

Remove MD5 from the IKEv2 Proposal. Add sha256 or better.

And change the DH group under the IKEv2 policy from 24 to 19, 20 or 21.

 

You've already tried changing the DH groups, so I assume (hope) that it's the MD5 integrity algorithm that is going to cause the issue, even though SHA is still defined. If the problem still occurs run an ikev2/ipsec debug and provide the output for review.
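As an added example (not from this thread or from Cisco), here is a small Python audit that checks the posted ASA IKEv2 policy and IPsec proposal against the AnyConnect 4.9 list above and emits a cleaned-up config; the fallback replacement values and the sample config layout are my assumptions.

```python
# Algorithms AnyConnect 4.9 no longer accepts for IKEv2/IPsec, per the reply above.
UNSUPPORTED = {"encryption": {"des", "3des"}, "integrity": {"md5"},
               "prf": {"md5"}, "group": {"2", "5", "14", "24"}}
# Substitute used when stripping leaves a line empty (my choice of replacement, not Cisco's).
# ASA spells the proposal-level hash 'sha-256' but the policy-level hash 'sha256'.
FALLBACK = {("policy", "integrity"): "sha256", ("policy", "prf"): "sha256",
            ("policy", "group"): "19", ("policy", "encryption"): "aes-256",
            ("proposal", "integrity"): "sha-256", ("proposal", "encryption"): "aes-256"}

# Constructed sample: the configuration posted earlier in this thread.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 24
 prf sha256
 lifetime seconds 86400
"""

def _parse(line: str):
    """Split an indented ASA line into (kind, keyword, values); kind is 'proposal' or 'policy'."""
    tokens = line.split()
    if tokens[:2] == ["protocol", "esp"]:
        return "proposal", tokens[2], tokens[3:]
    return "policy", tokens[0], tokens[1:]

def audit_ikev2_config(config: str):
    """Return (findings, fixed_config): one finding per value AnyConnect 4.9 rejects,
    plus the same config with those values stripped (or replaced via FALLBACK)."""
    findings, fixed, section = [], [], ""
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command opens a new block
            section = line.strip()
            fixed.append(line)
            continue
        kind, keyword, values = _parse(line)
        bad = UNSUPPORTED.get(keyword, set())
        findings += [f"{section}: {keyword} {v}" for v in values if v.lower() in bad]
        keep = [v for v in values if v.lower() not in bad]
        if bad and not keep:                  # every offered value was dropped
            keep = [FALLBACK[(kind, keyword)]]
        prefix = " protocol esp " if kind == "proposal" else " "
        fixed.append(f"{prefix}{keyword} {' '.join(keep)}")
    return findings, "\n".join(fixed) + "\n"
```

A clean audit does not by itself guarantee a connection: as the final reply in this thread shows, the ASA also refused the Suite B proposal until the AnyConnect licence was changed, and only the ikev2 debug revealed that.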

Paul4462
Level 1

Thanks, Rob.

 

I have run a debug and found the error below:

 

IKEv2-PLAT-2: Failed to create an IKEv2 Proposal because an AnyConnect Premium license is required to support an IKEv2 remote access connection using NSA Suite B algorithms

 

The ASA had AnyConnect Essentials licensing enabled and this was the issue. After I changed it to AC Premium licenses then the 4.9 client could connect with D-H group 19.