Cisco anyconnect browser ERR_SSL_Protocol_ERROR

kirillsanin48
Level 1

Good day to everyone.
I have two Cisco ASAs running on FPR2130 assembled into a load-balancing group, for example:
vpn-gw1.example.com
vpn-gw2.example.com
with the general address vpn.example.com.
Firmware version: 9.18.3.56
AnyConnect: 4.10.07062

At the moment, all our employees work through profiles with two-factor authentication using SAML. With two-factor authentication, after entering the code from the TOTP generator, some users hit the error ERR_SSL_PROTOCOL_ERROR.
The error is not permanent: it may appear to a user a couple of times a week and then not appear. Some users hit the error consistently between 8 a.m. and 10 a.m., after which they connect normally. The error may appear on one gateway and not appear when trying to connect to the second gateway.

The problem is of a floating nature. One of the most popular solutions is clearing cookies and cache in the default browser; sometimes deleting the Cisco AnyConnect profile helps, and sometimes clearing the SSL cache in the browser properties in the Control Panel.

The number of active users in the middle of the day is approximately 1,500 people per device. Most of them do not face the problem, but it is frightening that the problem can manifest itself for anyone at any moment.

There is an understanding that the problem is still in the workstations, but maybe someone has encountered it and has a universal solution.

I will be glad of any help.

17 Replies

Hi Daniel,

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client]
"UseLegacyEmbeddedBrowser"=dword:00000001
Blast an email to all departments and it works like magic.

kirillsanin48
Level 1

Hello everyone, and thank you so much for your answers. I was helped by updating the Cisco ASA software version to 9.19.1.24; now on 9.19.1.28 it also works without problems. Hope it helps someone.

I wonder if it is because, starting in 9.19, TLS 1.3 is supported for remote access VPN (if using Cisco Secure Client, Version 5.0.01242 and higher). But I wonder if the SAML piece does not care too much about the Secure Client or AnyConnect version for negotiating the TLS version. Just a guess. Unfortunately, the ASA 5516 we are running into this issue on only has up to release 9.14.4 available for download. For now, we are using the reg key workaround "UseLegacyEmbeddedBrowser".
"TLS 1.3 in Remote Access VPN"

"You can now use TLS 1.3 to encrypt remote access VPN connections.
TLS 1.3 adds support for the following ciphers:
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
This feature requires Cisco Secure Client, Version 5.0.01242 and above.
New/Modified commands: sslserver-version, sslclient-version.
New/Modified screens: Configuration > Device Management > Advanced > SSL Settings"