Cisco AnyConnect Cipher Suites

houren
Level 1

Hi Community,

 

Do you know where we could find the list of cipher suites supported on Cisco AnyConnect ?

 

thank you. 

Accepted Solution

Marvin Rhoads
Hall of Fame

AnyConnect supports many cipher suites. The one that is chosen is the strongest mutually agreeable as configured on the VPN headend (ASA or FTD or IOS router) to which it connects.

The AnyConnect client itself has only some non-comprehensive references to what's supported in the product data sheet:

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/datasheet-c78-733184.html?cachemode=refresh

Is there a specific requirement you are looking to know about? We generally negotiate a pretty strong connection assuming the headend is capable of it. Here's me connecting to my lab running FTD 6.6:

> show vpn-sessiondb detail anyconnect 

Session Type: AnyConnect Detailed

Username     : adm-marvin             Index        : 5
Assigned IP  : 172.31.1.211           Public IP    : 192.168.0.165
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 55647                  Bytes Rx     : 51746
Pkts Tx      : 138                    Pkts Rx      : 400
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : CCIELab_GP             Tunnel Group : CCIELab-VPN
Login Time   : 13:04:31 UTC Sun May 10 2020
Duration     : 0h:01m:51s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac1f0101000050005eb7fbdf
Security Grp : none                   Tunnel Zone  : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 5.1
  Public IP    : 192.168.0.165
  Encryption   : none                   Hashing      : none                   
  TCP Src Port : 5859                   TCP Dst Port : 443                    
  Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes             
  Client OS    : win                    
  Client OS Ver: 10.0.18363             
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03052
  Bytes Tx     : 8136                   Bytes Rx     : 0                      
  Pkts Tx      : 6                      Pkts Rx      : 0                      
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  
SSL-Tunnel:
  Tunnel ID    : 5.2
  Assigned IP  : 172.31.1.211           Public IP    : 192.168.0.165
  Encryption   : AES-GCM-256            Hashing      : SHA384                 
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384                       
  Encapsulation: TLSv1.2                TCP Src Port : 5863                   
  TCP Dst Port : 443                    Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes             
  Client OS    : Windows                
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03052
  Bytes Tx     : 8136                   Bytes Rx     : 701                    
  Pkts Tx      : 6                      Pkts Rx      : 9                      
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3
  
DTLS-Tunnel:
  Tunnel ID    : 5.3
  Assigned IP  : 172.31.1.211           Public IP    : 192.168.0.165
  Encryption   : AES-GCM-256            Hashing      : SHA384                 
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384                     
  Encapsulation: DTLSv1.2               UDP Src Port : 60773                  
  UDP Dst Port : 443                    Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes             
  Client OS    : Windows                
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03052
  Bytes Tx     : 39375                  Bytes Rx     : 51045                  
  Pkts Tx      : 126                    Pkts Rx      : 391                    
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3
  
>

 

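The session output above is the practical answer to the question: the negotiated suite per tunnel is visible in the Ciphersuite and Encapsulation fields of each tunnel block. As an added example that is not from this thread and not Cisco's code, the Python below parses that `show vpn-sessiondb detail anyconnect` layout (two "Key : value" columns per line, one block per tunnel) and flags tunnels that were negotiated with a legacy protocol version, a non-AEAD suite, a suite without forward secrecy, or a deprecated algorithm. The strong sample is modeled on Marvin's output; the weak sample, its version strings and its suite names are constructed assumptions to exercise the checks.

```python
"""Parse ASA/FTD 'show vpn-sessiondb detail anyconnect' output and flag weak tunnel crypto."""
import re

# Header of a tunnel block, e.g. "SSL-Tunnel:" (no indent, nothing after the colon).
_SECTION = re.compile(r"^(\S[^:]*):\s*$")
# Two-column layout: a run of 2+ spaces that is followed by another "Key :" field.
_COLUMN_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z /]*:)")

# Protocol versions a policy review should flag (assumed spellings of the CLI strings).
LEGACY_VERSIONS = {"TLSv1", "TLSv1.0", "TLSv1.1", "DTLSv1", "DTLSv1.0"}


def parse_sessiondb(text):
    """Return {block_name: {key: value}}; fields outside any tunnel block land in 'Session'."""
    sections = {"Session": {}}
    current = sections["Session"]
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        # Split the two display columns, then each "Key : value" on its first colon.
        for field in _COLUMN_SPLIT.split(line.strip()):
            key, sep, value = field.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return sections


def assess_tunnel(name, fields):
    """Return a list of finding strings for one tunnel block (empty means nothing flagged)."""
    findings = []
    suite = fields.get("Ciphersuite", "")
    version = fields.get("Encapsulation", "")
    if not suite:
        return findings  # the AnyConnect-Parent control block carries no crypto of its own
    if version in LEGACY_VERSIONS:
        findings.append(f"{name}: legacy protocol version {version}")
    # OpenSSL-style names: (EC)DHE prefix or a TLS 1.3 'TLS_' name implies forward secrecy.
    if not suite.startswith(("ECDHE-", "DHE-", "TLS_")):
        findings.append(f"{name}: no forward secrecy in {suite}")
    if not any(tag in suite for tag in ("GCM", "CHACHA20", "CCM")):
        findings.append(f"{name}: non-AEAD cipher suite {suite}")
    if any(bad in suite for bad in ("RC4", "DES", "NULL", "MD5", "EXPORT")):
        findings.append(f"{name}: deprecated algorithm in {suite}")
    return findings


def audit(text):
    """Parse the output and return (sections, findings) for every tunnel block."""
    sections = parse_sessiondb(text)
    findings = []
    for name, fields in sections.items():
        if name != "Session":
            findings.extend(assess_tunnel(name, fields))
    return sections, findings


# Constructed sample, trimmed from the session shown in this thread (TLS 1.2 / DTLS 1.2, AES-GCM).
SAMPLE_STRONG = """\
Session Type: AnyConnect Detailed

Username     : adm-marvin             Index        : 5
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256

AnyConnect-Parent:
  Tunnel ID    : 5.1
  Encryption   : none                   Hashing      : none
  TCP Src Port : 5859                   TCP Dst Port : 443

SSL-Tunnel:
  Tunnel ID    : 5.2
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 5863
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes

DTLS-Tunnel:
  Tunnel ID    : 5.3
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2               UDP Src Port : 60773
"""

# Constructed sample of a headend left on legacy settings; values are assumptions, not real output.
SAMPLE_WEAK = """\
Session Type: AnyConnect Detailed

SSL-Tunnel:
  Tunnel ID    : 9.2
  Encryption   : AES128                 Hashing      : SHA1
  Ciphersuite  : AES128-SHA
  Encapsulation: TLSv1.0                TCP Src Port : 50112

DTLS-Tunnel:
  Tunnel ID    : 9.3
  Encryption   : 3DES                   Hashing      : SHA1
  Ciphersuite  : DES-CBC3-SHA
  Encapsulation: DTLSv1.0               UDP Src Port : 50113
"""

if __name__ == "__main__":
    for label, sample in (("strong", SAMPLE_STRONG), ("weak", SAMPLE_WEAK)):
        _, findings = audit(sample)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Feed it the real output captured from the headend (or a batch of sessions) to spot users whose tunnels negotiated something weaker than the policy intends; the fix for any finding is on the headend side, via its SSL/DTLS version and cipher configuration, not on the client.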

2 Replies


Thanks Marvin, that was helpful. I just wanted to confirm whether there are any references.