05-10-2020 03:56 AM
Hi Community,
Do you know where we could find the list of cipher suites supported on Cisco AnyConnect?
Thank you.
05-10-2020 06:10 AM - edited 05-10-2020 06:11 AM
AnyConnect supports many cipher suites. The one that is chosen is the strongest mutually agreeable one, as configured on the VPN headend (ASA, FTD or IOS router) to which it connects.
The AnyConnect client itself has only some non-comprehensive references to what's supported in the product data sheet:
Is there a specific requirement you are looking to know about? We generally negotiate a pretty strong connection assuming the headend is capable of it. Here's me connecting to my lab running FTD 6.6:
> show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : adm-marvin
Index        : 5
Assigned IP  : 172.31.1.211
Public IP    : 192.168.0.165
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 55647
Bytes Rx     : 51746
Pkts Tx      : 138
Pkts Rx      : 400
Pkts Tx Drop : 0
Pkts Rx Drop : 0
Group Policy : CCIELab_GP
Tunnel Group : CCIELab-VPN
Login Time   : 13:04:31 UTC Sun May 10 2020
Duration     : 0h:01m:51s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A
VLAN         : none
Audt Sess ID : ac1f0101000050005eb7fbdf
Security Grp : none
Tunnel Zone  : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 5.1
  Public IP    : 192.168.0.165
  Encryption   : none
  Hashing      : none
  TCP Src Port : 5859
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 28 Minutes
  Client OS    : win
  Client OS Ver: 10.0.18363
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03052
  Bytes Tx     : 8136
  Bytes Rx     : 0
  Pkts Tx      : 6
  Pkts Rx      : 0
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 5.2
  Assigned IP  : 172.31.1.211
  Public IP    : 192.168.0.165
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2
  TCP Src Port : 5863
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 28 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03052
  Bytes Tx     : 8136
  Bytes Rx     : 701
  Pkts Tx      : 6
  Pkts Rx      : 9
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

DTLS-Tunnel:
  Tunnel ID    : 5.3
  Assigned IP  : 172.31.1.211
  Public IP    : 192.168.0.165
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2
  UDP Src Port : 60773
  UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 29 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03052
  Bytes Tx     : 39375
  Bytes Rx     : 51045
  Pkts Tx      : 126
  Pkts Rx      : 391
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3
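As an added example (not Cisco's code and not the poster's), the Python below shows how a defender can turn that session output into a check rather than reading it by eye: it parses the per-tunnel sections of `show vpn-sessiondb detail anyconnect` and flags any data tunnel whose negotiated suite lacks forward secrecy or AEAD, or whose encapsulation is older than (D)TLS 1.2. The sample text is constructed from the session above and assumes a one-field-per-line layout; the `SAMPLE`, `parse_tunnels`, `audit_tunnel` and `audit_session` names are this example's own.

```python
import re

# Constructed sample in the layout of the session output quoted above
# (data tunnels only; the AnyConnect-Parent tunnel carries no cipher suite).
SAMPLE = """\
SSL-Tunnel:
  Tunnel ID    : 5.2
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2
DTLS-Tunnel:
  Tunnel ID    : 5.3
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2
"""

TUNNEL_HDR = re.compile(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):$")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*:\s*(.+?)\s*$")

def parse_tunnels(text):
    """Return {tunnel_name: {field: value}} for every per-tunnel section."""
    tunnels, current = {}, None
    for line in text.splitlines():
        hdr = TUNNEL_HDR.match(line.strip())
        if hdr:
            current = tunnels.setdefault(hdr.group(1), {})
            continue
        field = FIELD.match(line)
        if current is not None and field:
            current[field.group(1).strip()] = field.group(2)
    return tunnels

def audit_tunnel(fields):
    """Return findings for one data tunnel; an empty list means it passes."""
    findings = []
    suite = fields.get("Ciphersuite", "")
    encap = fields.get("Encapsulation", "")
    # Forward secrecy: ephemeral (EC)DHE key exchange, not static RSA.
    if not suite.startswith(("ECDHE-", "DHE-")):
        findings.append(f"no forward secrecy: {suite or 'unknown'}")
    # AEAD: GCM or ChaCha20-Poly1305 rather than CBC + HMAC.
    if "GCM" not in suite and "CHACHA20" not in suite:
        findings.append(f"non-AEAD cipher: {suite or 'unknown'}")
    # Protocol: only (D)TLS 1.2 or 1.3; older versions are deprecated.
    if not re.search(r"v1\.[23]$", encap):
        findings.append(f"legacy protocol: {encap or 'unknown'}")
    return findings

def audit_session(text):
    """Map each SSL/DTLS tunnel in the output to its list of findings."""
    return {name: audit_tunnel(f) for name, f in parse_tunnels(text).items()
            if name != "AnyConnect-Parent"}
```

Both tunnels in the sample pass; feed the function the full output of a real headend and any tunnel with a non-empty findings list is the one whose group policy or ssl cipher settings need attention.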
05-11-2020 07:14 PM
Thanks Marvin, that was helpful. Just wanted to confirm whether there are any references.