cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1725
Views
21
Helpful
17
Replies

Cisco Anyconnect Compatible IKEv2 Options

KGrev
Level 4
Level 4

Hi,

Just curious if anyone know the upper and lower limits of Cisco Anyconnect? We are using version 4.6.04056 here.

Looking for D-H Groups, encryption, and hash settings.

I'm noticing on our system I'm unable to click on some options and my connection be succesful.

Sorry if this information is already plainly out there, my google fu was failing me.

Thank you for any help.

1 Accepted Solution

Accepted Solutions

@Rob Ingram 

My issue is now resolved. I needed to disable Anyconnect Essentials as explained in this forum.

https://community.cisco.com/t5/vpn/how-does-the-anyconnect-client-decide-its-proposals/m-p/4812203#M288678

View solution in original post

17 Replies 17

KGrev
Level 4
Level 4

Currently my issue is really the DH group. I can only connect at group 5 at the highest.

@KGrev what ASA software version are you running? You'd need to use a newer version to support anything higher than DH group 5. DH group 14 was added in ASA version 9.13

@Rob IngramThanks for your response.

Currently the ASA is at 9.12(4)29. In my asdm i have options for 2,5,14,19,20,24.

@KGrev interesting. The ASA 9.12 VPN guide states DH group 1,2 and 5 is supported - https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/vpn/asa-912-vpn-config/vpn-ike.html

Perhaps you have a newer ASDM version that supports the stronger ciphers but the ASA version does not? What ASDM version do you use?

What about if you configure a new IKEv2 policy via the CLI, what options does it give you for DH group?

 

@Rob IngramIt seems that I can configure any policy at a higher DH group and there is no problem but the anyconnect will not connect above group 5. Could it be that my anyconnect version is too old? The date on it is 2019.

@KGrev you mean you can configure the stronger DH group via the CLI? That would contradict the VPN guide previously shared for your ASA version. If you were using a newer ASDM version it might indicate in the GUI you can configure newer ciphers, but that might be misleading as the configuration would not be applied to the ASA.

You can certainly upgrade AnyConnect, it's very old. Bear in mind from AnyConnect 4.9, DH group 2 and 5 have been depreciated. DH group 15,16,19,20 and 21 are supported https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/feature/guide/anyconnect49features.html

 

 

 

 

 

@Rob IngramThanks for the response. I attaches some pictures of the command it will allow me to enter and the version information if that helps.

20230203_133658.jpg20230203_133741.jpg

@KGrev  modify the IKEv2 Policy #1 to use the stronger DH group, as the lower the number the higher the priority. Then try again.

 

Yes sir @Rob Ingram I didn't mention before but I am trying to edit policy 1. It shows group 2 and 5 currently as those are working at the moment. If I change Policy 1 to a higher group, the anyconnect will not connect.

@KGrev interesting I read the ASA 9.12 ASDM guide which indicates the stronger DH groups are supported...but the ASA 9.12 CLI guide does not. https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/vpn/asdm-712-vpn-config/vpn-asdm-ike.html

Can you try using a newer AnyConnect version (4.9 or newer) and try again please?

You could also try turning on IKEv2 debugs, provide the full output for review.

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116158-trouble-asa-ikev2-00.html

 

yes sir, I will try that now. Thanks @Rob Ingram for hanging with me this long. There are many users on here that seem to be after the quick points and stop responding after a question or two.

@Rob IngramI got the debug info for you. There is a lot. The cellular ip of the peer is 10.225.168.206 in this instance. I had to change certain ip's to "FIREWALL" and such so i hope that doesn't throw you off. To my knowlege, nothing else was trying to create a vpn at this moment. And this debug time is while the ASA had the policy set to DH group 14, 19, 20, 24 instead of 2 and 5.

Thanks for your help.

@KGrev do you have FIPS mode enabled? https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118427-technote-asa-00.html

The error message in your output "Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group" may not be relevant as this condition occurs when establishing an AnyConnect connection with a vpn logging level of 4 (warnings) or greater.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCtx35044

https://community.cisco.com/t5/vpn/ikev2-negotiation-aborted-due-to-error-the-peer-s-ke-payload/td-p/3035482

 

 

 

No sir, fips is disabled.