Confused about Cipher Negotiation between AnyConnect 4.3 and ASA 5512-X / 5525-X (18.104.22.168)
In our client-based VPN with AnyConnect 4.3.02039 and an ASA 5500-X Series running 9.4(3)12 we have to optimize the cipher suites.
Before, we had the 3.x client, which only supported TLS 1.0.
Now we changed to TLS 1.2 only and tried to configure more secure ciphers.
- It looks like although we put the DHE suites at the top of the priority, the negotiation will never choose them for TLS 1.2.
- Depending on the order or number of the configured ciphers (even if we reconfigure or change TLS 1.0, 1.1 or default), the AnyConnect client will present the ASA different numbers and different orders of possible ciphers (between 8 and 37!).
- It looks like DTLS can only choose AES256-SHA, but I can also configure ciphers with DHE.
Problem 1 is that for security reasons PFS is to be chosen, but it will never be negotiated.
In some cases TLS 1.2 negotiates a "more secure" cipher first and immediately renegotiates to a poorer one.
Problem 2 is that after the TLS tunnel is up, it changes to the DTLS tunnel. Same problem with PFS, and only SHA.
It looks like something is really buggy.
Where can I find documentation or a bug list of which ciphers are really supported, and the conditions and dependencies on the ordering or on the configuration of the other TLS versions (1.0 / 1.1 / default)?
Is it correct that I can never see the negotiation of the DTLS?
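For readers hitting the same question, here is the shape of ASA 9.4 configuration the post is talking about, added as an illustration; it is not from the original post and not an official Cisco answer. It pins the server side to TLS 1.2 and gives the TLS and DTLS tunnels separate ordered cipher lists, DHE (PFS) suites first. The cipher names are OpenSSL-style names as the ASA uses them; which names a given release actually accepts must be taken from `show ssl ciphers all` on that box, so treat the lists below as placeholders to be checked, not as a verified list for 9.4(3)12.

```text
! Accept only TLS 1.2 from AnyConnect clients (the ASA as server)
ssl server-version tlsv1.2

! TLS tunnel: ordered list, first entry is the server's top preference.
! Only names shown by "show ssl ciphers all" on your release are valid here.
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA AES256-SHA256 AES256-SHA"

! DTLS tunnel: a separate list. The TLS list does not apply to DTLS,
! so a DHE suite must be listed here too if DTLS is expected to use it.
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA AES256-SHA"
```

To see what was actually negotiated rather than what was configured: `show ssl` reports the active versions and cipher lists, and `show vpn-sessiondb detail anyconnect` reports the cipher chosen for the TLS tunnel and for the DTLS tunnel of each session separately, which is the only place on the ASA where the DTLS outcome is visible without a packet capture.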