Showing results for 
Search instead for 
Did you mean: 

Confused about Ciphers Negotiating between AnyConnect 4.3. and ASA 5512-X / 5525 - X (


In our Clientbased - VPN with AnyConnect 4.3.02039 an ASA 5500-X Series with 9.4(3)12 we have to optimize the cipher suites.

Before we had the 3.x Client only supporting TLS 1.0.

Now we changed to TLS 1.2 only an tried to configure more secure ciphers.

- Looks like althoug we do DHE - Suites on top of the priority the negotiation will never choose this for TLS 1.2.

- Depending on the order or number of the configured ciphers (even if reconfigure change TLS 1 or 1.1 or default) the AnyConnect will present the ASA different numbers and different orders of posible Ciphers (between 8 an 37 !)

- Looks like DTLS only can choose AES256-SHA. But I can configure also Ciphers with DHE.

Problem 1 is that for security reason PFS is to choose, but will never be negoatiated.

In some cases the TLS 1.2 do negoatiation to "more secure" ciphers first and immediately do a renegotiating to poorer one.

Problem 2 is that after TLS tunnel is up, it will change to the DTLS tunnel. Same problem with PFS and only SHA.

Looks like something is really buggy.

Where can I find documentation or bug - list which ciphers really supported and the conditions and dependencies from the ordering or dependencies from the configuration of the other TLS (1.0 / 1.1 / or default )?

Is it correct tha i can never see the negoatiating of the DTLS ?

Thanks for help


VIP Advocate



Yeah its really confusing, but I think the following bugs explain what could be happening:

Anyconnect failure when custom ciphers DHE-RSA are used - CSCuz41966

This may be the cause that none of the DHE algorithms are selected when the TLS tunnel is established -causing AES256-SHA to be chosen as this is second in your list on the ASA.

DTLS still uses TLS1.0 meaning none of the new algorithms are supported anyway. The following enhancement bug has been raised for this support:

CSCux68801 - ASA: Add Support of DTLS 1.2 (RFC 6347)

Best way would be open a TAC case and confirm the same. Good analysis btw :-)