cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2929
Views
0
Helpful
5
Replies

Does anyconnect SSL use dh group

Alfredcfc
Level 1
Level 1

The cpu % of our vpn firewall started to climb from last week it's constantly hitting 85-87% during peak times

 

I raised a case with cisco they found that "cert-api" was hogging the cpu and hence they asked be add a command.

 

The exact explanation given by them:

"By default the ASA processes crypto packets in software.  The high CPU of being caused by the CERT API process.  That is being caused by two things, the ASA platform you are on and DH group 5.  So it is the combination of those two things that is causing the CERT API process to go high and thus causing the higher than normal CPU."

 

Because in the firewall that we were using (5520) the dh keying is done in the software not seems and they wanted to move it to hardware

 

So they suggested nthe following command:

crypto large-cert-acceleration enable

 

 

That's all fine but when I check if we are running dh5 with the command  sh ssl

I can't see any dh-groups for ssl connections.

 

And I also check with the command sh vpn-sessiondb detail l2l if any vpn tunnels is running dh 5 group but nope.

 

Does this mean ssl doesn't use dh ?. 

 

And also how does anyconnect select the ciphers then ?.

show ssl.PNG

5 Replies 5

Francesco Molino
VIP Alumni
VIP Alumni
Hi

Can you run please the command sh run all ssl and share the output?
You should see something like:
ssl server-version tlsv1 dtlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14

Starting from 9.3.2, you change it using the command ssl dh-group.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Molino,

 

Please find the image.

 

 

Which version are you running?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi molino,

 

The version is 9.1(2);

If i recall you can't see it in this version. You need to upgrade to see liked i showed or even change it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question