Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2125
Views
0
Helpful
5
Replies

Does anyconnect SSL use dh group

Alfredcfc
Level 1
Level 1

‎04-06-2020 07:08 PM

The cpu % of our vpn firewall started to climb from last week it's constantly hitting 85-87% during peak times

 

I raised a case with cisco they found that "cert-api" was hogging the cpu and hence they asked be add a command.

 

The exact explanation given by them:

"By default the ASA processes crypto packets in software.  The high CPU of being caused by the CERT API process.  That is being caused by two things, the ASA platform you are on and DH group 5.  So it is the combination of those two things that is causing the CERT API process to go high and thus causing the higher than normal CPU."

 

Because in the firewall that we were using (5520) the dh keying is done in the software not seems and they wanted to move it to hardware

 

So they suggested nthe following command:

crypto large-cert-acceleration enable

 

 

That's all fine but when I check if we are running dh5 with the command  sh ssl

I can't see any dh-groups for ssl connections.

 

And I also check with the command sh vpn-sessiondb detail l2l if any vpn tunnels is running dh 5 group but nope.

 

Does this mean ssl doesn't use dh ?. 

 

And also how does anyconnect select the ciphers then ?.

show ssl.PNG

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Francesco Molino
VIP Alumni
VIP Alumni

‎04-06-2020 07:48 PM

Hi

Can you run please the command sh run all ssl and share the output?
You should see something like:
ssl server-version tlsv1 dtlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14

Starting from 9.3.2, you change it using the command ssl dh-group.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Alfredcfc
Level 1
Level 1
In response to Francesco Molino

‎04-07-2020 06:45 AM

Hello Molino,

 

Please find the image.

 

 

Preview file
8 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Alfredcfc

‎04-07-2020 06:53 AM

Which version are you running?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Alfredcfc
Level 1
Level 1
In response to Francesco Molino

‎04-07-2020 09:06 AM

Hi molino,

 

The version is 9.1(2);

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Alfredcfc

‎04-07-2020 08:09 PM

If i recall you can't see it in this version. You need to upgrade to see liked i showed or even change it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents