Log Anyconnect used ciphers and protocols

Hi

We are planning to disable some old ciphers and protocols on a client's AnyConnect setup to improve security.

They have a wide variety of clients which connect to the SSL VPN that use all kinds of old ciphers.

To minimize impact and to gain some visibility into the AnyConnect connections:

Is there a way to log the AnyConnect connection events?

In particular, which ciphers/protocols are being utilized?

Or have an overview on the ASA?

This way we can see if there are any legacy devices connecting which don't support the newer ciphers/protocols.

Thanks!


Hi @Kenzo De Ruysscher 

You can use the command "show vpn-sessiondb ratio encryption" to determine which protocols are in use by the clients.

You should ensure ASA software is version 9.10 or newer and AnyConnect 4.7 or newer, to ensure support for the latest ciphers.

 

HTH


Hi @Rob Ingram

Thanks, this indeed gives a nice overview of the encryption methods!

And you're able to filter on Tunnel Group, which is nice.

Is there a way to also get the following information (in bold), especially the TLS and DTLS versions, in a nice overview:


Username : test Index : 42519
Assigned IP : 192.168.200.66 Public IP : X.X.X.X
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA1
Bytes Tx : 252108 Bytes Rx : 151434
Pkts Tx : 682 Pkts Rx : 843
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GP_FG-SEC-AnyConnect-FullVPNTunnel
Tunnel Group : TG_RA_localauth
Login Time : 09:06:24 GMT+2 Fri Oct 23 2020
Duration : 0h:11m:24s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a80a010a6170005f9280f0
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 42519.1
Public IP : X.X.X.X
Encryption : none Hashing : none
TCP Src Port : 57278 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 180 Minutes Idle TO Left : 168 Minutes
Conn Time Out: 480 Minutes Conn TO Left : 468 Minutes
Client OS : win
Client OS Ver: 10.0.17763
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.01095
Bytes Tx : 5278 Bytes Rx : 0
Pkts Tx : 4 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 42519.2
Assigned IP : 192.168.X.X Public IP : X.X.X.X
Encryption : AES256 Hashing : SHA256
Ciphersuite : DHE-RSA-AES256-SHA256
Encapsulation: TLSv1.2 TCP Src Port : 57282
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 180 Minutes Idle TO Left : 168 Minutes
Conn Time Out: 480 Minutes Conn TO Left : 468 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.01095
Bytes Tx : 5639 Bytes Rx : 330
Pkts Tx : 6 Pkts Rx : 5
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 42519.3
Assigned IP : 192.168.X.X Public IP : X.X.X.X
Encryption : AES128 Hashing : SHA1
Ciphersuite : AES128-SHA
Encapsulation: DTLSv1.0 UDP Src Port : 59446
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 180 Minutes Idle TO Left : 179 Minutes
Conn Time Out: 480 Minutes Conn TO Left : 468 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.01095
Bytes Tx : 241191 Bytes Rx : 151104
Pkts Tx : 672 Pkts Rx : 838
Pkts Tx Drop : 0 Pkts Rx Drop : 0


Thanks!
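Added example, not from the thread or from Cisco: a small Python script that parses the text of "show vpn-sessiondb detail anyconnect" (the output quoted in the post above, saved to a file) and builds the overview asked for here: per Tunnel Group, how many SSL-Tunnel and DTLS-Tunnel legs negotiated which TLS/DTLS version (the Encapsulation field) and which Ciphersuite, plus a list of the sessions, with their AnyConnect client version, that would stop working once older versions and suites are removed with the ASA's "ssl server-version" and "ssl cipher" commands. The "legacy" thresholds and the sample output are this example's own assumptions; the sample is constructed to mirror the layout of the excerpt, not a real capture.

```python
"""Overview of negotiated TLS/DTLS versions and ciphersuites per AnyConnect session,
parsed from `show vpn-sessiondb detail anyconnect` output; legs that would break under
a stricter `ssl server-version` / `ssl cipher` policy are listed with the client version."""
import re
from collections import Counter, defaultdict

# What this example treats as legacy (an assumption; adjust to your own policy).
LEGACY_VERSIONS = {"TLSv1.0", "TLSv1.1", "DTLSv1.0"}
LEGACY_SUITE_RE = re.compile(r"(RC4|3DES|DES-CBC3|NULL|-MD5$|-SHA$)")  # "-SHA" = HMAC-SHA1
FORWARD_SECRECY_RE = re.compile(r"^(EC)?DHE-")
SESSION_RE = re.compile(r"^Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)")
TUNNEL_GROUP_RE = re.compile(r"Tunnel Group\s*:\s*(\S+)")
TUNNEL_HEADER_RE = re.compile(r"^([\w-]+):\s*$")  # "SSL-Tunnel:", "DTLS-Tunnel:", ...
FIELD_PATTERNS = (
    ("encapsulation", re.compile(r"Encapsulation\s*:\s*(\S+)")),
    ("ciphersuite", re.compile(r"Ciphersuite\s*:\s*(\S+)")),
    ("client_ver", re.compile(r"Client Ver\s*:\s*(.+?)\s*$")),  # does not hit "Client OS Ver"
)


def parse_sessions(text):
    """Split the output into sessions: username, index, tunnel group and the crypto
    fields of each tunnel (AnyConnect-Parent, SSL-Tunnel, DTLS-Tunnel)."""
    sessions, session, tunnel = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            session = {"username": m.group(1), "index": int(m.group(2)),
                       "tunnel_group": None, "tunnels": {}}
            sessions.append(session)
            tunnel = None
        elif session is None:
            continue
        elif m := TUNNEL_GROUP_RE.search(line):
            session["tunnel_group"] = m.group(1)
        elif m := TUNNEL_HEADER_RE.match(line):
            tunnel = session["tunnels"].setdefault(m.group(1), {})
        elif tunnel is not None:
            for key, pattern in FIELD_PATTERNS:
                if m := pattern.search(line):
                    tunnel[key] = m.group(1)
    return sessions


def summarize(sessions):
    """Count (tunnel, version, suite) per tunnel group and flag legacy legs.
    AnyConnect-Parent carries no Encapsulation field, so it is skipped."""
    by_group, legacy = defaultdict(Counter), []
    for s in sessions:
        for name, t in s["tunnels"].items():
            version, suite = t.get("encapsulation"), t.get("ciphersuite")
            if version is None:
                continue
            by_group[s["tunnel_group"]][(name, version, suite)] += 1
            reasons = []
            if version in LEGACY_VERSIONS:
                reasons.append(f"old protocol {version}")
            if suite and LEGACY_SUITE_RE.search(suite):
                reasons.append(f"weak suite {suite}")
            if suite and not FORWARD_SECRECY_RE.match(suite):
                reasons.append("no forward secrecy")
            if reasons:
                legacy.append({"username": s["username"], "tunnel": name,
                               "tunnel_group": s["tunnel_group"],
                               "client_ver": t.get("client_ver"), "reasons": reasons})
    return by_group, legacy


# Constructed sample (not a real capture), laid out like the excerpt in the thread.
SAMPLE_OUTPUT = """\
Username     : alice                  Index        : 42519
Tunnel Group : TG_RA_localauth
AnyConnect-Parent:
  Client OS Ver: 10.0.17763
SSL-Tunnel:
  Ciphersuite  : DHE-RSA-AES256-SHA256
  Encapsulation: TLSv1.2                TCP Src Port : 57282
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.01095
DTLS-Tunnel:
  Ciphersuite  : AES128-SHA
  Encapsulation: DTLSv1.0               UDP Src Port : 59446
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.01095
Username     : bob                    Index        : 42520
Tunnel Group : TG_RA_localauth
DTLS-Tunnel:
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2               UDP Src Port : 51001
Username     : legacy-box             Index        : 42521
Tunnel Group : TG_RA_legacy
SSL-Tunnel:
  Ciphersuite  : AES128-SHA
  Encapsulation: TLSv1.0                TCP Src Port : 40200
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.14018
"""

if __name__ == "__main__":
    by_group, legacy = summarize(parse_sessions(SAMPLE_OUTPUT))
    for group, counts in sorted(by_group.items()):
        for (name, version, suite), n in sorted(counts.items()):
            print(f"{group:<16} {name:<12} {version:<8} {suite:<28} {n}")
    for e in legacy:
        print(f"re-check {e['username']} {e['tunnel']} ({e['client_ver']}): " + ", ".join(e["reasons"]))
```

Run it against a real capture by replacing SAMPLE_OUTPUT with the file contents (for example, the output of the command collected over SSH during a busy period). The "ratio encryption" command from the earlier reply gives the share of each encryption algorithm but not the TLS/DTLS version, which is why the per-tunnel Encapsulation field is what this script keys on; a session that shows DTLSv1.0 or a non-(EC)DHE suite is the one to check for client version before the old versions and suites are removed from the ASA.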