06-12-2013 04:11 AM - edited 02-21-2020 06:57 PM
I am planning on removing an active algorithm from the SSL settings on our Cisco ASAs.
We have people connected (approx. 100).
If I drop the active algorithm while users are connected using it, what will happen?
I am trying to work out if I need an outage for all users to kick them off first, then remove the active
algorithm (RC4-SHA1).
Thanks
Sam
06-12-2013 05:19 AM
Hi,
I imagine you could use either of these commands (one is for older software and the other for the newer) to show the current sessions and whether they are using the cipher you are about to remove.
(old) show vpn-sessiondb svc filter encryption rc4
(new) show vpn-sessiondb anyconnect filter encryption rc4
Or perhaps
show vpn-sessiondb webvpn filter encryption rc4
Personally if I am doing any change that might affect a lot of users I would always do this at outside working hours or set up a maintenance.
I have not personally done what you are planning on doing, so I don't know what the result will be.
Hope this helps
- Jouni
06-12-2013 06:18 AM
Changing the available SSL encryptions has no effect on connected VPN users. The sessions will remain, and the next VPN sessions will use the newly available encryptions.
From my experience it's best to change that on the CLI:
asa(config)# sh ssl | i cipher
Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 aes128-sha1 null-sha1
asa(config)#
asa(config)# ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 aes128-sha1
asa(config)#
asa(config)# sh ssl | i cipher
Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 aes128-sha1
Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 null-sha1
The reason I prefer the CLI here is exactly what you want to avoid: loss of VPN sessions. Some time ago all sessions were lost when I was changing the order of encryptions in ASDM.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
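As an added illustration for the two replies above (it is not code from the thread or from Cisco), the following Python script does the bookkeeping a practitioner would want before touching the cipher list: it parses the `show ssl | i cipher` output into the enabled and disabled lists, builds the replacement `ssl encryption ...` command with the unwanted ciphers dropped while preserving the existing order, flags any weak ciphers still enabled, and scans `show vpn-sessiondb anyconnect` output for users whose SSL tunnel is still negotiated with the cipher being removed. The `show ssl` sample is constructed to mirror the asker's situation (rc4-sha1 still enabled); the session sample is constructed and modelled on the per-session "Encryption :" line of the ASA output, so the field layout is an assumption and the regexes should be checked against a real ASA before relying on the result.

```python
import re
from typing import List, Tuple

# Cipher names as the ASA spells them in "show ssl" (assumption: names match
# the output quoted in this thread). These are the ones worth removing.
WEAK_CIPHERS = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}

# Constructed sample: the asker's state, with rc4-sha1 still enabled.
SAMPLE_SHOW_SSL = """\
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 aes128-sha1 null-sha1
"""

# Constructed sample modelled on "show vpn-sessiondb anyconnect" output
# (assumption about the exact layout; only the Username and Encryption
# lines are parsed, so extra fields do not matter).
SAMPLE_SESSIONDB = """\
Session Type: AnyConnect

Username     : alice                  Index        : 101
Assigned IP  : 10.10.1.5              Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1

Username     : bob                    Index        : 102
Assigned IP  : 10.10.1.6              Public IP    : 203.0.113.9
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
"""


def parse_show_ssl(output: str) -> Tuple[List[str], List[str]]:
    """Return (enabled ciphers in negotiation order, disabled ciphers)."""
    enabled: List[str] = []
    disabled: List[str] = []
    for line in output.splitlines():
        text = line.strip()
        low = text.lower()
        if low.startswith("enabled cipher order:"):
            enabled = text.split(":", 1)[1].split()
        elif low.startswith("disabled ciphers:"):
            disabled = text.split(":", 1)[1].split()
    return enabled, disabled


def build_ssl_encryption_cmd(enabled: List[str], remove: List[str]) -> str:
    """Build the replacement 'ssl encryption' line, keeping the current order."""
    drop = {c.lower() for c in remove}
    keep = [c for c in enabled if c.lower() not in drop]
    if not keep:
        # Refuse to emit an empty cipher list; that would leave nothing to negotiate.
        raise ValueError("removing these ciphers would leave no SSL cipher enabled")
    return "ssl encryption " + " ".join(keep)


def still_weak(enabled: List[str]) -> List[str]:
    """Weak ciphers that would remain enabled after the change."""
    return [c for c in enabled if c.lower() in WEAK_CIPHERS]


def affected_sessions(sessiondb_output: str, cipher: str) -> List[str]:
    """Usernames whose SSL-Tunnel (or any tunnel) currently uses `cipher`."""
    users: List[str] = []
    current = None
    for line in sessiondb_output.splitlines():
        m = re.match(r"\s*Username\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Encryption\s*:\s*(.*)", line)
        if m and current:
            # Each tunnel appears as "<name>: (<n>)<cipher>".
            tunnels = re.findall(r"([\w-]+):\s*\(\d+\)(\w+)", m.group(1))
            if any(alg.lower() == cipher.lower() for _, alg in tunnels):
                users.append(current)
    return users


if __name__ == "__main__":
    enabled, _ = parse_show_ssl(SAMPLE_SHOW_SSL)
    print("weak ciphers enabled now:", still_weak(enabled))
    print("command to apply:", build_ssl_encryption_cmd(enabled, ["rc4-sha1"]))
    print("users still on RC4:", affected_sessions(SAMPLE_SESSIONDB, "rc4"))
```

Paste the real `show ssl | i cipher` and `show vpn-sessiondb anyconnect` output into the two sample strings; the printed `ssl encryption` line is what you would type in configuration mode, and the user list tells you who is still on RC4 and would have to reconnect before the cipher disappears from their next negotiation.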