Remove Active Algorithms ASA - Anyconnect

somerset-cc
Level 1

I am planning on removing an active algorithm from the SSL settings on our Cisco ASAs.

We have people connected (approx 100).

If I drop the active algorithm but users are connected using this algorithm, what will happen?

I am trying to work out if I need an outage for all users to kick them off first, then remove the active algorithm (RC4-SHA1).

Thanks

Sam


2 Replies

Jouni Forss
VIP Alumni

Hi,

I imagine you could use either of these commands (one is for older software and the other for the new) to show the current sessions and whether they are using the one you are about to remove.

(old) show vpn-sessiondb svc filter encryption rc4

(new) show vpn-sessiondb anyconnect filter encryption rc4

Or perhaps

show vpn-sessiondb webvpn filter encryption rc4

Personally if I am doing any change that might affect a lot of users I would always do this at outside working hours or set up a maintenance.

I have not personally done what you are planning on doing so I don't know what the result will be.

Hope this helps

- Jouni

Changing the available SSL encryptions has no effect on connected VPN users. The sessions will remain and the next VPN sessions will use the new available encryptions.

From my experience it's best to change that on the CLI:

asa(config)# sh ssl | i cipher

Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 3des-sha1

Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 aes128-sha1 null-sha1

asa(config)#

asa(config)# ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 aes128-sha1

asa(config)#

asa(config)# sh ssl | i cipher

Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 aes128-sha1

Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 null-sha1

The reason for me preferring the CLI here is what you want to avoid: loss of VPN sessions. Some time ago all sessions were lost when I was changing the order of encryptions in ASDM.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
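The two `sh ssl | i cipher` snapshots in the reply above show the shape of the change: read the enabled cipher list, drop the weak entries, and re-issue `ssl encryption` with the ciphers that should stay. The following Python script is an added example, not part of the thread or of any Cisco tooling. It parses the `Enabled cipher order:` / `Disabled ciphers:` lines exactly as they appear in the post, flags ciphers containing RC4, DES/3DES, MD5 or NULL as weak, and builds the `ssl encryption` command from the remainder. The sample outputs embedded in the script are copied from the post; the weak-marker list and the function names are my own assumptions.

```python
import re

# Constructed sample input: the "before" output quoted in the post above.
SHOW_SSL_BEFORE = """\
Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 aes128-sha1 null-sha1
"""

# Constructed sample input: the "after" output quoted in the post above.
SHOW_SSL_AFTER = """\
Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 aes128-sha1
Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 null-sha1
"""

# Assumption: substrings that mark a cipher as one to retire.
# "des" also matches "3des"; none of the AES names contain it.
WEAK_MARKERS = ("rc4", "des", "md5", "null")


def parse_show_ssl(text):
    """Return (enabled, disabled) cipher lists from 'show ssl | i cipher' output."""
    enabled, disabled = [], []
    for line in text.splitlines():
        m = re.match(r"\s*Enabled cipher order:\s*(.*)$", line)
        if m:
            enabled = m.group(1).split()
            continue
        m = re.match(r"\s*Disabled ciphers:\s*(.*)$", line)
        if m:
            disabled = m.group(1).split()
    return enabled, disabled


def is_weak(cipher):
    """True if the ASA cipher name contains any weak-algorithm marker."""
    name = cipher.lower()
    return any(marker in name for marker in WEAK_MARKERS)


def plan_cipher_change(text):
    """Split the enabled list into keep/drop and build the ssl encryption command.

    'ssl encryption' takes the complete enabled list, so the command must
    name every cipher that is to remain, in the desired order.
    """
    enabled, _disabled = parse_show_ssl(text)
    keep = [c for c in enabled if not is_weak(c)]
    dropped = [c for c in enabled if is_weak(c)]
    if not keep:
        # Emitting an empty list would leave no usable cipher; refuse instead.
        raise ValueError("no acceptable cipher would remain enabled")
    return {
        "keep": keep,
        "dropped": dropped,
        "command": "ssl encryption " + " ".join(keep),
    }


def weak_ciphers_still_enabled(text):
    """Post-change check: list any weak cipher still in the enabled order."""
    enabled, _disabled = parse_show_ssl(text)
    return [c for c in enabled if is_weak(c)]


if __name__ == "__main__":
    plan = plan_cipher_change(SHOW_SSL_BEFORE)
    print("dropping:", plan["dropped"])
    print("run on the ASA:", plan["command"])
    print("weak ciphers still enabled after change:",
          weak_ciphers_still_enabled(SHOW_SSL_AFTER))
```

Run it against a pasted `show ssl | i cipher` capture before the change to get the exact `ssl encryption` line to type, then again against the post-change capture to confirm nothing from the weak list survived in the enabled order. As the reply notes, existing sessions are not torn down by this change; the check in `weak_ciphers_still_enabled` is about what new sessions will negotiate, while `show vpn-sessiondb ... filter encryption rc4` from the earlier reply remains the way to see which current users are still on the old cipher.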