03-23-2016 11:59 AM
Good Afternoon,
I have an ASA 5525x and an ASA 5555x. Both of them run 9.4(2.6).
The 5525x supports all the new ciphers that are discussed in the release notes.
lab-asa5525x# sh ssl ciphers
Current cipher configuration:
default (fips):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
dtlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
lab-asa5525x#
lab-asa5525x# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point 2016-03.lab-asa Outside
ssl certificate-authentication fca-timeout 2
lab-asa5525x#
The 5555x does not support any of the elliptic curve ciphers that are discussed in the release notes.
ASA5555x-01# sh ssl ciphers
Current cipher configuration:
default (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.2 (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
ASA5555x-01#
ASA5555x-01# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point 2016-03.ssl-vpn Outside_85
ssl certificate-authentication fca-timeout 2
ASA5555x-01#
I opened a TAC case and the TAC engineer's 5585 also running 9.4(2.6) does not support the EC ciphers?
Can anyone help me figure out what I am missing? All -x ASA platforms should support the same features, right?
Thank you
Tim
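As an added example (not from this thread, and not Cisco's own tooling), here is a small Python audit script that parses the `show ssl ciphers` and `show running-config all ssl` output quoted above and reports, per protocol version, how many suites use ECDHE, how many give forward secrecy at all, and which ones rely on weak primitives such as 3DES; it also flags a DH group below 2048 bits. The embedded sample outputs are abbreviated, constructed copies of the two listings in the post, and the DH group size table is taken from the ASA's standard group definitions. Running it against both boxes before and after a change makes a difference like the one in this thread obvious at a glance.

```python
import re

# Constructed sample inputs: abbreviated copies of the `show ssl ciphers` and
# `show running-config all ssl` output quoted in the post (not full captures).
CIPHERS_5525X = """\
Current cipher configuration:
default (fips):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
DHE-RSA-AES256-SHA
AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
lab-asa5525x#
"""

CIPHERS_5555X = """\
Current cipher configuration:
default (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.2 (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DES-CBC3-SHA
ASA5555x-01#
"""

CONFIG_5555X = """\
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 medium
ssl dh-group group2
ssl ecdh-group group19
"""

# ASA DH group names mapped to modulus size in bits (group24 is the 2048-bit
# MODP group with a 256-bit prime-order subgroup).
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536,
                 "group14": 2048, "group24": 2048}

# Section header, e.g. "default (fips):" or "tlsv1.2 (custom): SUITE:SUITE..."
SECTION_RE = re.compile(r"^(\S+) \((\w+)\):(?:\s*(\S+))?$")


def parse_show_ssl_ciphers(text):
    """Return {version: [suite, ...]} from `show ssl ciphers` output.
    The colon-joined string on a '(custom):' header is ignored because the
    ASA lists the same suites line by line underneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("#") or line.startswith("Current cipher"):
            continue  # blank line, CLI prompt, or banner line
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def classify(suite):
    """Classify an OpenSSL-style suite name: key exchange, forward secrecy,
    AEAD use, and whether it relies on a known-weak primitive."""
    if suite.startswith("ECDHE-"):
        kex = "ECDHE"
    elif suite.startswith("DHE-"):
        kex = "DHE"
    else:
        kex = "RSA"  # static RSA key transport: no forward secrecy
    weak = any(tok in suite for tok in ("DES-CBC3", "DES-CBC-", "RC4", "MD5", "NULL"))
    return {"kex": kex, "pfs": kex != "RSA", "aead": "-GCM-" in suite, "weak": weak}


def audit_ciphers(text):
    """Per version: suite count, ECDHE count, forward-secrecy count, weak suites."""
    report = {}
    for version, suites in parse_show_ssl_ciphers(text).items():
        info = [classify(s) for s in suites]
        report[version] = {
            "total": len(suites),
            "ecdhe": sum(1 for i in info if i["kex"] == "ECDHE"),
            "pfs": sum(1 for i in info if i["pfs"]),
            "weak": [s for s, i in zip(suites, info) if i["weak"]],
        }
    return report


def parse_ssl_config(text):
    """Pick the version and group settings out of `show running-config all ssl`."""
    keys = ("server-version", "client-version", "dh-group", "ecdh-group")
    cfg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ssl" and parts[1] in keys:
            cfg[parts[1]] = parts[2]
    return cfg


def audit_config(cfg):
    """Return findings for a server version below TLS 1.2 or a DH modulus below 2048 bits."""
    findings = []
    if cfg.get("server-version") != "tlsv1.2":
        findings.append(f"server-version {cfg.get('server-version')} allows pre-TLS1.2 clients")
    bits = DH_GROUP_BITS.get(cfg.get("dh-group"))
    if bits is not None and bits < 2048:
        findings.append(f"dh-group {cfg['dh-group']} is only {bits}-bit; DHE suites negotiate a weak modulus")
    return findings


if __name__ == "__main__":
    for name, text in (("5525x", CIPHERS_5525X), ("5555x", CIPHERS_5555X)):
        for version, r in audit_ciphers(text).items():
            print(f"{name} {version}: {r['ecdhe']}/{r['total']} ECDHE, "
                  f"{r['pfs']}/{r['total']} PFS, weak={r['weak']}")
    for f in audit_config(parse_ssl_config(CONFIG_5555X)):
        print("5555x config:", f)
```

Feed it the full output of both boxes and the per-version lines show immediately that every version on the 5555x has zero ECDHE suites and still lists DES-CBC3-SHA, while the 5525x custom tlsv1.2 list is ECDHE-only; the config audit separately calls out `ssl dh-group group2`, which the 5525x already has at group24.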
03-23-2016 01:50 PM
Hello,
Disabling the Anyconnect essentials from the global webvpn setting did the trick here.
CLI:
webvpn
no anyconnect-essentials
Thanks,
03-23-2016 12:23 PM
I would have expected them to support the same ciphers, but the 5585s are a bit different from the rest of the lineup.
Just check out the model comparison, and you can see what I mean.