SSL Ciphers different between 5525x and 5555x?

Tim Glen
Cisco Employee

Good Afternoon, 

I have an ASA 5525x and an ASA 5555x.  Both of them run 9.4(2.6).

The 5525x supports all the new ciphers that are discussed in the release notes. 

lab-asa5525x# sh ssl ciphers
Current cipher configuration:
default (fips):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
dtlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
lab-asa5525x#
lab-asa5525x# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point 2016-03.lab-asa Outside
ssl certificate-authentication fca-timeout 2
lab-asa5525x#

The 5555x does not support any of the elliptic curve ciphers that are discussed in the release notes. 

ASA5555x-01# sh ssl ciphers
Current cipher configuration:
default (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.2 (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
ASA5555x-01#
ASA5555x-01# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point 2016-03.ssl-vpn Outside_85
ssl certificate-authentication fca-timeout 2
ASA5555x-01#

I opened a TAC case, and the TAC engineer's 5585, also running 9.4(2.6), does not support the EC ciphers?

Can anyone help me figure out what I am missing? All -x ASA platforms should support the same features, right?

Thank you

Tim

Accepted Solution

Diego Lopez
Level 1

Hello,

Disabling AnyConnect Essentials in the global webvpn settings did the trick here.

CLI:

webvpn
 no anyconnect-essentials

Thanks,

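The two `show ssl ciphers` listings in the question, and the re-check you would do after applying `no anyconnect-essentials`, are easier to compare with a small parser than by eye. The script below is an added example for this thread, not code from the poster or from Cisco: it parses the text the ASA prints, and for each protocol version reports whether any ECDHE suite is offered, whether forward secrecy is available at all, which suites use static RSA key exchange, and which suites are weak (3DES, single DES, RC4, NULL, export grades, MD5). The two sample inputs are trimmed excerpts of the outputs quoted above; the `WEAK_MARKERS` list, the function names and the report fields are this script's own assumptions, not an ASA policy.

```python
"""Audit Cisco ASA `show ssl ciphers` output per protocol version.

Added example for this thread (not Cisco code). The two sample outputs are
trimmed excerpts of what the 5555x and 5525x printed in the thread; the
weak-suite list and the checks are this script's own policy assumptions.
"""
import re

# Matches "default (fips):" and "tlsv1.2 (custom): A:B:C" style headers.
HEADER_RE = re.compile(r"^(?P<version>\S+) \((?P<level>[^)]+)\):\s*(?P<inline>.*)$")

# Assumption: substrings that mark a suite as unacceptable (3DES/SWEET32,
# single DES, RC4, NULL, export grades, MD5 MACs).
WEAK_MARKERS = ("DES-CBC3", "DES-CBC-", "RC4", "NULL", "EXP", "MD5")


def parse_show_ssl_ciphers(text):
    """Return {version: (level, [suite, ...])} from `show ssl ciphers` text.

    Prompt lines (they contain '#') and the banner line are skipped. For a
    custom list the ASA prints the ':'-joined string on the header line and
    then one suite per line; the per-line copies are not double-counted.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line or line.startswith("Current cipher"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("version")
            inline = [s for s in m.group("inline").strip('"').split(":") if s]
            sections[current] = (m.group("level"), inline)
            continue
        if current is None:
            raise ValueError("suite listed before any version header: %r" % line)
        suites = sections[current][1]
        if line not in suites:
            suites.append(line)
    return sections


def audit(sections):
    """Per version: ECDHE offered, any forward secrecy, static-RSA and weak suites."""
    report = {}
    for version, (level, suites) in sections.items():
        report[version] = {
            "level": level,
            "count": len(suites),
            "offers_ecdhe": any(s.startswith("ECDHE-") for s in suites),
            "offers_pfs": any(s.startswith(("ECDHE-", "DHE-")) for s in suites),
            "static_rsa_kx": [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))],
            "weak": [s for s in suites if any(w in s for w in WEAK_MARKERS)],
        }
    return report


def missing_suites(reference, candidate, version):
    """Suites `reference` offers for `version` that `candidate` does not."""
    have = set(candidate.get(version, ("", []))[1])
    return [s for s in reference.get(version, ("", []))[1] if s not in have]


# Constructed sample: trimmed excerpt of the 5555x output in the thread.
ASA5555X_OUTPUT = """\
ASA5555x-01# sh ssl ciphers
Current cipher configuration:
default (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.2 (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DES-CBC3-SHA
ASA5555x-01#
"""

# Constructed sample: trimmed excerpt of the 5525x output in the thread.
ASA5525X_OUTPUT = """\
lab-asa5525x# sh ssl ciphers
Current cipher configuration:
default (fips):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
lab-asa5525x#
"""

if __name__ == "__main__":
    old = parse_show_ssl_ciphers(ASA5555X_OUTPUT)
    new = parse_show_ssl_ciphers(ASA5525X_OUTPUT)
    for name, sections in (("ASA5555x", old), ("ASA5525x", new)):
        for version, findings in audit(sections).items():
            print(name, version, findings)
    print("5555x lacks for tlsv1.2:", missing_suites(new, old, "tlsv1.2"))
```

Paste the full output of `show ssl ciphers` (before and after `no anyconnect-essentials`) in place of the sample strings; on the 5555x listing the audit shows `offers_ecdhe` false for every version and `DES-CBC3-SHA` flagged as weak in each. To confirm from outside the box rather than from the CLI, `openssl s_client -connect <asa>:443 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384` should complete a handshake once the ECDHE suites are active; note that the ECDHE-ECDSA suites can only be negotiated when the SSL trustpoint holds an ECDSA certificate, so with an RSA certificate expect the ECDHE-RSA suites instead.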

2 Replies

Philip D'Ath
VIP Alumni

I would have expected them to support the same ciphers, but the 5585's are a bit different from the rest of the line up.

Just check out the model comparison, and you can see what I mean.

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html
