Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4757
Views
40
Helpful
17
Replies

TCP Access Denied by ACL

Go to solution
wynneitmgr
Level 3
Level 3

‎01-22-2021 11:05 AM

I am unable to connect to our VPN using Cisco AnyConnect on any phones or tablets. We have no problems using AnyConnect on a PC. Getting the following error: TCP access denied by ACL from xxx.xxx.xxx.xx/49279 to outside:xx.xxx.xxx.xx/80.

 

Thank you!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2021 12:23 PM

Ok, fine that session was also using - ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

So you could probably remove DES-CBC-SHA from the TLS 1.0, TLS 1.1 and DTLS 1.0 configuration

View solution in original post

17 Replies 17

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2021 11:09 AM

Hi @wynneitmgr 

Are you sure that is related to this issue?

The destination port in that output is tp/80, but AnyConnect VPN using tcp/443 (amongst others), not tcp/80.

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎01-22-2021 11:11 AM

@Rob Ingram 

It seems every time I try to connect to VPN using AnyConnect on my phone and it fails, I then see this show error show up in the logs on ASDM at the same time.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2021 11:14 AM

Ok, I assume the destination is the IP address of your outside interface?

Has the VPN ever worked from your phone?

What make/model of phone is it?

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎01-22-2021 11:17 AM

Yes it has always worked from phones. Not sure when it actually stopped. Samsung S20

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2021 11:23 AM

Is it running Android 11 and is it running the latst version of AnyConnect?

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎01-22-2021 11:27 AM

@Rob Ingram 

Cisco TAC just helped me out. We changed the SSL Ciphers and that fixed the issue.

ssl cipher default custom "AES256-SHA256:AES256-SHA:AES128-SHA" 

ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" 

ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" 

ssl cipher tlsv1.2 custom "AES256-SHA256:AES256-SHA:AES128-SHA" 

ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2021 11:31 AM

Ok, thanks for posting the update.

Interesting, I assume that means perhaps the android phones don't support some of the ciphers you were previously using and probably now using weaker ciphers? - this "DES-CBC3-SHA" is very weak.

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎01-22-2021 11:38 AM

@Rob Ingram 

So are you saying it is not good to use the DES-CBC3-SHA ciphers? Are they not secure? Where can I find SSL ciphers? Are they listed somewhere online?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2021 11:43 AM

@wynneitmgr 

No it's considered weak. If you connect a phone to the VPN and run the command "show vpn-session detail anyconnect" from the CLI and provide the output for review, we should be able to determine exactly which cipher is in use and perhaps remove the DES-CBC3-SHA (there are 2 others specified in the configuration above).

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎01-22-2021 11:49 AM

@Rob Ingram 

I am connected to VPN via AnyConnect on my phone and I ran the show vpn-session detail anyconnect command. It had a very long output; what hsould I look for in the output?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2021 11:54 AM - edited ‎01-22-2021 11:55 AM

@wynneitmgr 

Look out of Encryption, Hashing, Ciphersuite, Encapsulation. Provide a screenshot if easier.

If you have multiple VPNs established, ensure you are looking at the correct VPN - look for "username".

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎01-22-2021 11:59 AM

@Rob Ingram 

Here is what I see:

Encryption : AES256

Hashing : SHA256
Ciphersuite : AES256-SHA256

Encapsulation: TLSv1.2

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to wynneitmgr

‎01-22-2021 12:05 PM

That's ok, that means you are actually using the encapsulation and cipher highlighted below. So that phone isn't actually using DES-CBC3-SHA, if you wanted to, you could safely remove it and try again to confirm it still works.

 

ssl cipher default custom "AES256-SHA256:AES256-SHA:AES128-SHA"

ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

ssl cipher tlsv1.2 custom "AES256-SHA256:AES256-SHA:AES128-SHA"

ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

 

For each user, you'll actually have a couple of tunnels (TLS and DTLS) - you've probably another tunnel for that user for DTLS encapsulation. Just double check and confirm what is in use for DTLS.

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎01-22-2021 12:16 PM

@Rob Ingram 

The DTLS Tunnel shows:

Encryption : AES256

Hashing : SHA1
Ciphersuite : AES256-SHA
Encapsulation: DTLSv1.0

0 Helpful
Customers Also Viewed These Support Documents