5567 Views | 40 Helpful | 17 Replies

TCP Access Denied by ACL

wynneitmgr (Level 3)

I am unable to connect to our VPN using Cisco AnyConnect on any phones or tablets. We have no problems using AnyConnect on a PC. Getting the following error: TCP access denied by ACL from xxx.xxx.xxx.xx/49279 to outside:xx.xxx.xxx.xx/80.

Thank you!

Accepted Solution

Ok, fine that session was also using - ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

So you could probably remove DES-CBC3-SHA from the TLS 1.0, TLS 1.1 and DTLS 1.0 configuration.

17 Replies

Hi @wynneitmgr 

Are you sure that is related to this issue?

The destination port in that output is tcp/80, but AnyConnect VPN uses tcp/443 (amongst others), not tcp/80.

@Rob Ingram 

It seems every time I try to connect to VPN using AnyConnect on my phone and it fails, I then see this error show up in the logs on ASDM at the same time.

Ok, I assume the destination is the IP address of your outside interface?

Has the VPN ever worked from your phone?

What make/model of phone is it?

Yes, it has always worked from phones. Not sure when it actually stopped. Samsung S20.

Is it running Android 11 and is it running the latest version of AnyConnect?

@Rob Ingram 

Cisco TAC just helped me out. We changed the SSL Ciphers and that fixed the issue.

ssl cipher default custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

Ok, thanks for posting the update.

Interesting, I assume that means perhaps the Android phones don't support some of the ciphers you were previously using and are probably now using weaker ciphers? This "DES-CBC3-SHA" is very weak.

@Rob Ingram 

So are you saying it is not good to use the DES-CBC3-SHA ciphers? Are they not secure? Where can I find SSL ciphers? Are they listed somewhere online?

@wynneitmgr 

No, it's considered weak. If you connect a phone to the VPN and run the command "show vpn-session detail anyconnect" from the CLI and provide the output for review, we should be able to determine exactly which cipher is in use and perhaps remove the DES-CBC3-SHA (there are 2 others specified in the configuration above).

@Rob Ingram 

I am connected to VPN via AnyConnect on my phone and I ran the "show vpn-session detail anyconnect" command. It had a very long output; what should I look for in the output?

@wynneitmgr 

Look out for Encryption, Hashing, Ciphersuite, Encapsulation. Provide a screenshot if easier.

If you have multiple VPNs established, ensure you are looking at the correct VPN: look for "username".

@Rob Ingram 

Here is what I see:

Encryption : AES256
Hashing : SHA256
Ciphersuite : AES256-SHA256
Encapsulation: TLSv1.2

That's ok, that means you are actually using the encapsulation and cipher highlighted below. So that phone isn't actually using DES-CBC3-SHA; if you wanted to, you could safely remove it and try again to confirm it still works.

ssl cipher default custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

For each user you'll actually have a couple of tunnels (TLS and DTLS), so there is probably another tunnel for that user with DTLS encapsulation. Just double check and confirm what is in use for DTLS.

@Rob Ingram 

The DTLS Tunnel shows:

Encryption : AES256
Hashing : SHA1
Ciphersuite : AES256-SHA
Encapsulation: DTLSv1.0
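The check Rob walks through above (find the 3DES suite in the "ssl cipher" lines, then confirm from the session detail that no active TLS or DTLS tunnel actually negotiated it before removing it) can be scripted so it is repeatable across many sessions. The following is an added example, not code from the thread or from Cisco: it parses the five "ssl cipher" lines posted above and a constructed sample of the Encryption/Hashing/Ciphersuite/Encapsulation fields from "show vpn-session detail anyconnect", reports which protocol versions offer DES-CBC3-SHA, which tunnels (if any) are using it, and, when none are, renders the cleaned configuration the accepted solution describes. The session output layout is an assumption modelled on the fields quoted in the thread, not a verbatim ASA capture.

```python
import re

# Cipher the thread identifies as weak (3DES); extend this set as policy requires.
WEAK_CIPHERS = {"DES-CBC3-SHA"}

# The "ssl cipher" lines posted in the thread (real configuration from the page).
ASA_SSL_CIPHER_CONFIG = """\
ssl cipher default custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA256:AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
"""

# Constructed sample (assumed layout) of the fields the thread says to look for;
# the values are the ones the poster reported for the TLS and DTLS tunnels.
SESSION_OUTPUT = """\
Username     : jdoe                    Index        : 12
  Encryption   : AES256                 Hashing      : SHA256
  Ciphersuite  : AES256-SHA256
  Encapsulation: TLSv1.2
  Encryption   : AES256                 Hashing      : SHA1
  Ciphersuite  : AES256-SHA
  Encapsulation: DTLSv1.0
"""

CONFIG_LINE = re.compile(r'^ssl cipher (\S+) custom "([^"]+)"\s*$', re.M)
FIELD = re.compile(r"(Encryption|Hashing|Ciphersuite|Encapsulation)\s*:\s*(\S+)")


def parse_ssl_cipher_config(text):
    """Return {version: [cipher, ...]} from 'ssl cipher <version> custom "a:b:c"' lines."""
    return {ver: suites.split(":") for ver, suites in CONFIG_LINE.findall(text)}


def weak_ciphers_in_config(config, weak=WEAK_CIPHERS):
    """Map each version that offers a weak suite to the weak suites it offers."""
    found = {}
    for ver, suites in config.items():
        hits = [c for c in suites if c in weak]
        if hits:
            found[ver] = hits
    return found


def parse_session_tunnels(text):
    """Group the four fields into one record per tunnel.

    The ASA prints Encryption and Hashing on the same line, so the regex is
    applied across the whole text; each new Encryption field starts a tunnel.
    """
    tunnels, current = [], {}
    for key, value in FIELD.findall(text):
        if key == "Encryption" and current:
            tunnels.append(current)
            current = {}
        current[key] = value
    if current:
        tunnels.append(current)
    return tunnels


def tunnels_using(tunnels, cipher):
    """Tunnels whose negotiated Ciphersuite is exactly the given suite."""
    return [t for t in tunnels if t.get("Ciphersuite") == cipher]


def remove_cipher(config, cipher):
    """Copy of config with the suite dropped; refuse to leave any version with no suites."""
    cleaned = {}
    for ver, suites in config.items():
        kept = [c for c in suites if c != cipher]
        if not kept:
            raise ValueError(f"removing {cipher} would leave '{ver}' with no ciphers")
        cleaned[ver] = kept
    return cleaned


def render_config(config):
    """Render the dict back into ASA 'ssl cipher' lines, preserving order."""
    return "\n".join(f'ssl cipher {ver} custom "{":".join(s)}"' for ver, s in config.items())


def removal_plan(config_text, session_text, cipher="DES-CBC3-SHA"):
    """Decide whether the suite can be removed without dropping an active tunnel."""
    config = parse_ssl_cipher_config(config_text)
    tunnels = parse_session_tunnels(session_text)
    in_use = tunnels_using(tunnels, cipher)
    return {
        "affected_versions": [v for v, s in config.items() if cipher in s],
        "tunnels_using_cipher": in_use,
        "safe_to_remove": not in_use,
        "new_config": render_config(remove_cipher(config, cipher)) if not in_use else None,
    }


if __name__ == "__main__":
    plan = removal_plan(ASA_SSL_CIPHER_CONFIG, SESSION_OUTPUT)
    print("versions offering DES-CBC3-SHA:", plan["affected_versions"])
    print("tunnels negotiating it:", plan["tunnels_using_cipher"])
    print("safe to remove:", plan["safe_to_remove"])
    if plan["new_config"]:
        print(plan["new_config"])
```

Run it against the real "show vpn-session detail anyconnect" output with every mobile client connected; if `tunnels_using_cipher` is empty the cleaned lines match the accepted solution (DES-CBC3-SHA gone from tlsv1, tlsv1.1 and dtlsv1, the other versions untouched), and if it is not, the listed tunnels identify which client would lose connectivity first.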