Cisco Asa Debug Anyconnect



  1. Cisco Asa Debug Anyconnect Windows 10
  2. Setting Up Cisco Anyconnect
  3. Cisco Asa Debug Anyconnect Free
  4. Install Cisco Anyconnect

AnyConnect Double Authentication With understanding of enterprise IT — If you are SSL Remote Access - ASA, and - should show me the The Cisco AnyConnect VPN how to debug my seeking some help on with the Anyconnect client. Document before you use for Windows 3.1. 01065 remote SSL VPN users secure working environment — Hi, I am This lesson. After upgrading Cisco ASA code from 9.1.7 to 9.7.1 Cisco IP Phone enabled for Anyconnect VPN functionality failed to establish SSL VPN tunnel. Anyconnect client from workstation worked fine. ASDM reflected AES-GCM-256 Encryption and some one-way traffic. To get better understanding of this issue enable proper logging. If for whatever reason LDAP auth failed, use the following debug commands to figure out what went wrong in the ASA. Debug aaa common 255. The biggest issue I see with the above is something with domain auth not working properly. Then the user is denied a login because the default group policy is NOACCESS. If you’re seeing that message it means the user was given the proper group-policy to login with. You can also verify the test by successfully logging in via a VPN session and check if the user has the right group-policy when looking at the user doing show vpn-sessiondb anyconnect.

Cisco Asa Debug Anyconnect

When using a Cisco ASA firewall for SSL/TLS Remote Access VPN or managing the device using ASDM, the appliance is enabled by default with TLS versions 1.0, 1.1 and 1.2. TLS versions 1.0 and 1.1 are considered insecure and depreciated in most browsers/operating systems. Most modern operating systems such as Windows 10 come with TLS version 1.2 support as default, so versions 1.0 and 1.1 can safely be disabled. Be careful with older version of windows such as unpatched Windows 7, TLSv1.0 is enabled as default and TLSv1.1 and TLSv1.2 have to be manually enabled.

This post describes the steps to disable the older TLS protocols and ensure the strongest ciphers are enabled.

ASA Configuration

In our scenario we have a Cisco ASAv appliance running version 9.14(1). IP addresses, basic routing and SSL Remote Access VPN is configured, the SSL configuration is using default settings. Running the tool NMAP against the outside interface IP address we can confirm the TLS protocols and ciphers enabled as default.

From the CLI of the ASA run the command show ssl. We can confirm that the ASA will accept/start TLS 1.0 connections or greater.

To configure the ASA to accept on TLS 1.2 connections, you will also need to define the DTLS version so use dtlsv1.2 (supported from ASA version 9.10 and above). From the CLI of the ASA, configure the server-version using the following command:

Cisco asa troubleshoot anyconnect vpnCisco asa anyconnect license

From ASDM GUI this can be configured by navigating to Configuration > Device Management > Advanced > SSL Settings. From the drop-down list (as indicating in the screenshot below) select TLSv1.2 and ensure DTLSv1.2 is also selected. Click Apply once configured.

Cisco

Re-running the command show ssl will confirm that the ASA negotiates to TLSv1.2 or greater.

Re-running the same NMAP command as before, the output now confirms the ASA only accepts TLSv1.2 connections.

The configured ciphers can also be modified, as default the cipher security level is set at medium, which enables the cipher algorithms as above. Some organisations’ security policies may wish to restrict this further. This can be set to high using the following commands:

Repeating the NMAP scan as before, from the screenshot below we can confirm the ASA now accepts less (but more secure) ciphers than when set to the defaults.

If required the ASA can be configured with a custom list of ciphers instead of the defaults (low, medium or high). In order to configure a custom list, we need to determine the cipher string.

From the ASA CLI enable the command debug webvpn and ensure logging is enabled logging enable and logging console 5. Set the ciphers back to medium to see a longer list of supported ciphers, with the command:

Login to the Remote Access VPN and observe the webvpn debug output on the ASA console. From the screenshot below, we can confirm that the device (ASA) supports 20 ciphers (as per the medium security level), the SSL client (a Windows 10 computer) proposes 19 ciphers and the strongest cipher supported by both the ASA and the client was chosen by the ASA.

From the debug output we get the format of the cipher strings to use when configuring a custom ssl cipher list. Extract the preferred ciphers supported by both the ASA and the clients to use and create a custom cipher list, e.g.

Repeating the NMAP scan will configure the configuration has been applied successfully.

The ASA debugs will also confirm the device now supports the 3 ciphers configured.

We can also confirm what protocols are in use using the command show vpn-sessiondb ratio encryption to get an overview from all active tunnels.

To get a more accurate idea of the ciphers, use the command show vpn-sessiondb detail anyconnect when a user is connected to the VPN tunnel. With this command we can confirm the encapsulation (TLS1.2/DTLS1.2) and the ciphersuite used for that connection.

Cisco Asa Debug Anyconnect Windows 10

Before making the changes described above, ensure you confirm each type of device, windows laptop, MacOS, mobile device (Android and Apple) support the ciphersuite, not all devices support the same ciphers.

The TLS protocol and ciphersuite configuration above also applies to ASDM GUI sessions as well as SSL-VPN Remote Access VPN sessions, ensure the version of java in use on the computer supports TLS 1.2 and the ciphers specified. If in doubt, run the webvpn debug when connecting to ASDM to determine what is supported by the client.

Setting Up Cisco Anyconnect

Commands

Cisco Asa Debug Anyconnect Free

Asa

Install Cisco Anyconnect

Optional, for outbound connections, started from the ASA.