After upgrading Cisco ASA code from 9.1.7 to 9.7.1, a Cisco IP Phone enabled for AnyConnect VPN failed to establish its SSL VPN tunnel. The AnyConnect client on a workstation worked fine. ASDM showed AES-GCM-256 encryption for the phone session and some one-way traffic.
To get a better understanding of the issue, enable the relevant logging classes at debug level.
logging class auth buffered debugging
logging class svc buffered debugging
logging class ssl buffered debugging
This command shows the SSL errors recorded on the ASA.
sh ssl errors
The following error messages were observed:
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number@s3_srvr.c:1560
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher@s3_srvr.c:2053
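As an added example, not part of the original post, here is a small Python parser for `show ssl errors` lines like the ones above. It decodes the 8-digit OpenSSL error code into its library, function and reason numbers and tags the negotiation failures (no shared cipher, wrong version number), which is useful when forwarding ASA SSL errors to monitoring. The input is the three lines above embedded as constructed sample data; the category names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed input: the three `show ssl errors` lines quoted in this post.
SAMPLE_SSL_ERRORS = """\
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number@s3_srvr.c:1560
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher@s3_srvr.c:2053
"""

# OpenSSL 1.x format: error:<8 hex digits>:<library>:<function>:<reason>@<file>:<line>
LINE_RE = re.compile(
    r"^error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^@]+)@(?P<file>[^:]+):(?P<srcline>\d+)$"
)

# Reason strings meaning the ClientHello was rejected; the category (my own
# naming) points at the ASA knob to check: the cipher list or the TLS version.
NEGOTIATION_REASONS = {
    "no shared cipher": "cipher-mismatch",        # SSL_R_NO_SHARED_CIPHER (193)
    "wrong version number": "version-mismatch",   # SSL_R_WRONG_VERSION_NUMBER (267)
}

@dataclass
class SslError:
    code: int
    lib_num: int     # bits 24..31: ERR_LIB_*, 20 = SSL, 6 = EVP
    func_num: int    # bits 12..23: function id
    reason_num: int  # bits 0..11: reason id
    library: str
    function: str
    reason: str
    category: str    # "cipher-mismatch", "version-mismatch" or "other"

def parse_ssl_error(line: str) -> Optional[SslError]:
    """Parse one error line; return None for lines that are not OpenSSL errors."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m["code"], 16)
    reason = m["reason"].strip()
    return SslError(code, (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF,
                    m["lib"], m["func"], reason, NEGOTIATION_REASONS.get(reason, "other"))

def summarize(text: str) -> Dict[str, int]:
    # Count failure categories across a whole `show ssl errors` dump.
    counts: Dict[str, int] = {}
    for err in filter(None, map(parse_ssl_error, text.splitlines())):
        counts[err.category] = counts.get(err.category, 0) + 1
    return counts
```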
These errors clearly point to a mismatch in SSL versions and cipher suites between the phone and the ASA. Checking the current running SSL configuration, I found these settings.
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
The fix is to replace the "medium" cipher setting with an explicit custom cipher list. Additional ciphers can be added to the list if needed.
ssl cipher default custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
Once the custom settings were applied, the Cisco IP Phone established its SSL VPN tunnel.