Cisco ASA: AnyConnect VPN Phone fails to connect after ASA code upgrade

After upgrading the Cisco ASA code from 9.1.7 to 9.7.1, a Cisco IP Phone enabled for AnyConnect VPN failed to establish its SSL VPN tunnel. The AnyConnect client on a workstation continued to work fine. ASDM showed AES-GCM-256 encryption and some one-way traffic.

To get a better understanding of this issue, enable the relevant logging classes at debugging level:

logging class auth buffered debugging
logging class svc buffered debugging
logging class ssl buffered debugging

This command shows the SSL errors the ASA has recorded:

sh ssl errors

The following error messages were observed:

error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number@s3_srvr.c:1560
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher@s3_srvr.c:2053

These errors clearly point to an SSL cipher and protocol version mismatch between the phone and the ASA. Checking the current running SSL configuration, I found these settings:
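A small parser for the "show ssl errors" output, added here as an example and not part of the original post: it splits each line into the packed OpenSSL error code, library, function and reason, decodes the library and reason identifiers from the code, and flags lines that indicate a negotiation failure (the "no shared cipher" and "wrong version number" reasons above) as opposed to key or certificate problems. The sample buffer is the three lines quoted in the post; the classification rule is my own assumption.

```python
import re
from dataclasses import dataclass

# "show ssl errors" prints OpenSSL-style error strings with the source location
# appended after '@'. The 8-hex-digit code packs the OpenSSL library (8 bits),
# function (12 bits) and reason (12 bits) identifiers.
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^@\n]+)@[^:\s]+:\d+")

# Assumed rule: these reasons mean the client hello was rejected during
# cipher/protocol negotiation (the symptom fixed in the post).
NEGOTIATION_REASONS = {"no shared cipher", "wrong version number"}

# Sample buffer: the three lines quoted in the post.
SAMPLE = """\
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number@s3_srvr.c:1560
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher@s3_srvr.c:2053
"""

@dataclass(frozen=True)
class SslError:
    code: int
    library: str
    function: str
    reason: str

    @property
    def lib_id(self) -> int:      # 0x14 = ERR_LIB_SSL, 0x06 = ERR_LIB_EVP
        return self.code >> 24

    @property
    def reason_id(self) -> int:   # e.g. 193 = SSL_R_NO_SHARED_CIPHER
        return self.code & 0xFFF

    @property
    def negotiation_failure(self) -> bool:
        return self.reason in NEGOTIATION_REASONS

# Turn raw "show ssl errors" output into structured records.
def parse_ssl_errors(text: str) -> list[SslError]:
    return [SslError(int(m["code"], 16), m["lib"], m["func"], m["reason"])
            for m in ERR_RE.finditer(text)]

# List the distinct reasons and flag whether the handshake died in negotiation.
def summarize(text: str) -> dict:
    errors = parse_ssl_errors(text)
    return {"reasons": sorted({e.reason for e in errors}),
            "negotiation_failure": any(e.negotiation_failure for e in errors)}
```

Paste the real buffer from the ASA in place of SAMPLE; a True negotiation_failure is the cue to review the ssl cipher configuration before suspecting certificates.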

ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium

The fix is to replace the medium cipher level with an explicit custom cipher list for each protocol version. Additional ciphers can be added if needed; keep the list to what the clients actually require, since it applies to every SSL VPN session the ASA terminates:

ssl cipher default custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"

Once the custom cipher settings were applied, the Cisco IP Phone established its SSL VPN tunnel.
