Mailing List Archive

Anyconnect VPN on IOS that supports TLS 1.2
Hey all,

I've got a small company I support occasionally that deploys
AnyConnect VPN service on small ISR G2 models for customers. It seems that
recently Chrome and it seems like Edge and IE are not allowing connections
to TLS 1.0 or anything SSL. It appears that based on googling this is a
known issue that was resolved on ASA with a recent 9.x release. Anyone
know a work-around for IOS 15.x? Once the users of the VPN log in once to
the portal page they can install the AnyConnect client and never use the
browser again. But that first time is an issue. The configs are good,
works fine on older Firefox versions.

Thanks,

Chuck

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: Anyconnect VPN on IOS that supports TLS 1.2
Hello,

On Fri, 7 Aug 2020 at 19:46, Chuck Church <chuckchurch@gmail.com> wrote:
> Hey all,
>
> I've got a small company I support occasionally that deploys
> AnyConnect VPN service on small ISR G2 models for customers. It seems that
> recently Chrome and it seems like Edge and IE are not allowing connections
> to TLS 1.0 or anything SSL. It appears that based on googling this is a
> known issue that was resolved on ASA with a recent 9.x release. Anyone
> know a work-around for IOS 15.x? Once the users of the VPN log in once to
> the portal page they can install the AnyConnect client and never use the
> browser again. But that first time is an issue. The configs are good,
> works fine on older Firefox versions.

While CSCuv27265 ("ENH: Enable support for TLSv1.1 & TLSv1.2 for http
secure server/client") is fixed in 15.5(3)M4 (and 15.6(3)M of course),
CSCux73159 ("ENH: TLS1.2 Support for SSLVPN on IOS and IOS-XE") is
terminated (it's unclear why).

But maybe the former fix is enough to download the client? I suggest
you try the 15.6(3)M train or later.

lukas

Re: Anyconnect VPN on IOS that supports TLS 1.2
Chuck,
in case you're in for an "at least it works" solution in chrome:

chrome://flags/#legacy-tls-enforced
-> disable "Enforce deprecation of legacy TLS versions"

regards,
hk
