Cisco ASA VPN PCI failure due to weak SSL encryption - part 2

agradmin

We continue to fail a PCI scan on our Cisco ASA firewall due to cipher vulnerabilities as follows (note: all on UDP port 500, TLS minimum set to TLS 1.1):
- Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device.
- Weak Diffie-Hellman groups identified on VPN Device. Use Diffie-Hellman Key Exchange Group 5 or higher where possible, or the highest available to the VPN endpoints.

We use the Cisco AnyConnect client for connections, with all clients accessing AES256.

After setting the firewall DH group level to 5 and the cipher security level to MEDIUM (no DES/3DES support), I am still seeing PCI failures due to DES/3DES and a DH group level of 2.
Can anyone explain this (and how to resolve it)? Does the ASA require a reload to use the new settings?

Following is the cipher information from the firewall:
asa1234x# sh ssl cipher
Current cipher configuration:
default (custom): AES256-SHA:AES128-SHA
tlsv1 (medium):
tlsv1.1 (medium):
tlsv1.2 (medium):
dtlsv1 (medium):
btan (Exec Consultant, Distinguished Expert 2018)

Should go for TLS 1.2 to get a good score, which means only having the SHA-2 suite instead of SHA.


I agree and am aware TLS 1.2 would be preferred, but am concerned about the client side.
Christopher Jay Wolff (Wiggle My Legs, Owner)

Did you update all Cisco software? Apparently Cisco had some problems a while back, described below. I don't pretend to know or understand all this, but thought it worth mentioning to see if you think it is relevant.

CVE-2014-3393: Security Appliance Turned Security Risk

A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.

The vulnerability is due to an improper implementation of authentication checks in the Clientless SSL VPN portal customization framework. An attacker could exploit this vulnerability by modifying some of the customization objects in the RAMFS cache file system. An exploit could allow the attacker to bypass Clientless SSL VPN authentication and modify the portal content.

From this link.
btan (Exec Consultant, Distinguished Expert 2018)

Only AnyConnect 4.x supports TLS 1.2, and ASA 9.3(2).
New Features in AnyConnect 4.0.00048

AnyConnect now supports TLS version 1.2 with the following additional cipher suites:

Note - AnyConnect TLS 1.2 requires a secure gateway that also supports TLS 1.2. This is available in release 9.3(2) of the ASA on 5500-X models.
Pete Long (Technical Consultant)

If you are seeing these on port 500 then that's ISAKMP, my friend; this means you have an IKEv1 or IKEv2 policy that is using these settings, and that's typically (not always) for IPsec VPN, not AnyConnect.

Issue a 'show run crypto' and press the space bar a lot to page down; there at the bottom are your IKE policies. I bet one of them matches whatever the scan is moaning about.

Run 'show run cry isa', and make sure you don't have any IKE/IPsec tunnels up before you remove them.



Thanks Pete, once again you have hit the nail on the head. These are likely remnants of our legacy IPsec VPNs. We use AnyConnect exclusively at this point; how would you suggest we proceed?

Here's the result of the sh run cry isa:
sh run cry isa
crypto isakmp nat-traversal 3600
Pete Long (Technical Consultant)
Oops, I meant 'show cry isa' (tells you if you have any phase 1 VPN tunnels using ISAKMP).

Disabling depends on your version (ASA code).

If it's newer than 8.4 (which is old!):


no crypto ikev1 enable outside
no crypto ikev2 enable outside

Should do the trick.
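An added check, not from this thread and not Cisco tooling, that automates Pete's three steps: it parses `show run crypto` text for IKEv1/IKEv2 policies still using DES/3DES or a DH group below 5 (what the PCI scan flags on UDP 500), confirms from `show crypto isakmp sa` that no IKE SAs are up, and only then emits the two `no crypto ... enable` commands. The sample config and SA output are constructed, and the function names are my own.

```python
import re

# Constructed, abbreviated sample of `show run crypto` output (not from the thread).
SAMPLE_RUN_CRYPTO = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 encryption 3des
 group 2
crypto ikev1 policy 20
 encryption aes-256
 group 5
crypto ikev2 policy 1
 encryption aes-256
 group 5 2
"""
# Constructed sample of `show crypto isakmp sa` output, matching what the thread shows.
SAMPLE_ISAKMP_SA = "There are no IKEv1 SAs\n\nThere are no IKEv2 SAs\n"

WEAK_CIPHERS = {"des", "3des"}
MIN_DH_GROUP = 5  # the scanner asks for DH group 5 or higher

def weak_ike_policies(run_crypto):
    """Return (ike_version, policy_id, reasons) for each policy a PCI scanner would flag."""
    findings = []
    for block in re.split(r"^(?=crypto ikev[12] policy )", run_crypto, flags=re.M):
        m = re.match(r"crypto (ikev[12]) policy (\d+)", block)
        if not m:
            continue  # not a policy block (e.g. 'crypto ikev1 enable outside')
        reasons = []
        enc = re.search(r"^\s*encryption (.+)$", block, re.M)
        if enc and set(enc.group(1).split()) & WEAK_CIPHERS:
            reasons.append("weak cipher: " + enc.group(1))
        grp = re.search(r"^\s*group (.+)$", block, re.M)  # IKEv2 may list several groups
        low = [g for g in grp.group(1).split() if int(g) < MIN_DH_GROUP] if grp else []
        if low:
            reasons.append("weak DH group(s): " + " ".join(low))
        if reasons:
            findings.append((m.group(1), int(m.group(2)), reasons))
    return findings

def ike_idle(isakmp_sa):
    """True when `show crypto isakmp sa` reports no IKEv1 and no IKEv2 SAs."""
    return "There are no IKEv1 SAs" in isakmp_sa and "There are no IKEv2 SAs" in isakmp_sa

def remediation(run_crypto, isakmp_sa, iface="outside"):
    """Commands to apply: disable IKE on the interface only when nothing is using it."""
    if not weak_ike_policies(run_crypto):
        return []
    if not ike_idle(isakmp_sa):
        return []  # live IPsec tunnels: tighten the flagged policies instead of disabling IKE
    return [f"no crypto ikev1 enable {iface}", f"no crypto ikev2 enable {iface}"]
```

Feed it the real command output captured from the ASA; with an active tunnel it deliberately returns nothing, so the weak policy has to be fixed rather than IKE switched off.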



Thanks Pete, the version is 9.8 as follows, so we should be good to go:
Cisco Adaptive Security Appliance Software Version 9.8(2)24

Here's the result of the command; let me know if your thoughts still hold true.

 sh cry isa
There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
  Active Tunnels:              0
  Previous Tunnels:            0
  In Octets:             1913224
  In Packets:               3581
  In Drop Packets:          2326
  In Notifys:                  6
  In P2 Exchanges:             0
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:    0
  Out Octets:             860524
  Out Packets:              4473
  Out Drop Packets:            0
  Out Notifys:              3237
  Out P2 Exchanges:            0
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:   0
  Initiator Tunnels:           0
  Initiator Fails:             0
  Responder Fails:          3567
  System Capacity Fails:       0
  Auth Fails:               1060
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 8

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs:                150
  In-Negotiation SAs:                      0
  In-Negotiation SAs Highwater:           15
  In-Negotiation SAs Rejected:             0

Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Octets:                            1696
  In Packets:                              4
  In Drop Packets:                         4
  In Drop Fragments:                       0
  In Notifys:                              0
  In P2 Exchange:                          0
  In P2 Exchange Invalids:                 0
  In P2 Exchange Rejects:                  0
  In IPSEC Delete:                         0
  In IKE Delete:                           0
  Out Octets:                              0
  Out Packets:                             0
  Out Drop Packets:                        0
  Out Drop Fragments:                      0
  Out Notifys:                             0
  Out P2 Exchange:                         0
  Out P2 Exchange Invalids:                0
  Out P2 Exchange Rejects:                 0
  Out IPSEC Delete:                        0
  Out IKE Delete:                          0
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:           0
  System Capacity Failures:                0
  Authentication Failures:                 0
  Decrypt Failures:                        0
  Hash Failures:                           0
  Invalid SPI:                             0
  In Configs:                              0
  Out Configs:                             0
  In Configs Rejects:                      0
  Out Configs Rejects:                     0
  Previous Tunnels:                        0
  Previous Tunnels Wraps:                  0
  In DPD Messages:                         0
  Out DPD Messages:                        0
  Out NAT Keepalives:                      0
  IKE Rekey Locally Initiated:             0
  IKE Rekey Remotely Initiated:            0
  CHILD Rekey Locally Initiated:           0
  CHILD Rekey Remotely Initiated:          0

IKEV2 Call Admission Statistics
  Max Active SAs:                   No Limit
  Max In-Negotiation SAs:               1500
  Cookie Challenge Threshold:          Never
  Active SAs:                              0
  In-Negotiation SAs:                      0
  Incoming Requests:                       0
  Incoming Requests Accepted:              0
  Incoming Requests Rejected:              0
  Outgoing Requests:                       0
  Outgoing Requests Accepted:              0
  Outgoing Requests Rejected:              0
  Rejected Requests:                       0
  Rejected Over Max SA limit:              0
  Rejected Low Resources:                  0
  Rejected Reboot In Progress:             0
  Cookie Challenges:                       0
  Cookie Challenges Passed:                0
  Cookie Challenges Failed:                0

Global IKEv1 IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
Pete Long (Technical Consultant)

Here's your clue :)

There are no IKEv1 SAs
There are no IKEv2 SAs

Good to go!!


Thanks Pete, that's what I thought/hoped, I'll move ahead.
Pete Long (Technical Consultant)

No bother!


Good news: Pete has come through yet again! I re-ran a scan after disabling IKE as suggested and it now comes back clean.

Thanks Pete!


Thanks to all for their expert input.
