Cisco Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide
Note: After the first entry in the list (group 1, or group 2 in FIPS mode), the groups are listed in order from strongest to weakest. This puts the elliptic curve groups first (21, 20, 19), followed by the Modular Exponential (MODP) groups (24, 14, 5, 2).
Tip: If the gateway is configured with multiple DH groups in the same policy and group 1 (or group 2 in FIPS mode) is among them, the ASA accepts the weaker group. The fix is to configure DH group 1 by itself in its own policy on the gateway. When multiple groups are configured in one policy but group 1 is not among them, the strongest group is selected. For example:
- On ASA Version 9.0 (suite B) with IKEv2 policy set to 1 2 5 14 24 19 20 21, group 1 is selected as expected.
- On ASA Version 9.0 (suite B) with IKEv2 policy set to 2 5 14 24 19 20 21, group 21 is selected as expected.
- With the client in FIPS mode on ASA Version 9.0 (suite B) with IKEv2 policy set to 1 2 5 14 24 19 20 21, group 2 is selected as expected.
- With the tested client in FIPS mode on ASA Version 9.0 (suite B) with IKEv2 policy set to 5 14 24 19 20 21, group 21 is selected as expected.
- On ASA Version 8.4.4 (non-suite B) with IKEv2 policy set to 1 2 5 14, group 1 is selected as expected.
- On ASA Version 8.4.4 (non-suite B) with IKEv2 policy set to 2 5 14, group 14 is selected as expected.
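The selection rule described in the note and tip above can be checked against the six listed outcomes with a small model. The following Python is an added example, not code from the Cisco guide; it assumes (the guide does not state this) that the gateway ends up with the first group in the client's proposal order that also appears in its IKEv2 policy, where the proposal order is group 1 (or 2 in FIPS mode) first and then the remaining groups from strongest to weakest. The function and variable names are the example's own.

```python
# Added example (not from the Cisco guide): a model of the IKEv2 DH group
# selection behaviour the guide documents for AnyConnect against an ASA.
#
# Assumption (not stated in the guide): the gateway accepts the first group in
# the client's proposal order that also appears in the matching IKEv2 policy.
# The client's proposal order follows the guide's note: group 1 (or 2 in FIPS
# mode) first, then the remaining groups from strongest to weakest.

from typing import Iterable, Optional

# Strongest to weakest, per the guide: elliptic curve groups first, then MODP.
STRONGEST_TO_WEAKEST = [21, 20, 19, 24, 14, 5, 2]


def client_proposal_order(fips_mode: bool) -> list[int]:
    """Return the DH groups in the order the client is documented to offer them."""
    first = 2 if fips_mode else 1
    rest = [g for g in STRONGEST_TO_WEAKEST if g != first]
    return [first] + rest


def parse_policy_groups(policy_line: str) -> list[int]:
    """Parse the groups from an ASA 'group 5 2'-style policy line."""
    tokens = policy_line.split()
    if not tokens or tokens[0] != "group":
        raise ValueError(f"not a 'group' line: {policy_line!r}")
    return [int(t) for t in tokens[1:]]


def selected_group(policy_groups: Iterable[int], fips_mode: bool) -> Optional[int]:
    """Group the gateway ends up using, or None when there is no common group."""
    configured = set(policy_groups)
    for group in client_proposal_order(fips_mode):
        if group in configured:
            return group
    return None


def weakest_group_accepted(policy_groups: Iterable[int], fips_mode: bool) -> bool:
    """True when a policy lists several groups but the weak first-offered one wins.

    This is the condition the guide's tip warns about: a stronger group is
    configured in the policy, yet group 1 (or 2 in FIPS mode) is negotiated.
    """
    groups = list(policy_groups)
    chosen = selected_group(groups, fips_mode)
    first = client_proposal_order(fips_mode)[0]
    return chosen == first and len(set(groups)) > 1


if __name__ == "__main__":
    # The six outcomes listed in the guide, reproduced by the model above.
    cases = [
        ("1 2 5 14 24 19 20 21", False, 1),
        ("2 5 14 24 19 20 21", False, 21),
        ("1 2 5 14 24 19 20 21", True, 2),
        ("5 14 24 19 20 21", True, 21),
        ("1 2 5 14", False, 1),
        ("2 5 14", False, 14),
    ]
    for groups, fips, expected in cases:
        parsed = parse_policy_groups("group " + groups)
        got = selected_group(parsed, fips)
        flag = "  <-- weaker group negotiated" if weakest_group_accepted(parsed, fips) else ""
        print(f"policy 'group {groups}' fips={fips}: selected {got} (expected {expected}){flag}")
```

Running the block prints one line per documented case; `weakest_group_accepted` flags the policies where the tip's workaround (moving group 1 into a policy of its own) applies. Note that in FIPS mode the model never returns group 1, since the client does not offer it.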
Problem
The ASA is configured with these IKEv2 policies:
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha384 sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
In this configuration, policy 1 is clearly configured in order to support all FIPS-enabled cryptographic algorithms. However, when a user tries to connect from a FIPS-enabled client, the connection fails with the error message:
The cryptographic algorithms required by the secure gateway do not match those
supported by AnyConnect. Please contact your network administrator.
However, if the admin changes policy 1 so that it uses DH group 2 instead of 20, the connection works.