Manualsbrain.com
  1. Manuals
  2. Brands
  3. Cisco
  4. Cisco AnyConnect Secure Mobility Client v2.x
  5. Troubleshooting Guide

Cisco Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

Download
Page of 5
Solution
Based on the symptoms, the first conclusion would be that the client only supports DH group 2 when FIPS is
enabled and none of the others work. This is actually incorrect. If you enable this debug on the ASA, you can
see the proposals sent by the client:
debug crypto ikev2 proto 127
During a connection attempt, the first debug message is:
IKEv2−PROTO−2: Received Packet [From 192.168.30.5:51896/To 192.168.30.2:500/
VRF i0:f0]
Initiator SPI : 74572B8D1BEC5873 − Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2−PROTO−3: Next payload: SA, version:
2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 747
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 316
  last proposal: 0x2, reserved: 0x0, length: 140
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15    last transform: 0x3,
  reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES−GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES−GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES−GCM
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: None
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
  last proposal: 0x0, reserved: 0x0, length: 172
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 19    last transform: 0x3,
  reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES−CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES−CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES−CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8