Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

The connection fails because of a combination of factors:

1. With FIPS enabled, the client only sends specific policies and those must match. Among those policies, it only proposes Advanced Encryption Standard (AES) encryption with a key size greater than or equal to 256.

2. The ASA is configured with multiple IKEv2 policies, two of which have group 2 enabled. As described earlier, in this scenario the policy which has group 2 enabled is used for the connection. However, the encryption algorithm on both of those policies uses a key size of 192, which is too low for a FIPS-enabled client.
Therefore, in this case, the ASA and the client behave as per the configuration. There are three ways to work around this problem for FIPS-enabled clients:

1. Configure only one policy with the exact proposals desired.

2. If multiple proposals are required, do not configure one with group 2; otherwise that one will always be selected.

3. If group 2 must be enabled, then ensure that it has the right encryption algorithm configured (aes-256 or aes-gcm-256).
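The following ASA CLI fragment is an added example, not configuration taken from the Cisco document. It shows the failing policy set described above (a group-2 policy with aes-192 that always wins the selection) next to the three workarounds. The policy numbers, the sha integrity/PRF values, the lifetime, and the choice of group 5 as the "not group 2" alternative are assumptions made for illustration; use whatever values your deployment requires.

```cisco
! --- Problem configuration (constructed for this example) ---
! Two IKEv2 policies; the one with group 2 is always selected, but its
! aes-192 key size is below the 256-bit minimum a FIPS-enabled client proposes.
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

! --- Workaround 1: a single policy carrying exactly the proposals desired ---
no crypto ikev2 policy 20
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

! --- Workaround 2: several policies, none of them with group 2 ---
! (group 5 here is an assumed alternative DH group; pick one your ASA supports)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-gcm-256
 group 5
 prf sha
 lifetime seconds 86400

! --- Workaround 3: keep group 2, but give that policy a 256-bit cipher ---
! Because the group-2 policy is the one that will be used, its encryption
! must satisfy the FIPS client on its own.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
```

After applying one of the variants, `show crypto ikev2 sa` on the ASA and a fresh AnyConnect connection attempt confirm whether the FIPS client's proposal now matches; the point to check is that whichever policy carries group 2 (if any) advertises a 256-bit AES cipher.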
Updated: Nov 07, 2014
Document ID: 118427