Cisco AnyConnect VPN client v4.9 will not connect
Cisco (AnyConnect) Tuesday, 06 April 2021 by paul

After upgrading the AnyConnect client to v4.9, it will not connect to the VPN server. The error displayed is “The cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect. Please contact your network administrator”.

The release notes for v4.9 (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html) show that support for specific cipher suites has been deprecated:

For SSL VPN, AnyConnect no longer supports the following cipher suites from both TLS and DTLS: DHE-RSA-AES256-SHA and DES-CBC3-SHA

For IKEv2/IPsec, AnyConnect no longer supports the following algorithms:

  • Encryption algorithms: DES and 3DES
  • Pseudo Random Function (PRF) algorithm: MD5
  • Integrity algorithm: MD5
  • Diffie-Hellman (DH) groups: 2, 5, 14, 24
  • For a list of supported cryptographic algorithms and cipher suites, refer to the AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.9 feature guide.

Modifying the VPN config to remove the deprecated cipher suites does not resolve the issue.

Running the commands below allows you to debug the connection:

debug crypto ikev2 platform 255

debug crypto ikev2 protocol 255

The debug output produced when testing the connection includes the errors below:

IKEv2-PLAT-2: Failed to create an IKEv2 Proposal because an AnyConnect Premium license is required to support an IKEv2 remote access connection using NSA Suite B algorithms
IKEv2-PLAT-2: unable to build ikev2 policy

Searching for the reason for this error returns the Cisco Bug: https://quickview.cloudapps.cisco.com/quickview/bug/CSCur95551

The v4.9 client now only supports Suite B algorithms, which require an AnyConnect Premium license (replaced by Plus or Apex licenses), and the ASA was configured to use an AnyConnect Essentials license.

Disabling the AnyConnect Essentials license fixed the issue.
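
An added example, not from the original post or from Cisco: a Python check that scans an ASA running-config for the algorithms listed in the release notes above and for the AnyConnect Essentials setting that turned out to be the cause. The sample config is constructed, and the ASA command forms it matches (`crypto ikev2 policy`, `crypto ipsec ikev2 ipsec-proposal`, `ssl cipher`, `anyconnect-essentials` under `webvpn`) are assumptions about the config layout, not taken from the post.

```python
import re

# IKEv2/IPsec algorithms AnyConnect 4.9 no longer supports (release notes quoted above).
DROPPED = {"encryption": {"des", "3des"}, "prf": {"md5"},
           "integrity": {"md5"}, "group": {"2", "5", "14", "24"}}
# SSL VPN cipher suites dropped for both TLS and DTLS.
DROPPED_SSL = {"DHE-RSA-AES256-SHA", "DES-CBC3-SHA"}

# Constructed sample running-config fragment (not from the post).
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha256 md5
 group 19 14 5
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA"
webvpn
 anyconnect-essentials
"""

def audit(config):
    """Return one finding per config line that a 4.9 client upgrade can trip over."""
    findings, section = [], ""
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():
            section = raw.strip()  # an unindented line opens a new config section
        in_crypto = section.startswith(("crypto ikev2 policy", "crypto ipsec ikev2 ipsec-proposal"))
        if in_crypto and words[:2] == ["protocol", "esp"]:
            words = words[2:]  # leaves e.g. ["integrity", "sha-1", "md5"]
        if in_crypto and words and words[0] in DROPPED:
            bad = sorted(DROPPED[words[0]] & set(words[1:]))
            if bad:
                findings.append(f"{section}: {words[0]} {' '.join(bad)}")
        elif words[:2] == ["ssl", "cipher"]:
            bad = sorted(DROPPED_SSL & set(re.split(r'[\s":]+', raw)))
            if bad:
                findings.append("ssl cipher: " + " ".join(bad))
        elif section == "webvpn" and words == ["anyconnect-essentials"]:
            findings.append("webvpn: anyconnect-essentials")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A policy that lists a dropped algorithm alongside a supported one is still flagged, so the findings are a review list and not a prediction that negotiation will fail.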

