Disable SSLv3 in AnyConnect on Cisco 2821
We are running anyconnect-win-3.1.06073-k9.pkg on a 2821 IOS router. Is there a way to disable SSLv3?
The release notes indicate CSCur27617 - AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux was resolved in AnyConnect 3.1.05187.
Thank you
Hi Rob,
According to the bug:
All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06073 is safe from the POODLE vulnerability.
On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and the profile from the router.
If you're asking about disabling SSLv3 on the router, unfortunately there is no code for that yet; the workaround is to disable the WebVPN or upgrade the VPN client.
Also, here is the official advisory for the POODLE vulnerability on Cisco products:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Hope it helps
- Randy -
Similar Messages
-
I have an ASA 5515X firewall running on software version 9.1(1). Does anyone know how to properly disable SSLv3 on this device? This is in regards to addressing the POODLE vulnerability. Thank you.
You can try using v9.3(2) and only allow TLS 1.2. Look at this thread:
https://supportforums.cisco.com/discussion/12393656/asa-ssl-certificate-report-ssllabscom -
AnyConnect for Cisco VPN Phone demo license
I want to test VPN Phone on the ASA5520, but "show ver" shows "AnyConnect for Cisco VPN Phone : Disabled". At www.cisco.com/go/license I didn't find how to register an AnyConnect for Cisco VPN Phone demo license. How do I apply for the demo license?
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Hi there,
Did you try
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
Cheers!
Rob
"Why not help one another on the way" - Bob Marley -
I want to upgrade the IOS of my Cisco 2821 from version 12.4(11) to v15.1(XB), but I have CCME v4.2(0). Is there any problem if I only upgrade the IOS and leave the CCME as it is?
Thanks
CME is part of the IOS, so you can't upgrade the IOS separately from CME.
That said, if this is a production environment you should proceed with caution and be prepared to roll back as you may find bugs, etc.
You should also look at release notes and make sure your phone firmware will still work or needs to be upgraded too.
Brandon -
Need a tool for flash backup on Cisco 2821 series routers
Hello Folks,
We have around 1200-1500 Cisco 2821 series routers on which we are performing a hardware upgrade, so we are taking a backup of all the files available in the flash of all the routers. We just want to know whether there is any trusted tool available to make this task easy to schedule and take the backups.
Please let me know if you know any tool name.
Thanks,
Raja.
Sorry, I don't know any tool that makes a backup of the whole flash...
You could do it from the IOS CLI and maybe execute it automatically...
To flash:
archive tar /create flash:/backup.tar flash:/
copying directly to ftp should also work:
archive tar /create ftp://test:[email protected]/backup.tar flash:/ -
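A small wrapper around the `archive tar /create` command from the answer above, as an added example that is not part of the thread or of any Cisco tool. It pulls each router's flash archive to a backup host over SCP instead of pushing it to an FTP URL with the password embedded (that password ends up in the router's command history and in the FTP server's logs), and compares the copy against the router's own `verify /md5` digest. It assumes things the thread does not state: that the routers have SSH with `ip scp server enable` (which needs `aaa new-model` and a privilege-15 user), that the backup host authenticates non-interactively (key or agent) so `BatchMode=yes` works, that `verify /md5` output ends in `= <32 hex chars>`, and an inventory file with one hostname or IP per line. The script name `ios_flash_backup.py` is hypothetical.

```python
#!/usr/bin/env python3
"""Pull a tar of each router's flash to a backup host over SSH/SCP.

Added example, not code from the thread. Assumptions (not stated there):
  - routers run SSH with `ip scp server enable` (aaa new-model, priv-15 user);
  - the backup host authenticates non-interactively, so BatchMode=yes works;
  - `verify /md5 flash:/<file>` prints a line ending in "= <32 hex chars>".
"""
import hashlib
import re
import subprocess
import sys
from datetime import date
from pathlib import Path

SSH_OPTS = ["-o", "BatchMode=yes", "-o", "ConnectTimeout=10"]
MD5_RE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)


def tar_name(host, stamp=None):
    """Per-router, per-day archive name kept on the router's flash."""
    stamp = stamp or date.today().strftime("%Y%m%d")
    return f"{host}-{stamp}.tar"


def archive_cmd(host, stamp=None):
    """IOS command that packs the whole flash into one tar on flash:."""
    return f"archive tar /create flash:/{tar_name(host, stamp)} flash:/"


def verify_cmd(host, stamp=None):
    """IOS command that prints the router-side MD5 of the archive."""
    return f"verify /md5 flash:/{tar_name(host, stamp)}"


def extract_md5(verify_output):
    """Pull the 32-hex digest out of `verify /md5` output, or None on error."""
    m = MD5_RE.search(verify_output)
    return m.group(1).lower() if m else None


def local_md5(path):
    # MD5 is only a transfer-integrity check here, not a security control.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def run_ssh(host, command):
    """Run one IOS command over ssh; raises on non-zero exit."""
    return subprocess.run(["ssh", *SSH_OPTS, host, command],
                          capture_output=True, text=True, check=True).stdout


def backup_router(host, dest_dir, stamp=None):
    """Archive flash on the router, pull the tar, and compare digests."""
    name = tar_name(host, stamp)
    local = Path(dest_dir) / name
    run_ssh(host, archive_cmd(host, stamp))
    # IOS scp server path form assumed: flash:/<file>
    subprocess.run(["scp", *SSH_OPTS, f"{host}:flash:/{name}", str(local)],
                   check=True)
    remote_digest = extract_md5(run_ssh(host, verify_cmd(host, stamp)))
    if remote_digest is None or remote_digest != local_md5(local):
        raise RuntimeError(f"{host}: MD5 mismatch, backup not trusted")
    return local


def backup_all(inventory_path, dest_dir):
    """Inventory: one hostname/IP per line ('#' comments allowed).
    Returns {host: local path or 'FAILED: ...'}; one bad router does not stop the run."""
    results = {}
    for line in Path(inventory_path).read_text().splitlines():
        host = line.strip()
        if not host or host.startswith("#"):
            continue
        try:
            results[host] = str(backup_router(host, dest_dir))
        except (subprocess.CalledProcessError, RuntimeError, OSError) as exc:
            results[host] = f"FAILED: {exc}"
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: ios_flash_backup.py <inventory> <dest_dir>")
    for h, r in backup_all(sys.argv[1], sys.argv[2]).items():
        print(h, r)
```

Run it from cron on the backup host with the inventory file and a destination directory; the per-router result dictionary tells you which of the 1200-1500 boxes need a second pass. Two caveats: IOS has no SFTP server on these releases, so with OpenSSH 9 or later `scp` needs `-O` to fall back to the legacy protocol; and the tar stays on the router's flash after the pull, so delete it (or reuse the same name) if flash space is tight.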
How do I disable SSLv3 in Safari (OSX & iOS)
Hi All,
So following this morning's Google announcement on the SSLv3 vulnerability, I tried disabling it on the client side on my various systems and browser. On OSX, I managed to do it for Firefox and Chrome but not for Safari. On iOS I didn't manage at all.
Any clue on how it can be done?
FWIW:
- Disabling SSLv3 in Firefox:
Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
- Disabling SSLv3 in Chrome:
Launch Chrome using an AppleScript that contains the following
do shell script "open -a /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1"
- Checking client-side vulnerability:
https://www.poodletest.com/
- Checking server-side vulnerability:
http://www.poodlebleed.com
Cheers,
Alex
Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:
Yosemite 10.10
Security Update 2014-005 Mavericks
Security Update 2014-005 Mountain Lion
as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)
All of them contain the following:
Secure Transport
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so. This will protect other apps, such as e-mail clients that are also normally able to use SSLv3. -
Hello everyone,
As part of January security updates, Azure has disabled SSLV3.0 support by default for Azure Cloud Services customers, effective 01/19/2015. For details, please check
Security Bulletin.
As a result, the sample code to invoke a web service will not work if SSL version 3.0 is specified. For example, R sample code has
# Accept SSL certificates issued by public Certificate Authorities
options(RCurlOptions = list(sslVersion=3L, cainfo = system.file("CurlSSL", "cacert.pem", package = "RCurl")))
You will hit errors as below
* Hostname was NOT found in DNS cache
* Trying 191.238.225.148...
* Connected to ussouthcentral.services.azureml.net (191.238.225.148) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: C:/Program Files/R/R-3.1.2/library/RCurl/CurlSSL/cacert.pem
CApath: none
* Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
* Closing connection 0
Error in function (type, msg, asError = TRUE) :
Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
The mitigation is
Upgrade R client's RCurl package to the latest version (in RStudio, this can be done using Tools -> Check for package updates)
In the sample code, remove sslVersion=3L.
AzureML team is aware of this issue and an update to the sample code is scheduled soon.
Thanks,
Jing
Or, if you want to be explicit, set sslVersion = 1; that also works.
Thanks,
Jing -
How to disable SSLv3 and RC4 on Lync Server Access Edge?
We use Lync Server 2013.
How to disable SSLv3 and RC4 on Lync Server Access Edge?
This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work.
Hi dizen,
To completely disable RC4, you can create the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
For more details, please check out this KB.
http://support.microsoft.com/kb/2868725
Best regards,
Eric -
How to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)
how to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)
Hi,
Add the following Java option in the StartNodemanger.sh file
Steps to disable SSLv3 protocol on Weblogic:
1. The weblogic.security.SSL.protocolVersion command-line argument lets you specify which protocol is used for SSL connections.
2. After enabling/configuring the SSL for weblogic server, append the following option to the JAVA_OPTIONS variable
-Dweblogic.security.SSL.protocolVersion=TLS1
NOTE: If you don’t specify the above property, by default it takes SSLv3.
Check the below Links for more information
http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1046921.aspx
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#SECMG494
CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE
Additional Info
Poodle Vulnerability CVE-2014-3566
Hope it helps -
How many Voice connections can cisco 2821 support?
Good day.
I have a cisco 2821 with EVM slot, NME-X slot and two HWIC slots. I have 4 port FXOs on the two HWIC slots. The EM-HDA-8FXS module on the EVM slot can handle 8 FXS connections. Please i would like to know if there is an EVM module that can do FXO connections and also how many voice connections can this router handle in total. Can the EM-HDA-8FXS module handle both FXS and FXO connections?
Hope someone can help me out. My deadline has already passed.
Regards,
Obinna.
Hi, already replied to this in the appropriate forum.
Please do not open duplicate threads. -
Hi everyone,
I am currently going to upgrade the Cisco 2821 IOS to version 15. Do I need to apply any licences for Advanced IP Services after the upgrade? Thanks for the help in advance.
Kind Regards,
Lei
ISR G1 doesn't have any "licenses". Just make sure you are upgrading to the same Feature Set as your old IOS.
Read the Release Notes carefully. Make sure you have adequate DRAM and Flash. -
Hello,
a question or more a problem with netflow exports on Cisco 2821's.
I configured netflow export on a Cisco 2821 with IOS Version 12.4(24)T
ip cef
interface FastEthernet0/0/0
description to XXX
ip address XXX
ip flow ingress
ip flow egress
duplex full
speed 10
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination XXX XXX
The netflow collector shows "only ingoing traffic" on interface FastEthernet0/0/0 and
"only outgoing traffic" on interface GigabitEthernet0/0.
Same problem with an IOS Version 12.4(20)T1 on other Cisco 2821's.
But same configuration on other Cisco 2821's with IOS Version 12.4(11)XJ4 work well.
Any references/suggestions or explanations?
#It's surprising to me that it's even possible to configure both directions on a single interface.
#It's generally not a good idea to configure both directions among interfaces on a single router.
--> It is possible. ;-) I need QoS (DSCP information) for ingoing traffic and
--> and for outgoing traffic of this interface FastEthernet0/0/0.
#How's g0/0 configured "ip flow" wise?
--> There's no netfow configuration on this interface, only on Fa0/0/0.
-->#sh ip flow interface
--> FastEthernet0/0/0
--> ip flow ingress
--> ip flow egress
#Maybe you're seeing "only outgoing traffic" on
#interface GigabitEthernet0/0, because those are incoming traffic through fa0/0/0
#(where IOS ignores the "ip flow egress" part) and flowing out through g0/0?
--> You're right. The outgoing traffic at Gi0/0 is the ingoing traffic at Fa0/0/0.
--> But I don't think that the configuration is wrong and I think that the
--> "ip flow egress" command on a single interface is not so special.
--> It really looks like the command "ip flow egress" on interface Fa0/0/0
--> is being ignored. But why?
--> May be I should start an other discussion with a link to this posting in the
--> router forum. -
Disabling SSLV3 and weak ciphers - Server 2008 R2
Hi,
I have disabled SSLv3 in the registry using the following TechNet article. I rebooted the servers, but when I run a scan through
https://www.poodlescan.com/ it says "This server supports the SSL v3 protocol."
I have tested it through other scanners also.
https://technet.microsoft.com/en-us/library/security/3009008.aspx
What cipher suites disable SSLv3 completely on Windows Server 2008 R2 and IIS 7.5?
Is there any patch or script that could help completely secure the server?
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server make a new DWORD value
"Enabled" and set it to 0 (zero).
You need a reboot to apply the setting.
Note that if you are hosting IIS behind a load-balancing solution, the load balancer often does SSL offloading. In that
case you need to reconfigure the load balancer.
MCP/MCSA/MCTS/MCITP -
Hi!
I need to disable SSLv3 on my switches 3650 so my customer can access the wireless gui through https (with firefox/chrome).
Concern this, my customer really doesn't need to use https; but since I added the 3650 switches to Prime Infrastructure, it enables HTTPS and disable HTTP on every single switch.
So my issue can be solved by:
Disabling SSLv3 or Disabling the feature in Prime Inf. that enables https on every switch after syncing.
For all your attention and future help, thank you so much.
Best Regards! -
Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)
Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
We used IIS Crypto to turn off SSLv3 (v2 was already disabled from before).
Now, OWA works fine, and users are able to connect via the Web.
Internally, users are also able to connect with Outlook 2010/2013.
However, users are not able to connect via Outlook from outside (Outlook Anywhere).
In the event viewer you get an error:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2, which is out of the question.
Has anybody seen this issue as well?
Hi Max
could you provide the steps to turn off SSLv3 . Is it from the registry
http://support.microsoft.com/kb/187498 ?
Mat A
Yes. Copy and paste this into a text file and save as a .reg file, then double click on the file to add to the registry of the server
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
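Several of the threads above (the 2008 R2 / IIS 7.5 one where a scanner still reports SSLv3 after the registry change, the ASA and router WebVPN questions, the Lync RC4 question, and this Exchange thread with its "fatal error code 70") end up needing the same check: does the listener you actually reach on the wire still negotiate SSL 3.0? The following is an added example, not code from any of the posts or from the scanners they mention. It builds a minimal ClientHello with client_version 3.0 and a handful of CBC and RC4 suites, sends it, and classifies the first record that comes back: a ServerHello with version 3.0 means SSLv3 is accepted; an alert (70 protocol_version, 40 handshake_failure) or a closed connection means it is refused. Because it talks to whatever answers on the port, it sees the load balancer or SSL offloader rather than the IIS box behind it. The suite list, the probe name and the record layout are the example's own assumptions; the alert and handshake type numbers are from the SSL 3.0 / TLS specifications. Only the standard library is used.

```python
#!/usr/bin/env python3
"""Ask a TLS endpoint whether it still negotiates SSL 3.0.

Added example, not code from the thread. It sends a bare ClientHello
(no extensions; SSLv3 has none) at a chosen protocol version and looks
at the first record the server sends back.
"""
import os
import socket
import struct

SSL3 = (3, 0)
TLS10 = (3, 1)

# Constructed suite list: CBC suites (the POODLE issue) plus RC4 (the
# Lync thread). A server picking any of them under 3.0 is reportable.
PROBE_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}


def build_client_hello(version=SSL3, suites=tuple(PROBE_SUITES), client_random=None):
    """Record type 22 wrapping a Handshake type 1 (ClientHello)."""
    rnd = client_random if client_random is not None else os.urandom(32)
    if len(rnd) != 32:
        raise ValueError("client_random must be 32 bytes")
    ver = bytes(version)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (ver + rnd
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                              # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + ver + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record of the reply.

    Returns {"version": (maj, min) or None, "cipher_suite": int or None,
             "sslv3_accepted": bool, "reason": str}.
    """
    result = {"version": None, "cipher_suite": None, "sslv3_accepted": False, "reason": ""}
    if len(data) < 5:
        result["reason"] = "no record received (connection closed or timed out)"
        return result
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rlen]
    if ctype == 21 and len(body) >= 2:                  # Alert record
        level, desc = body[0], body[1]                  # 70 = protocol_version, 40 = handshake_failure
        result["reason"] = f"alert level={level} description={desc}"
        return result
    if ctype == 22 and len(body) >= 4 and body[0] == 2:  # Handshake: ServerHello
        hlen = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hlen]
        if len(hs) < 35:                                # version(2) + random(32) + sid_len(1)
            result["reason"] = "truncated ServerHello"
            return result
        version = (hs[0], hs[1])
        off = 35 + hs[34]                               # skip session_id
        if len(hs) < off + 2:
            result["reason"] = "truncated ServerHello"
            return result
        suite = struct.unpack("!H", hs[off:off + 2])[0]
        result.update(version=version, cipher_suite=suite,
                      sslv3_accepted=(version == SSL3))
        name = PROBE_SUITES.get(suite, "suite not in probe list")
        result["reason"] = (f"ServerHello version {version[0]}.{version[1]}, "
                            f"cipher 0x{suite:04x} ({name})")
        return result
    result["reason"] = f"unexpected record type {ctype} (version {vmaj}.{vmin})"
    return result


def probe(host, port=443, version=SSL3, timeout=5.0):
    """Send one ClientHello at `version` and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""                                  # treated as refused
    return parse_server_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    # Probe TLS 1.0 as well so "refused" can be told apart from "host not answering".
    for label, ver in (("SSLv3", SSL3), ("TLS1.0", TLS10)):
        r = probe(target, port, ver)
        state = "ACCEPTED" if r["version"] == ver else "refused"
        print(f"{label:7s} {state}: {r['reason']}")
```

Run it against the public name (what the scanners hit) and against the server's own address: if the first says ACCEPTED and the second says refused, the registry change took and it is the load balancer or offloader that still speaks SSLv3. The same reply shape explains the Exchange symptom above: once the server refuses 3.0, a client that only offers SSLv3 gets exactly the alert 70 (protocol_version) that SChannel logs, so the fix belongs on that client, not in re-enabling SSLv2 or SSLv3.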