Disable SSLv3 in AnyConnect on Cisco 2821

We are running anyconnect-win-3.1.06073-k9.pkg on a 2821 IOS router.  Is there a way to disable SSLv3?
The release notes indicate CSCur27617 - AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux was resolved in AnyConnect 3.1.05187.
Thank you

Hi Rob,
According to the bug:
All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06.073 is safe from the POODLE vulnerability.
On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and the profile from the router.
If you're asking to disable SSLv3 on the router, unfortunately there is no code for it yet; the workaround is to disable the webvpn or upgrade the VPN client.
As well, here is the official advisory for the POODLE vulnerability on Cisco products:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Hope it helps
- Randy -

Similar Messages

  • Disabling SSLv3 on Cisco

    I have an ASA 5515X firewall running on software version 9.1(1). Does anyone know how to properly disable SSLv3 on this device? This is in regards to addressing the POODLE vulnerability. Thank you.

    You can try using v9.3(2) and only allowing TLS1.2. Look at this thread:
    https://supportforums.cisco.com/discussion/12393656/asa-ssl-certificate-report-ssllabscom

  • AnyConnect for Cisco VPN Phone demo license

    I want to test VPN Phone on the ASA5520, but "show ver" shows "AnyConnect for Cisco VPN Phone : Disabled". At www.cisco.com/go/license I didn't find where to register an AnyConnect for Cisco VPN Phone demo license. How do I apply for the demo license?
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5520 VPN Plus license.

    Hi there,
    Did you try
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
    Cheers!
    Rob
    "Why not help one another on the way" - Bob Marley

  • I want to upgrade the IOS of my Cisco 2821 from Version 12.4(11) to v 15.1 (XB), but I have CCME v 4.2 (0), is there any problem if I only upgrade the IOS and leave the CCME as it ?

    I want to upgrade the IOS of my Cisco 2821 from  Version 12.4(11) to v 15.1 (XB), but I have CCME v 4.2 (0), is there any problem if I only upgrade the IOS and leave the CCME as it ?
    Thanks

    CME is part of the IOS, so you can't upgrade the IOS separately from CME.
    That said, if this is a production environment you should proceed with caution and be prepared to roll back as you may find bugs, etc.
    You should also look at release notes and make sure your phone firmware will still work or needs to be upgraded too.
    Brandon

  • Need a tool for flash backup on Cisco 2821 series routers

    Hello Folks,
    We have around 1200-1500 Cisco 2821 series routers on which we are performing a hardware upgrade, so we are taking a backup of all the files available in the flash of all the routers. We just want to know if there is any trusted tool available to make this task easy to schedule and to take the backups.
    Please let me know if you know any tool name.
    Thanks,
    Raja.

    Sorry, I don't know any tool that makes a backup of the whole flash...
    You could do it from the IOS CLI and maybe execute it automatically...
    To flash:
    archive tar /create flash:/backup.tar flash:/
    Copying directly to FTP should also work:
    archive tar /create ftp://test:[email protected]/backup.tar flash:/

  • How do I disable SSLv3 in Safari (OSX & iOS)

    Hi All,
    So following this morning's Google announcement on the SSLv3 vulnerability, I tried disabling it on the client side on my various systems and browser. On OSX, I managed to do it for Firefox and Chrome but not for Safari. On iOS I didn't manage at all.
    Any clue on how it can be done?
    FWIW:
    - Disabling SSLv3 in Firefox:
      Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
    - Disabling SSLv3 in Chrome:
      Launch Chrome using an AppleScript that contains the following
      do shell script "open -a /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1"
    - Checking client-side vulnerability:
       https://www.poodletest.com/
    - Checking server-side vulnerability:
       http://www.poodlebleed.com
    Cheers,
    Alex

    Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:
    Yosemite 10.10
    Security Update 2014-005 Mavericks
    Security Update 2014-005 Mountain Lion
    as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)
    All of them contain the following:
    Secure Transport
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There are known attacks on the confidentiality of SSL
    3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
    could force the use of SSL 3.0, even when the server would support a
    better TLS version, by blocking TLS 1.0 and higher connection
    attempts. This issue was addressed by disabling CBC cipher suites
    when TLS connection attempts fail.
    CVE-ID
    CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
    Google Security Team
    It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so. This will protect other apps, such as e-mail clients, that are also normally able to use SSLv3.
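The Apple advisory quoted above describes the POODLE downgrade mechanism: an attacker who can block TLS 1.0 and higher handshakes makes a client fall back to SSL 3.0. On the defender's side that pattern is visible in handshake logs. The following is an added example, not code from the thread or from Apple or Cisco: it runs simple detection logic over a constructed log of handshake attempts (the log format, field names and addresses are assumptions made up for the example) and flags both any successful SSL 3.0 negotiation and a successful lower-version handshake that follows failed higher-version attempts from the same client within a short window.

```python
import re
from datetime import datetime, timedelta

# Ordering of protocol versions as they appear in the (constructed) log lines.
VERSION_RANK = {"SSL3.0": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}

# Constructed sample of handshake-attempt records (not taken from the thread).
# 10.0.0.5 is walked down from TLS 1.2 to SSL 3.0 by three failed attempts in a
# few seconds; 10.0.0.7 negotiates TLS 1.2 normally; 10.0.0.9 retries with a
# lower version ten minutes later, too far apart to count as a forced downgrade.
SAMPLE_LOG = """\
2014-10-15T10:00:01Z client=10.0.0.5 server=203.0.113.10:443 hello_version=TLS1.2 result=reset
2014-10-15T10:00:02Z client=10.0.0.5 server=203.0.113.10:443 hello_version=TLS1.1 result=reset
2014-10-15T10:00:03Z client=10.0.0.5 server=203.0.113.10:443 hello_version=TLS1.0 result=reset
2014-10-15T10:00:04Z client=10.0.0.5 server=203.0.113.10:443 hello_version=SSL3.0 result=ok
2014-10-15T10:05:00Z client=10.0.0.7 server=203.0.113.10:443 hello_version=TLS1.2 result=ok
2014-10-15T10:10:00Z client=10.0.0.9 server=203.0.113.10:443 hello_version=TLS1.2 result=reset
2014-10-15T10:20:00Z client=10.0.0.9 server=203.0.113.10:443 hello_version=TLS1.1 result=ok
"""

LINE_RE = re.compile(
    r"^(\S+) client=(\S+) server=(\S+) hello_version=(\S+) result=(\S+)$"
)


def parse_log(text):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) not in VERSION_RANK:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "client": m.group(2),
            "server": m.group(3),
            "version": m.group(4),
            "result": m.group(5),
        })
    return events


def find_downgrades(events, window=timedelta(seconds=30)):
    """Flag (a) any successful SSL 3.0 handshake and (b) a successful handshake at
    a lower version that follows failed attempts at higher versions from the same
    client to the same server inside `window` (the forced-fallback pattern)."""
    by_pair = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_pair.setdefault((e["client"], e["server"]), []).append(e)

    findings = []
    for (client, server), seq in by_pair.items():
        recent_failures = []
        for e in seq:
            # Keep only failures that are still inside the time window.
            recent_failures = [f for f in recent_failures if e["ts"] - f["ts"] <= window]
            if e["result"] != "ok":
                recent_failures.append(e)
                continue
            if e["version"] == "SSL3.0":
                findings.append(f"{client} -> {server}: SSL 3.0 negotiated")
            higher = [f for f in recent_failures
                      if VERSION_RANK[f["version"]] > VERSION_RANK[e["version"]]]
            if higher:
                findings.append(
                    f"{client} -> {server}: fallback to {e['version']} after "
                    f"{len(higher)} failed higher-version attempt(s)"
                )
            recent_failures = []
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(parse_log(SAMPLE_LOG)):
        print(finding)
```

The 30-second window is a tuning choice: a browser's fallback retries happen within seconds, while a client that reconnects with a different version minutes later is more likely a different session than a forced downgrade. Once SSL 3.0 is disabled on the server, the first kind of finding should disappear entirely, which makes it a useful regression check after the registry or appliance change.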

  • Remove "sslVersion=3L," from Sample R Code Invoking a Web Service, as a Result of Azure Disabling SSLV3 Support

    Hello everyone,
    As part of January security updates, Azure has disabled SSLV3.0 support by default for Azure Cloud Services customers, effective 01/19/2015. For details, please check
    Security Bulletin.
    As a result, the sample code to invoke a web service will not work if SSL version 3.0 is specified. For example, R sample code has
    # Accept SSL certificates issued by public Certificate Authorities
    options(RCurlOptions = list(sslVersion=3L, cainfo = system.file("CurlSSL", "cacert.pem", package = "RCurl")))
    You will hit errors like the ones below:
    * Hostname was NOT found in DNS cache
    *   Trying 191.238.225.148...
    * Connected to ussouthcentral.services.azureml.net (191.238.225.148) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: C:/Program Files/R/R-3.1.2/library/RCurl/CurlSSL/cacert.pem
      CApath: none
    * Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
    * Closing connection 0
    Error in function (type, msg, asError = TRUE)  :
      Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
    The mitigation is:
    Upgrade R client's RCurl package to the latest version (in RStudio, this can be done using Tools -> Check for package updates)
    In the sample code, remove sslVersion=3L.
    AzureML team is aware of this issue and an update to the sample code is scheduled soon.
    Thanks,
    Jing

    Or, if you want to be explicit, setting sslVersion = 1 also works.
    Thanks,
    Jing

  • How to disable SSLv3 and RC4 on Lync Server Access Edge?

    We use Lync Server 2013.
    How to disable SSLv3 and RC4 on Lync Server Access Edge?
    This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work.

    Hi dizen,
    To completely disable RC4, you can create the following registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    For more details, please check out this KB.
    http://support.microsoft.com/kb/2868725
    Best regards,
    Eric

  • How to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)

    how to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)

    Hi,
    Add the following Java option in the StartNodeManager.sh file.
    Steps to disable the SSLv3 protocol on WebLogic:
    1.  The weblogic.security.SSL.protocolVersion command-line argument lets you specify which protocol is used for SSL connections.
    2.  After enabling/configuring SSL for the WebLogic server, append the following option to the JAVA_OPTIONS variable:
            -Dweblogic.security.SSL.protocolVersion=TLS1
         NOTE: If you don't specify the above property, by default it takes SSLv3.
    Check the below Links for more information
    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1046921.aspx
    http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#SECMG494
    CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE
    Additional Info
    Poodle Vulnerability CVE-2014-3566
    CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE
    Hope it helps

  • How many Voice connections can cisco 2821 support?

    Good day.
    I have a Cisco 2821 with an EVM slot, an NME-X slot and two HWIC slots. I have 4-port FXOs in the two HWIC slots. The EM-HDA-8FXS module in the EVM slot can handle 8 FXS connections. Please, I would like to know if there is an EVM module that can do FXO connections and also how many voice connections this router can handle in total. Can the EM-HDA-8FXS module handle both FXS and FXO connections?
    Hope someone can help me out. My deadline has already passed.
    Regards,
    Obinna.

    Hi, already replied to this in the appropriate forum.
    Please do not open duplicate threads.

  • Upgrade Cisco 2821 to IOS 15

    Hi everyone,
    I am currently going to upgrade the Cisco 2821 IOS to version 15. Do I need to apply any licenses for Advanced IP Services after the upgrade? Thanks for the help in advance.
    Kind Regards,
    Lei

    ISR G1 doesn't have any "licenses".  Just make sure you are upgrading to the same Feature Set as your old IOS.  
    Read the Release Notes carefully.  Make sure you have adequate DRAM and Flash.

  • Netflow export on Cisco 2821

    Hello,
    A question, or more a problem, with NetFlow exports on Cisco 2821's.
    I configured NetFlow export on a Cisco 2821 with IOS Version 12.4(24)T:
    ip cef
    interface FastEthernet0/0/0
    description to XXX
    ip address XXX
    ip flow ingress
    ip flow egress
    duplex full
    speed 10
    ip flow-cache timeout active 1
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5
    ip flow-export destination XXX XXX
    The NetFlow collector shows "only ingoing traffic" on interface FastEthernet0/0/0 and
    "only outgoing traffic" on interface GigabitEthernet0/0.
    Same problem with IOS Version 12.4(20)T1 on other Cisco 2821's.
    But the same configuration on other Cisco 2821's with IOS Version 12.4(11)XJ4 works well.
    Any references/suggestions or explanations?

    #It's surprising to me that it's even possible to configure both directions on a single interface.
    #It's generally not a good idea to configure both directions among interfaces on a single router.
    --> It is possible. ;-) I need QoS (DSCP information) for ingoing traffic and
    --> for outgoing traffic of this interface FastEthernet0/0/0.
    #How's g0/0 configured "ip flow" wise?
    --> There's no NetFlow configuration on this interface, only on Fa0/0/0.
    -->#sh ip flow interface
    --> FastEthernet0/0/0
    -->  ip flow ingress
    -->  ip flow egress
    #Maybe you're seeing "only outgoing traffic" on
    #interface GigabitEthernet0/0, because those are incoming traffic through fa0/0/0
    #(where IOS ignores the "ip flow egress" part) and flowing out through g0/0?
    --> You're right. The outgoing traffic at Gi0/0 is the ingoing traffic at Fa0/0/0.
    --> But I don't think that the configuration is wrong, and I think that the
    --> "ip flow egress" command on a single interface is not so special.
    --> It really looks like the command "ip flow egress" on interface Fa0/0/0
    --> is being ignored. But why?
    --> Maybe I should start another discussion with a link to this posting in the
    --> router forum.

  • Disabling SSLV3 and weak ciphers - Server 2008 R2

    Hi,
    I have disabled SSLv3 in the registry settings using the following TechNet article. I rebooted the servers, but when I run a scan through
    https://www.poodlescan.com/ it says "This server supports the SSL v3 protocol."
    I have tested it through other scanners also.
    https://technet.microsoft.com/en-us/library/security/3009008.aspx
    What cipher suites disable SSLv3 completely on Windows Server 2008 R2 and IIS 7.5?
    Is there any patch or script that could help completely secure the server?

    In HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server make a new DWORD value
    "Enabled" and set it to 0 (zero).
    You need a reboot to apply the setting.
    Note that if you are hosting IIS behind a load-balancing solution, the load balancer often does SSL offloading. In that
    case you need to reconfigure the load balancer.
    MCP/MCSA/MCTS/MCITP

  • Disable SSLv3 on Switch 3650

    Hi!
    I need to disable SSLv3 on my 3650 switches so my customer can access the wireless GUI through HTTPS (with Firefox/Chrome).
    Concerning this, my customer really doesn't need to use HTTPS; but since I added the 3650 switches to Prime Infrastructure, it enables HTTPS and disables HTTP on every single switch.
    So my issue can be solved by:
    Disabling SSLv3, or disabling the feature in Prime Infrastructure that enables HTTPS on every switch after syncing.
    For all your attention and future help, thank you so much.
    Best Regards!

  • Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)

    Following the recommendation to mitigate the POODLE vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled in their browsers.
    We used IISCrypto to turn off SSLv3 (v2 was already disabled from before).
    Now, OWA works fine, and users are able to connect via the web.
    Internally, users are also able to connect with Outlook 2010/2013.
    However, users are not able to connect via Outlook from outside (Outlook Anywhere).
    In the event viewer you get an error:
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
    I opened a ticket with Microsoft, but the lady working on the case wanted us to re-enable SSLv2, which is out of the question.
    Has anybody seen this issue as well?

    Hi Max,
    Could you provide the steps to turn off SSLv3? Is it from the registry,
    http://support.microsoft.com/kb/187498 ?
    Mat A
    Yes. Copy and paste this into a text file, save it as a .reg file, then double-click the file to add it to the registry of the server:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000
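Three of the replies above (the RC4 keys for Lync, the SSL 3.0\Server key for Server 2008 R2, and the .reg file for Exchange) all rely on the same SCHANNEL registry layout, and the Server 2008 R2 poster's problem (scanner still reports SSL v3 after "disabling it in the registry") is typically a key placed under the wrong subkey or only the Client side touched. The following is an added example, not code from any of the posts or from Microsoft: it parses .reg text in the format shown above and reports which of the thread's settings are missing. The sample .reg text is constructed for the example and deliberately leaves SSL 3.0\Server and RC4 56/128 untouched; the requirement that SSL 2.0 also be disabled is an assumption beyond the .reg file in the thread (the Exchange poster says v2 was already off).

```python
import re
from typing import Dict, List, Optional

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Constructed sample .reg text modelled on the snippets in the thread. It disables
# SSL 3.0 for the client side by default and turns off two RC4 ciphers, but does
# NOT set Server\Enabled=0 for SSL 3.0, which is the gap the scanner would see.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse REGEDIT5-style .reg text into {key path: {value name: dword}}.
    Only DWORD values matter for SCHANNEL, so other value types are ignored."""
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})  # a bare key line with no values is valid
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def protocol_state(keys: Dict[str, Dict[str, int]], protocol: str, side: str) -> str:
    """'disabled' (Enabled=0), 'disabled-by-default' (DisabledByDefault=1, apps may
    still opt in), or 'enabled' (nothing in the .reg turns it off, so SCHANNEL's
    built-in default applies; for SSL 3.0 on Server 2008 R2 that default is on)."""
    values = keys.get(f"{SCHANNEL}\\Protocols\\{protocol}\\{side}", {})
    if values.get("Enabled") == 0:
        return "disabled"
    if values.get("DisabledByDefault") == 1:
        return "disabled-by-default"
    return "enabled"


def cipher_state(keys: Dict[str, Dict[str, int]], cipher: str) -> str:
    values = keys.get(f"{SCHANNEL}\\Ciphers\\{cipher}", {})
    return "disabled" if values.get("Enabled") == 0 else "enabled"


def poodle_gaps(text: str) -> List[str]:
    """Return the settings a POODLE/RC4 hardening should contain but this .reg lacks.
    Registry state says nothing about an SSL-offloading load balancer in front of
    the server, and the keys take effect only after a reboot."""
    keys = parse_reg(text)
    gaps: List[str] = []
    for proto in ("SSL 2.0", "SSL 3.0"):
        if protocol_state(keys, proto, "Server") != "disabled":
            gaps.append(f"{proto}\\Server Enabled is not 0")
        if protocol_state(keys, proto, "Client") == "enabled":
            gaps.append(f"{proto}\\Client is neither disabled nor disabled-by-default")
    for cipher in ("RC4 128/128", "RC4 56/128", "RC4 40/128"):
        if cipher_state(keys, cipher) != "disabled":
            gaps.append(f"Cipher {cipher} Enabled is not 0")
    return gaps


if __name__ == "__main__":
    for gap in poodle_gaps(SAMPLE_REG):
        print("gap:", gap)
```

Run it against the .reg file you are about to import (or against an export of the SCHANNEL key from a server that still fails the scan) and compare the reported gaps with what the scanner says; if the registry is complete but the scanner still sees SSL v3, the negotiation is happening somewhere else, such as the load balancer mentioned above.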
