Cisco anyconnect browser ERR_SSL_Protocol_ERROR

kirillsanin48
Level 1

Good day to everyone.
I have two Cisco ASAs running on FPR2130 assembled into a balancing group, for example:
vpn-gw1.example.com
vpn-gw2.example.com
and a general address vpn.example.com.
Firmware version 9.18.3.56
AnyConnect 4.10.07062

At the moment, all our employees work through profiles with two-factor authentication using SAML. With two-factor authentication, after entering the code from the TOTP generator, some users get the error ERR_SSL_PROTOCOL_ERROR.
The error is not permanent: it may appear for a user a couple of times a week and then not appear. Some users get the error consistently between 8 a.m. and 10 a.m., after which they connect normally; the error may appear on one gateway and not appear when trying to connect to the second gateway.

The problem is of a floating nature. One of the most popular solutions is clearing cookies and cache in the default browser; sometimes deleting the Cisco AnyConnect profile helps, and sometimes clearing the SSL cache in the browser properties in the Control Panel.

The number of active users in the middle of the day is approximately 1,500 people per device. Most of them do not face the problem, but it is frightening that the problem can manifest itself for anyone at any moment.

There is an understanding that the problem is still on the workstations, but maybe someone has encountered it and has a universal solution.

I will be glad of any help.

16 Replies

netadminquid
Level 1

Hello,

We have the same behavior with a different hardware and software version.

Our environment consists of:
3 independent ASA 5508-X
Firmware version 9.14.4.23
AnyConnect 4.10.07073

The error appeared suddenly on a few users, without our making any change on the appliances.

Even after updating AnyConnect to version 4.10.08029 on the affected clients, the problem remains.

In our case the working solution is deleting the Cisco AnyConnect profile.

Regards

agionetworks
Level 1

Looks like we are facing the same issues randomly; do we have any fix for this?

We have this problem too.

The only solution for now is the one you suggested:

deleting the Cisco AnyConnect profile and clearing the SSL cache.

Anyone with a fix for this?

ElevateLSE
Level 1

Having the same issue, really annoying. The problem seems to come back for some users who had their profile deleted last week.

mv4820
Level 1

We had the same issue and could narrow it down: it's because of a new Chromium feature, TLS 1.3 hybridized Kyber support, starting from version 124, which breaks the TLSv1.2 handshake. In our case we also had the problem that we could not connect with a browser to our Cisco ASA outside address, getting the error ERR_SSL_PROTOCOL_ERROR with Chrome and Edge (nevertheless it works with Firefox, Safari, etc., which do not use Chromium).

You can change back this behavior with the Chrome / Edge flag

chrome://flags/#enable-tls13-kyber
respectively
edge://flags/#enable-tls13-kyber

Set this to Disabled. After this the connection with the browser works again.

However, this doesn't solve the problem with the AnyConnect connection, because AnyConnect uses the WebView2 Runtime, which doesn't use the flag set above. To work around this problem you have to create the following DWORD registry value: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client\UseLegacyEmbeddedBrowser with value 1. This tells AnyConnect to use the legacy browser (IE) instead of Edge, and the connection works again.

Hope this solves your problems too.

I will file a Cisco ticket concerning this problem.

Thank you so much, it would be very helpful if you could share the reply to the Cisco ticket when possible. In the meantime we'll try the workaround. Thanks again.

This worked for me, thanks.

However, not everyone in my company is technical or has the admin rights to change this.

Worked for me: ASA 9.14, Cisco AnyConnect 4.8.

Thank you!

frojas68
Level 1

Any update on this issue? My administrator blocks IE so the registry change will not work.

I'm running Cisco Secure Client with AnyConnect VPN 5.1.1.42, so the location of the folder in the registry on Windows 11 is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client. It is working now. Ref: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/release/notes/release-notes-cisco-secure-client-5-1.html

muhammad-izzat
Level 1

Works for me on 9.8.4(20).

What I did was create a script to set the registry value mentioned above, so everyone can just click the script to create it.

Hello Muhammad,

Could you share the MS script to set the registry value? Thank you in advance.

Hi Daniel,

See if this works for you.

Launch PowerShell as Administrator

AnyConnect with VPN 4.x
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client" /v UseLegacyEmbeddedBrowser /t REG_DWORD /d 1 /f

Cisco Secure Client with VPN 5.x
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client" /v UseLegacyEmbeddedBrowser /t REG_DWORD /d 1 /f
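A deployment-ready version of the same workaround, added here as an example and not posted by anyone in the thread: it applies (or, with -Remove, reverts) the UseLegacyEmbeddedBrowser value under whichever of the two product keys named above exists on the machine, and reads the value back to confirm the write. It assumes it runs elevated or is pushed by GPO/Intune as SYSTEM, since users without admin rights cannot write to HKLM.

```powershell
# Added example: apply or revert the UseLegacyEmbeddedBrowser workaround from this thread.
# Requires an elevated shell (HKLM write) or deployment via GPO/Intune for non-admin users.
[CmdletBinding()]
param(
    [switch]$Remove   # clear the value again once the gateway-side issue is resolved
)

# Key paths for the two client generations named in the thread.
$candidates = @(
    'HKLM:\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client',  # AnyConnect 4.x
    'HKLM:\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client'                       # Secure Client 5.x
)
$valueName = 'UseLegacyEmbeddedBrowser'

# Only touch keys that exist, so the script is safe to push to every workstation.
$present = @($candidates | Where-Object { Test-Path -LiteralPath $_ })
if ($present.Count -eq 0) {
    Write-Warning 'No Cisco AnyConnect / Secure Client registry key found; nothing changed.'
    exit 1
}

foreach ($key in $present) {
    $current = (Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue).$valueName

    if ($Remove) {
        if ($null -ne $current) {
            Remove-ItemProperty -LiteralPath $key -Name $valueName
            Write-Output "Removed $valueName from $key (was $current)"
        } else {
            Write-Output "$valueName not set under $key; nothing to remove"
        }
        continue
    }

    if ($current -eq 1) {
        Write-Output "$key already has $valueName=1; skipping"
        continue
    }

    # REG_DWORD 1 = use the legacy embedded browser for the SAML login window
    New-ItemProperty -LiteralPath $key -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Read back and fail loudly if the write did not take effect.
    $verify = (Get-ItemProperty -LiteralPath $key -Name $valueName).$valueName
    if ($verify -ne 1) { throw "Failed to set $valueName under $key" }
    Write-Output "Set $valueName=1 under $key"
}
```

As one reply above notes, on clients where the legacy (IE-based) embedded browser is blocked this value does not help; run the script with -Remove once the gateway side is fixed so clients return to the WebView2 browser.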

Hi Daniel,

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client]
"UseLegacyEmbeddedBrowser"=dword:00000001

Blast an email to all departments and it works like magic.