Cisco Clientless SSL (WebVPN) broken after Chrome/ edge 124 update

TrietNguyen
Level 1

Hey guys - does anyone else have the issue in the title with an ASA using WebVPN? TLS handshakes are failing after the Chrome 124 update. After doing research, it's due to hybridized Kyber support. The current workaround for Chrome/Edge is below for anyone else that has this issue, but I've seen 0 posts on this regarding Cisco. Plenty of other vendors have this issue as well.

chrome://flags/#enable-tls13-kyber set to disabled

Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Enable post-quantum key agreement for TLS > Disabled

Computer Configuration > Policies > Administrative Templates > Microsoft Edge> Enable post-quantum key agreement for TLS > Disabled
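Added example, not code from the thread or from Cisco: a small probe that shows what the browser-side workaround above is really avoiding. The thread does not spell out the mechanism, so this is my own statement of the known cause: the hybrid X25519Kyber768 key share that Chrome/Edge 124 began sending makes the ClientHello larger than one TCP segment, and a TLS stack that only reads the first segment fails the handshake. The script builds a plain TLS 1.3 ClientHello and, optionally, inflates it with an RFC 7685 padding extension to the size you choose (a stand-in for a real Kyber key share, which the script does not implement), sends it, and classifies the first thing the server returns. The host name vpn.example.com is a placeholder; point it at a test VPN endpoint you own. A server that answers the small hello with ServerHello but gives "no response" or an alert for the 1800-byte one is the failure mode discussed here; the fix on the ASA side is still the software upgrade the later replies describe, this only confirms which box is at fault.

```python
"""Probe whether a TLS server tolerates a ClientHello that spans more than one
TCP segment. Added example, not Cisco's or the thread author's code.
Assumption (not stated in the thread): the Kyber hybrid key share pushes the
ClientHello past ~1.5 KB; a padding extension is used here to mimic that size."""
import os
import socket
import struct

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15
EXT_SNI, EXT_SUPPORTED_GROUPS, EXT_SIG_ALGS = 0, 10, 13
EXT_PADDING, EXT_SUPPORTED_VERSIONS, EXT_PSK_MODES, EXT_KEY_SHARE = 21, 43, 45, 51


def _ext(ext_type, body):
    """Encode one extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, pad_to=0):
    """Return one TLS record holding a TLS 1.3 ClientHello for server_name.
    pad_to > 0 appends a padding extension so the record is exactly pad_to
    bytes; use a value above 1500 to force a second TCP segment on a 1500 MTU."""
    sni = server_name.encode()
    sni_list = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    key_share = struct.pack("!HH", 0x001D, 32) + os.urandom(32)  # x25519; random bytes are a valid public key for a probe
    exts = (
        _ext(EXT_SNI, sni_list)
        + _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")              # TLS 1.3 only
        + _ext(EXT_SUPPORTED_GROUPS, b"\x00\x02\x00\x1d")            # x25519
        + _ext(EXT_SIG_ALGS, b"\x00\x06\x08\x04\x04\x03\x04\x01")    # rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256
        + _ext(EXT_PSK_MODES, b"\x01\x01")                          # psk_dhe_ke
        + _ext(EXT_KEY_SHARE, struct.pack("!H", len(key_share)) + key_share)
    )
    # 88 = record hdr 5 + handshake hdr 4 + version 2 + random 32 + sid len 1
    #      + sid 32 + suites len 2 + suites 6 + compression 2 + ext len 2
    if pad_to:
        pad_len = pad_to - (88 + len(exts) + 4)
        if pad_len < 0:
            raise ValueError("pad_to is smaller than the unpadded ClientHello")
        exts += _ext(EXT_PADDING, b"\x00" * pad_len)
    body = (
        b"\x03\x03" + os.urandom(32)                 # legacy_version + random
        + b"\x20" + os.urandom(32)                   # legacy_session_id (32 bytes)
        + b"\x00\x06\x13\x01\x13\x02\x13\x03"        # AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record):
    """Walk a ClientHello record built above and return {extension_type: body}."""
    body = record[9:]                                        # skip record + handshake headers
    pos = 2 + 32                                             # version + random
    pos += 1 + body[pos]                                     # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher suites
    pos += 1 + body[pos]                                     # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    exts = {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def classify_response(data):
    """Map the first bytes the server sent back to a short verdict."""
    if not data:
        return "no response"
    if len(data) < 6:
        return "truncated"
    if data[0] == TLS_HANDSHAKE and data[5] == 0x02:
        return "ServerHello"
    if data[0] == TLS_ALERT and len(data) >= 7:
        return f"alert level={data[5]} description={data[6]}"
    return f"unexpected record type 0x{data[0]:02x}"


def probe(host, port=443, pad_to=0, timeout=5.0):
    """Send one ClientHello and classify the first thing the server answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(host, pad_to))
            data = s.recv(4096)
    except (socket.timeout, ConnectionError):
        data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder host
    print("small ClientHello    :", probe(host))
    print("1800-byte ClientHello:", probe(host, pad_to=1800))
```

The padded hello is still a legal TLS 1.3 ClientHello (padding is a standard extension), so a server that handles it correctly answers with a normal ServerHello; a reset, timeout or alert only on the padded run points at the server or a middlebox in front of it, not at the browser. A real Kyber hybrid ClientHello from Chrome is about 1.7 KB, which is why 1800 is used as the second size.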

6 Replies

jason-gauruder
Level 1

Similar here. Chrome 124 with that hybridized Kyber support enabled is affecting any AnyConnect connection with SAML, but only on our 5516 and not the 5545 (same ASA code version 9.12(4)62). The web browser gives an ERR_SSL_PROTOCOL_ERROR.


Marvin Rhoads
Hall of Fame

Another thread was discussing this issue and a fix was shared there. Reference: https://community.cisco.com/t5/vpn/cisco-anyconnect-browser-err-ssl-protocol-error/td-p/5035809

Appreciate that thread link, Marvin. We are using the reg key workaround mentioned in that thread for now. The ASA version the author of the other thread mentioned working for their ASA running on an FPR2130 (9.19.1.24 and 9.19.1.28) is not available for the ASA model 5516 (up to version 9.14.4 available). So we have implemented the reg key workaround for the time being.

Hey Jason,

I read through that issue as well and it looks similar but not the exact issue. I was running the latest 9.15 interim release too, and I see you're on 9.14. I believe the codebase is too old and isn't supported; during a maintenance window I updated to the latest 9.16 interim and it resolved the issue without requiring a client-side fix.

Interesting... was that with a 5516 or similar, like my situation? I think we may have a spare 5508 lying around, maybe I can test the 9.16 interim. I see the latest release for the 5516 is from April 1st 2024: asa9-16-4-57-lfbff-k8.SPA. I read the interim release notes ( https://www.cisco.com/web/software/280775065/163160/ASA-9164-Interim-Release-Notes.html ) and don't see mention of the Chrome 124 or Kyber issue, but maybe it's just not mentioned specifically like that.

We're on a 5516-X as well. The interim release was specifically for 2 zero-day exploits that got patched, but yup, same experience as you where I dug for notes and anything related to post-quantum encryption / Kyber and found no results. I actually moved branches since 9.15.1.21 hasn't been updated since 2022, so I moved to 9.16.4-57. I see 9.14.4-24 came out April 25, so you at least have some updates there if you haven't tried it, but it's worth a shot trying 9.16. Should be a pretty straightforward update. Curious how you make out.