
New Member

AnyConnect 3.1 FIPS mode - verify from ASA cmdline

Hi all-

I'm deploying FIPS mode on AnyConnect 3.1 clients

(ASA version 8.3 and 8.2, and AC 3.1, AnyConnect Essentials, and FIPS licenses on the ASAs)

How can I determine from the ASDM or, better yet, the command line whether a client is running in FIPS mode?

I'm getting ready to deploy the AnyConnectLocalPolicy.xml file via KACE, and so far, when my test laptops reboot, the next AnyConnect VPN session is then running with FIPS Mode: Enabled.

I can verify that from the client by looking at the AnyConnect VPN Statistics dialog.

But I can't reach that dialog on laptops in the field, that I know of (short of VNC or something intrusive like that).

So I'd like to have a 'show vpn-sessiondb svc' type command that will show me which clients are successfully in FIPS mode, and which ones are not in FIPS.

Thanks in advance...

2 REPLIES
Hall of Fame Super Silver


I don't know of any ASA show command to check it, but if you have KACE, can that pull the relevant registry key value from the clients?

As described here, a value of 1 would be expected for HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy on Windows Vista or later.
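A check along the lines of the reply above, as an added example that is not from this thread or from Cisco: a PowerShell script an inventory tool such as KACE could run on each Windows client to report the OS FIPS policy value together with whether the deployed AnyConnectLocalPolicy.xml has FIPS mode switched on. It assumes the registry value is the `Enabled` DWORD under the key named above, and that AnyConnect 3.1 keeps its local policy file under ProgramData at the path in the script.

```powershell
# Added example (not from the thread): report both FIPS indicators on a client.
# Assumptions: the OS flag is the "Enabled" DWORD under the key named in the reply,
# and AnyConnect 3.1 stores its local policy at the ProgramData path below.
$regKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
$policyPath = Join-Path $env:ProgramData `
    'Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml'

function Get-WindowsFipsPolicy {
    # $true when the OS-wide FIPS policy value is 1, $false when it is 0 or absent.
    $item = Get-ItemProperty -Path $regKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.Enabled -eq 1)
}

function Get-AnyConnectFipsMode {
    # $true when AnyConnectLocalPolicy.xml contains <FipsMode>true</FipsMode>,
    # $false when it is missing or false, $null when the file is not deployed yet.
    if (-not (Test-Path -Path $policyPath)) { return $null }
    [xml]$policy = Get-Content -Path $policyPath
    $node = $policy.AnyConnectLocalPolicy.FipsMode
    if ($null -eq $node) { return $false }
    return ([string]$node).Trim().ToLower() -eq 'true'
}

$result = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    WindowsFipsPolicy  = Get-WindowsFipsPolicy
    AnyConnectFipsMode = Get-AnyConnectFipsMode
}
$result | Format-List

# Non-zero exit lets the inventory tool flag clients that are not fully in FIPS mode.
if ($result.WindowsFipsPolicy -and ($result.AnyConnectFipsMode -eq $true)) { exit 0 }
exit 1
```

The exit code gives KACE a simple pass/fail per client, while the object output keeps the two indicators separate so a deployed policy file with the OS flag still off (or the reverse) is visible rather than hidden in a single flag.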

New Member


That's one thing I'd thought of, and will do.

I was hoping to find something in the ASA, since that would not only prove that FIPS was enabled, but that it was also working correctly.
