Troubleshooting SSL Negotiations

If you have a user who is unable to connect to the Cisco ASA using SSL, follow these steps to isolate the SSL negotiation issues:

Step 1. Verify that the user’s computer can ping the Cisco ASA’s outside IP address.

Step 2. If the user’s workstation can ping the address, issue the show running all | include ssl command on the Cisco ASA and verify that SSL encryption is configured.

Step 3. If SSL encryption is properly configured, use an external sniffer to verify whether the TCP three-way handshake is successful.


Note

AnyConnect clients will fail to establish a connection if the Cisco ASAs are configured to accept connections with SSL Server Version 3. You must use TLSv1 for AnyConnect clients. Navigate to Configuration > Remote Access VPN > Advanced > SSL Settings to specify the SSL encryption type and version that you want to use.
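The split that Step 3 and the Note draw between a failed TCP handshake and a failed SSL negotiation can also be checked from the user's workstation. The following is an added example, not part of the original text; the function name check_ssl_path and its result labels are assumptions made for illustration.

```python
import socket
import ssl
import sys


def check_ssl_path(host, port=443, timeout=5.0):
    """Return (stage, detail); stage is 'tcp_failed', 'tls_failed' or 'ok'."""
    # Stage 1: TCP three-way handshake (what Step 3 verifies with a sniffer).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))

    # Stage 2: SSL/TLS negotiation. Certificate validation is turned off
    # on purpose: only the handshake is being diagnosed, not trust.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock) as tls:
            # Report the negotiated protocol version and cipher so they can
            # be compared with the SSL settings configured on the ASA.
            return ("ok", f"{tls.version()} {tls.cipher()[0]}")
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return ("tls_failed", str(exc))


if __name__ == "__main__":
    # Usage: python check_ssl_path.py <ASA outside address> [port]
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(check_ssl_path(sys.argv[1], port))
```

A tcp_failed result points back to reachability or filtering, while tls_failed with a completed TCP connection points to the SSL version or encryption settings. Recent Python and OpenSSL builds refuse SSLv3 and may refuse TLSv1 by default, so tls_failed can also reflect the client's own policy.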

