
The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.


Overview

Finding ID: V-239977
Version: CASA-VN-000610
Rule ID: SV-239977r666337_rule
IA Controls: (none listed)
Severity: Medium
Description
Both IPsec and TLS gateways depend on the RNG for the session identifiers and keying material that protect each connection. A weak or predictable RNG weakens the protocol itself and makes the session more vulnerable to an attacker who can guess those values. Use of a FIPS-validated RNG that is not based on the DRBG algorithm mitigates this finding to a CAT III.
STIG: Cisco ASA VPN Security Technical Implementation Guide
Date: 2023-09-14

Details

Check Text ( C-43210r666335_chk )
Review the ASA configuration to verify that FIPS mode has been enabled as shown in the example below.

ASA Version x.x
!
hostname ASA1
fips enable

If the ASA is not configured with FIPS mode enabled, this is a finding.
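The check above is a single-line inspection of the saved configuration, which makes it easy to automate across many devices. The following is an added example, not part of the STIG and not Cisco tooling: a small Python parser that reads a saved ASA running-config (constructed sample text below, not captured from a real device) and reports the STIG outcome. It ignores ASA comment and separator lines beginning with "!", treats a trailing "no fips enable" as disabling the setting, and returns the outcome rather than printing it so it can be called from an inventory script. The function names and the sample configs are the example's own assumptions.

```python
import re

# Added example (not from the STIG or from Cisco). Decides CASA-VN-000610
# from a saved ASA running-config: the only setting the check text
# examines is a global "fips enable" statement.

# Matches "fips enable" or its negation "no fips enable" as a whole line.
FIPS_LINE = re.compile(r"^(no\s+)?fips\s+enable$", re.IGNORECASE)


def fips_mode_enabled(config_text: str) -> bool:
    """Return True if the last fips statement in the config is affirmative.

    Lines that are empty or begin with "!" are ASA comments/separators and
    are skipped. Later statements override earlier ones, matching how a
    config is replayed line by line.
    """
    state = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        match = FIPS_LINE.match(line)
        if match:
            state = match.group(1) is None  # group(1) is the optional "no "
    return state


def stig_result(config_text: str) -> str:
    """Map a config to the STIG outcome for this rule."""
    return "not a finding" if fips_mode_enabled(config_text) else "finding"


# Constructed sample configs (assumptions for the example, not real captures).
COMPLIANT = """ASA Version x.x
!
hostname ASA1
fips enable
!
"""

NONCOMPLIANT_ABSENT = """ASA Version x.x
!
hostname ASA1
!
"""

NONCOMPLIANT_NEGATED = """ASA Version x.x
!
hostname ASA1
no fips enable
!
"""

if __name__ == "__main__":
    samples = [
        ("compliant", COMPLIANT),
        ("fips absent", NONCOMPLIANT_ABSENT),
        ("fips negated", NONCOMPLIANT_NEGATED),
    ]
    for name, cfg in samples:
        print(f"{name}: {stig_result(cfg)}")
```

A configuration-file check only confirms intent: as the fix text's note says, FIPS mode does not take effect until the configuration is saved and the device reloaded, so a device whose saved config contains "fips enable" but has not been reloaded since is still not operating in FIPS mode. Confirm the running state on the device itself after the reload.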
Fix Text (F-43169r666336_fix)
Configure the ASA to have FIPS-mode enabled as shown in the example below.

ASA1(config)# fips enable
ASA1(config)# end

Note: The FIPS mode change does not take effect until the configuration is saved (write memory) and the device is reloaded.