The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.

The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239977	CASA-VN-000610	SV-239977r666337_rule		Medium

Description
Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable. Use of a FIPS validated RNG that is not DRGB mitigates to a CAT III.

STIG	Date
Cisco ASA VPN Security Technical Implementation Guide	2021-08-16

Details

Check Text ( C-43210r666335_chk )
Review the ASA configuration to verify that FIPS mode has been enabled as shown in the example below. ASA Version x.x ! hostname ASA1 fips enable If the ASA is not configured to be enabled in FIPS mode, this is a finding.

Fix Text (F-43169r666336_fix)
Configure the ASA to have FIPS-mode enabled as shown in the example below. ASA1(config)# fips enable ASA1(config)# end Note: FIPS mode change will not take effect until the configuration is saved and the device rebooted.