At my work, we use Cisco ASA hardware with Cisco AnyConnect version 4.10 and SAML MS Azure MFA authentication. Yesterday (Monday) the majority of remote users with Cisco AnyConnect authenticated normally (username and password) and then completed MS Azure MFA successfully, but then got the window screen "The connection for this site is not secure. vpn.company.com (fake company name for security purposes) sent an invalid response. ERR_SSL_PROTOCOL_ERROR."
See below:
We contacted Cisco TAC and they are aware of the issue, as it has been happening since last week. The workaround Cisco suggested was upgrading our Cisco AnyConnect to version 5 (5.1.3.62). So we did, and a few users were able to connect successfully, but the majority are still having the same issue. Does anyone experience the same issue as I am at work? If so, what was your workaround and/or permanent solution to the issue? Does anyone actually know what the root cause of this is? Thanks everyone.
*Edit*
Saw this fix for the issue, give it a try. However, the "fix" is client-side, which means having to touch each device with the issue until Cisco changes something on the AnyConnect side:
We had the same issue and could narrow it down: it's because of a new Chromium feature, TLS 1.3 hybridized Kyber support, starting from version 124, which breaks the TLSv1.2 handshake. In our case we also had the problem that we could not connect with a browser to our Cisco ASA outside address, getting the ERR_SSL_PROTOCOL_ERROR with Chrome and Edge (nevertheless it works with Firefox, Safari, etc., which are not using Chromium).
You can change this behavior back with the Chrome / Edge flag
chrome://flags/#enable-tls13-kyber
respectively
edge://flags/#enable-tls13-kyber
Set this to Disabled. After this the connection with the browser works again.
However, this doesn't solve the problem with the AnyConnect connection, because AnyConnect uses the WebView2 Runtime, which doesn't use the flag set above. To work around this problem you have to create the following DWORD registry value: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client\UseLegacyEmbeddedBrowser with value 1. This tells AnyConnect to use the legacy browser (IE) instead of Edge, and the connection works again.
I upgraded my ASAs to 9.16 and it seems to have fixed the issue. My ASA on 9.8.4 was exhibiting this issue, and it grew to the point where pretty much no users could connect.
Since you upgraded to version 5:
"I'm running Cisco Secure Client with AnyConnect VPN 5.1.1.42, so the location of the folder in the registry on Windows 11 is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client."
Your suggested fix definitely works! We tried it on several user laptops with major success. Big thank you for this. Putting my techie hat on, I am very curious as to how you found the issue and figured out this workaround? Always wanting to learn.
While this is great, we have about a hundred computers. I wonder if Cisco will come up with an update soon. Thank you so much for the fix for now.
I found it through googling, but the error plus where it occurs helped narrow it down. It happens with Chrome and Edge, both Chromium-based, but not Firefox. And with AnyConnect SAML using the Edge browser (though from 4.10.03104 and up you can set an external browser, but it's not the default).
In the end I think it was just a community effort in finding the cause; unless you work with AnyConnect and the TLS side of the browser daily, it can be a head-scratcher for sure.
We are running AnyConnect 4.10.08029 but still have TLS 1.2 checked in our Internet Options, so we have not encountered the issue.
Yeah, hopefully they push a fix soon, but if you use Intune or SCCM you can push the registry change out to a large number of devices via remediations. You can even use a PowerShell script.
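As an added example that is not from the thread, here is a PowerShell detection/remediation script of the kind the comment above refers to, for pushing the registry workaround through Intune or SCCM remediations. The two key paths and the value name are the ones quoted earlier in the thread; running under 64-bit PowerShell (so the WOW6432Node path is not redirected) is an assumption.

```powershell
# Added example: detection/remediation for the UseLegacyEmbeddedBrowser workaround.
# Default run = detection (exit 0 compliant, exit 1 not compliant); -Remediate applies it.
param([switch]$Remediate)

$ValueName = 'UseLegacyEmbeddedBrowser'
# Both client generations named in the thread; the installed one is used.
$KeyPaths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client',  # AnyConnect 4.x
    'HKLM:\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client'                        # Secure Client 5.x
)

# Returns the first existing client key, or $null if the client is not installed.
function Get-CiscoClientKey {
    foreach ($Path in $KeyPaths) {
        if (Test-Path -LiteralPath $Path) { return $Path }
    }
    return $null
}

# Detection: compliant only when the DWORD exists and equals 1.
function Test-LegacyBrowserWorkaround {
    $Key = Get-CiscoClientKey
    if (-not $Key) { Write-Output 'Cisco client key not found'; return $false }
    $Current = (Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($Current -eq 1)
}

# Remediation: create or overwrite the value as REG_DWORD = 1 (-Force replaces a
# stray REG_SZ of the same name instead of leaving it in place).
function Set-LegacyBrowserWorkaround {
    $Key = Get-CiscoClientKey
    if (-not $Key) { throw 'Cisco client key not found; is the client installed?' }
    New-ItemProperty -LiteralPath $Key -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "Set $Key\$ValueName = 1"
}

if ($Remediate) {
    Set-LegacyBrowserWorkaround
    exit 0
}
if (Test-LegacyBrowserWorkaround) { Write-Output 'Compliant'; exit 0 }
Write-Output 'Not compliant'
exit 1
```

The value moves the SAML login window to the legacy (IE-based) embedded browser, so keep a matching removal script ready (Remove-ItemProperty on the same key) for when the ASA or client fix ships.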
Cisco just reached out and said that this is a known issue and they are working on a fix. They provided a command to add ciphers, but that did not do much for us.