diff --git a/NEWS b/NEWS
index b8c7b3a0..14acb460 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ multiple concurrent connections (#310)
 - Added namespace support for listen address by introducing the listen-netns option (#189)
+- Disable TLS1.3 when cisco client compatibility is enabled. New
+ anyconnect clients seem to supporting TLS1.3 but unable to handle
+ a client with an RSA key (#318)
 * Version 1.1.0 (released 2020-06-16)
diff --git a/src/config.c b/src/config.c
index 5f5c2b0f..abe6e879 100644
--- a/src/config.c
+++ b/src/config.c
@@ -1414,11 +1414,18 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 #endif
 if (config->priorities == NULL) {
- /* on vhosts assign the main host priorities */
+ char *tmp = "";
+ /* on vhosts assign the main host priorities. We furthermore disable TLS1.3 on Cisco clients
+ * due to issue #318. */
+
+ if (config->cisco_client_compat) {
+ tmp = ":-VERS-TLS1.3";
+ }
+
 if (defvhost) {
- config->priorities = talloc_strdup(config, defvhost->perm_config.config->priorities);
+ config->priorities = talloc_asprintf(config, "%s%s", defvhost->perm_config.config->priorities, tmp);
 } else {
- config->priorities = talloc_strdup(config, "NORMAL:%SERVER_PRECEDENCE:%COMPAT");
+ config->priorities = talloc_asprintf(config, "%s%s", "NORMAL:%SERVER_PRECEDENCE:%COMPAT", tmp);
 }
 }
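Review bot: The `:-VERS-TLS1.3` suffix is only appended inside the `if (config->priorities == NULL)` branch, so a host that sets an explicit priority string together with `cisco_client_compat` keeps TLS1.3 enabled and still hits the #318 incompatibility, while the NEWS entry announces the downgrade as unconditional. Either extend the comment to state the limit, e.g. `/* ... TLS1.3 is only removed when no explicit priority string was configured; an administrator-set string is used as is. */`, or emit a warning in check_cfg when both are set (the logging helper is outside the hunk, so I have not quoted a call). Since `tmp` only ever points at string literals it should be declared `const char *tmp = "";`. Note also that when the main host itself has `cisco_client_compat`, the inherited `defvhost->perm_config.config->priorities` already carries the suffix and a vhost with the flag appends it a second time; GnuTLS appears to tolerate the duplicate, but a one-line comment saying so would save the next reader a check. check_cfg starts and ends outside the hunk.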