https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4691844#M1093568 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/89946">@Alex Ribas</a> TLS 1.2 is supported on the 5516, but DTLS 1.2 is not. In your output above you've set - "ssl server-version tlsv1.2 dtlsv<STRONG>1.2" </STRONG>&lt; change that to DTLS 1.0.</P> Thu, 22 Sep 2022 09:08:58 GMT Rob Ingram 2022-09-22T09:08:58Z https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4691842#M1093567 <P>Hi all</P> <P>We have an ASA-5516X with the latest recommended version 9.16(2). I get the below error. I should be able to use TLS1.2 along with DTLSv1 no?</P> <P><BR />ssl server-version tlsv1.2 ?</P> <P><BR />configure mode commands/options:<BR />&lt;cr&gt;<BR />ssl server-version tlsv1.2 dtlsv1.2<BR />^<BR />ERROR: % Invalid input detected at '^' marker.</P> <P>xxxxxxxxxx3# sh run boot<BR />boot system disk0:/asa9-16-2-lfbff-k8.SPA<BR />xxxxxxxxxxx# sh ver | i AES<BR />Encryption-3DES-AES : Enabled perpetual<BR />Encryption-3DES-AES : Enabled perpetual<BR />xxxxxx# sh ver | i server-version<BR />xxxxxxxxx# sh run | i server-ve<BR />ssl server-version tlsv1.2</P> <P>Any ideas?</P> <P>Thank you</P> <P>AlexRibas</P> Thu, 22 Sep 2022 09:05:37 GMT https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4691842#M1093567 Alex Ribas 2022-09-22T09:05:37Z https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4691844#M1093568 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/89946">@Alex Ribas</a> TLS 1.2 is supported on the 5516, but DTLS 1.2 is not. In your output above you've set - "ssl server-version tlsv1.2 dtlsv<STRONG>1.2" </STRONG>&lt; change that to DTLS 1.0.</P> Thu, 22 Sep 2022 09:08:58 GMT https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4691844#M1093568 Rob Ingram 2022-09-22T09:08:58Z https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692206#M1093596 <P>Hi&nbsp;</P> <P>I don't have this option&nbsp;</P> <P>ssl server-version ?</P> <P>configure mode commands/options:<BR />tlsv1 Enter this keyword to accept SSLv2 ClientHellos and negotiate TLSv1<BR />(or greater)<BR />tlsv1.1 Enter this keyword to accept SSLv2 ClientHellos and negotiate<BR />TLSv1.1 (or greater)<BR />tlsv1.2 Enter this keyword to accept SSLv2 ClientHellos and negotiate<BR />TLSv1.2 (or greater)<BR /><BR /></P> Thu, 22 Sep 2022 16:04:36 GMT https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692206#M1093596 Alex Ribas 2022-09-22T16:04:36Z https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692209#M1093597 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/89946">@Alex Ribas</a> ok, so just set ""ssl server-version tlsv1.2" the default and only version of DTLS 1.0 will be used.</P> Thu, 22 Sep 2022 16:09:58 GMT https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692209#M1093597 Rob Ingram 2022-09-22T16:09:58Z https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692220#M1093598 <P>Yes but the point is we need use 1.2</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlexRibas_0-1663863333740.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/163148i79E0FE2646C88B79/image-size/medium?v=v2&amp;px=400" role="button" title="AlexRibas_0-1663863333740.png" alt="AlexRibas_0-1663863333740.png" /></span></P> <P>&nbsp;</P> Thu, 22 Sep 2022 16:15:50 GMT https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692220#M1093598 Alex Ribas 2022-09-22T16:15:50Z https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692223#M1093599 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/89946">@Alex Ribas</a> but like I said in the initial response, DTLS 1.2 is not supported on the 5516.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html#id_25471" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html#id_25471</A></P> <P>"DTLS 1.2, as defined in RFC- 6347, is now supported for AnyConnect remote access in addition to the currently supported DTLS 1.0 (1.1 version number is not used for DTLS.) This applies to all ASA models <STRONG>except</STRONG> the 5506-X, 5508-X, and <STRONG>5516-X"</STRONG></P> <P>So you can only use TLS 1.2 and DTLS 1.0 on the 5516, you'd have to replace the hardware to be able to use DTLS 1.2.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Sep 2022 16:20:53 GMT https://community.cisco.com/t5/network-security/asa5516-x-unable-to-set-tlsv1-2/m-p/4692223#M1093599 Rob Ingram 2022-09-22T16:20:53Z