https://community.cisco.com/t5/network-security/asa-5506-unable-to-set-dh-group-20/m-p/2899372#M161670 <P>Hi. I'm having a really weird issue on an ASA 5506 firewall where i'm trying to use DH Group20 on a VPN tunnel. For some odd reason on my crypto map it only gives me the option to set groups 1,2, or 5. But if I were to change the name of the crypto map, I then have the option to set all the other groups.&nbsp;</P> <P>Any ideas?</P> <P></P> <P></P> <P>ASA-5506(config)# crypto map <STRONG>CRYPTO-MAP1</STRONG> 10 set pfs ?</P> <P>configure mode commands/options:<BR /> group1 D-H Group 1<BR /> group2 D-H Group 2<BR /> group5 D-H Group 5<BR /> &lt;cr&gt;<BR />ASA-5506(config)# crypto map <STRONG>CRYPTO-MAP-2</STRONG> 10 set pfs ?</P> <P>configure mode commands/options:<BR /> group1 D-H Group 1<BR /> group14 D-H Group 14 (Unsupported for IKEv1)<BR /> group19 D-H Group 19 (Unsupported for IKEv1)<BR /> group2 D-H Group 2<BR /> group20 D-H Group 20 (Unsupported for IKEv1)<BR /> group21 D-H Group 21 (Unsupported for IKEv1)<BR /> group24 D-H Group 24 (Unsupported for IKEv1)<BR /> group5 D-H Group 5<BR /> &lt;cr&gt;<BR />ASA-5506(config)#</P> Tue, 12 Mar 2019 07:52:05 GMT Charger1129 2019-03-12T07:52:05Z https://community.cisco.com/t5/network-security/asa-5506-unable-to-set-dh-group-20/m-p/2899372#M161670 <P>Hi. I'm having a really weird issue on an ASA 5506 firewall where i'm trying to use DH Group20 on a VPN tunnel. For some odd reason on my crypto map it only gives me the option to set groups 1,2, or 5. But if I were to change the name of the crypto map, I then have the option to set all the other groups.&nbsp;</P> <P>Any ideas?</P> <P></P> <P></P> <P>ASA-5506(config)# crypto map <STRONG>CRYPTO-MAP1</STRONG> 10 set pfs ?</P> <P>configure mode commands/options:<BR /> group1 D-H Group 1<BR /> group2 D-H Group 2<BR /> group5 D-H Group 5<BR /> &lt;cr&gt;<BR />ASA-5506(config)# crypto map <STRONG>CRYPTO-MAP-2</STRONG> 10 set pfs ?</P> <P>configure mode commands/options:<BR /> group1 D-H Group 1<BR /> group14 D-H Group 14 (Unsupported for IKEv1)<BR /> group19 D-H Group 19 (Unsupported for IKEv1)<BR /> group2 D-H Group 2<BR /> group20 D-H Group 20 (Unsupported for IKEv1)<BR /> group21 D-H Group 21 (Unsupported for IKEv1)<BR /> group24 D-H Group 24 (Unsupported for IKEv1)<BR /> group5 D-H Group 5<BR /> &lt;cr&gt;<BR />ASA-5506(config)#</P> Tue, 12 Mar 2019 07:52:05 GMT https://community.cisco.com/t5/network-security/asa-5506-unable-to-set-dh-group-20/m-p/2899372#M161670 Charger1129 2019-03-12T07:52:05Z https://community.cisco.com/t5/network-security/asa-5506-unable-to-set-dh-group-20/m-p/2899373#M161672 <P>This behavior is shown if the crypto map sequence is already in use with a peer that uses IKEv1. Is that the case for "CRYPTO-MAP1 10"? If you test it with the same crypto map but an unused sequence, then you should also see all DH-groups for PFS.</P> Tue, 14 Jun 2016 09:58:47 GMT https://community.cisco.com/t5/network-security/asa-5506-unable-to-set-dh-group-20/m-p/2899373#M161672 Karsten Iwen 2016-06-14T09:58:47Z https://community.cisco.com/t5/network-security/asa-5506-unable-to-set-dh-group-20/m-p/2899374#M161674 <P>Really appreciate the help! you were exactly right. Once i removed the last line in bold I was good to go. I didn't realize I added that in there. Thanks again!&nbsp;</P> <P></P> <P>crypto map CRYPTO-MAP 10 match address ACL_1_VPN_TUNNEL<BR />crypto map CRYPTO-MAP 10 set pfs group5<BR />crypto map CRYPTO-MAP 10 set peer REMOTE-ASA<BR /><STRONG>crypto map CRYPTO-MAP 10 set ikev1 transform-set ESP-3DES-SHA-TRANS</STRONG></P> Tue, 14 Jun 2016 14:07:56 GMT https://community.cisco.com/t5/network-security/asa-5506-unable-to-set-dh-group-20/m-p/2899374#M161674 Charger1129 2016-06-14T14:07:56Z