Solved: Re: ASA 9.8

KayaaKashyap · ‎04-17-2026

Hi,

I am looking for official document for ASA 9.8 as I need to check if it supports PFS 24 for S2S VPN.

Please help me

Rob Ingram · ‎04-17-2026

@KayaaKashyap yes, PFS group 24 appears to be supported on ASA 9.8, but with IKEv2 (not IKEv1).

ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

ciscoasa(config)# crypto map CMAP 1 set pfs ?

configure mode commands/options:
group1 D-H Group 1
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
<cr>

View solution in original post

Rob Ingram · ‎04-17-2026

@KayaaKashyap 9.8 is so old not all the guides are on the official cisco website, 9.12 is the oldest version and it does support PFS group 24. I can fire up 9.8 in my lab at somepoint and confirm, if required.

Regardless, 9.8 is EOL and will have multiple vulnerabilities, I would recommend upgrading to a supported version.

KayaaKashyap · ‎04-17-2026

If you can test it in your lab, it will be really helpful. Yes I agree it is EOL, we are planning to upgrade to NGFW FTDs.

Rob Ingram · ‎04-17-2026

@KayaaKashyap yes, PFS group 24 appears to be supported on ASA 9.8, but with IKEv2 (not IKEv1).

ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

ciscoasa(config)# crypto map CMAP 1 set pfs ?

configure mode commands/options:
group1 D-H Group 1
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
<cr>