ASA5508-x unable to set TLSv1.2

kgula
Level 1

Hi guys, I have an ASA-5508X w/ firepower that I recently upgraded to the latest recommended version 9.16(2)14. We are using AnyConnect and a recent security audit detected that TLS 1 and 1.1 are allowed on the outside IP. Using the latest ASDM 7.16(1)150 I can see that under SSL settings it is set to use TLS v1 as the minimum version as a server and DTLSv1. I'm aware that the 5508 does not support DTLSv1.2, however when I try to change the minimum TLS version to 1.2 I get the below error. Any ideas why? I should be able to use TLS1.2 along with DTLSv1, no?

[ERROR] ssl server-version tlsv1.2 dtlsv1
	
ssl server-version tlsv1.2 dtlsv1
                  ^
ERROR: % Invalid input detected at '^' marker.

 

 

 


Marvin Rhoads
Hall of Fame

Can you confirm that you have the 3DES-AES license installed?

My ASA 5506-x with a slightly older version does support the TLS1.2 setting:

asa5506-lab# sh run boot
boot system disk0:/asa9-15-1-7-lfbff-k8.SPA
asa5506-lab# sho ver | i AES
Encryption-3DES-AES               : Enabled        perpetual
asa5506-lab# sh run | i server-version
ssl server-version tlsv1.2
asa5506-lab#

I updated it since it's just a lab ASA and it still supports 1.2:

asa5506-lab# sh ver | i SPA   
System image file is "disk0:/asa9-16-2-14-lfbff-k8.SPA"
asa5506-lab# sh run | i server-version
ssl server-version tlsv1.2
asa5506-lab#