ā09-22-2022 02:05 AM
Hi all
We have an ASA-5516X with the latest recommended version 9.16(2). I get the below error. I should be able to use TLS1.2 along with DTLSv1 no?
ssl server-version tlsv1.2 ?
configure mode commands/options:
<cr>
ssl server-version tlsv1.2 dtlsv1.2
^
ERROR: % Invalid input detected at '^' marker.
xxxxxxxxxx3# sh run boot
boot system disk0:/asa9-16-2-lfbff-k8.SPA
xxxxxxxxxxx# sh ver | i AES
Encryption-3DES-AES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
xxxxxx# sh ver | i server-version
xxxxxxxxx# sh run | i server-ve
ssl server-version tlsv1.2
Any ideas?
Thank you
AlexRibas
Solved! Go to Solution.
ā09-22-2022 09:19 AM - edited ā09-22-2022 09:20 AM
@Alex Ribas but like I said in the initial response, DTLS 1.2 is not supported on the 5516.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html#id_25471
"DTLS 1.2, as defined in RFC- 6347, is now supported for AnyConnect remote access in addition to the currently supported DTLS 1.0 (1.1 version number is not used for DTLS.) This applies to all ASA models except the 5506-X, 5508-X, and 5516-X"
So you can only use TLS 1.2 and DTLS 1.0 on the 5516, you'd have to replace the hardware to be able to use DTLS 1.2.
ā09-22-2022 02:08 AM
@Alex Ribas TLS 1.2 is supported on the 5516, but DTLS 1.2 is not. In your output above you've set - "ssl server-version tlsv1.2 dtlsv1.2" < change that to DTLS 1.0.
ā09-22-2022 09:04 AM
Hi
I don't have this option
ssl server-version ?
configure mode commands/options:
tlsv1 Enter this keyword to accept SSLv2 ClientHellos and negotiate TLSv1
(or greater)
tlsv1.1 Enter this keyword to accept SSLv2 ClientHellos and negotiate
TLSv1.1 (or greater)
tlsv1.2 Enter this keyword to accept SSLv2 ClientHellos and negotiate
TLSv1.2 (or greater)
ā09-22-2022 09:09 AM
@Alex Ribas ok, so just set ""ssl server-version tlsv1.2" the default and only version of DTLS 1.0 will be used.
ā09-22-2022 09:15 AM
Yes but the point is we need use 1.2
ā09-22-2022 09:19 AM - edited ā09-22-2022 09:20 AM
@Alex Ribas but like I said in the initial response, DTLS 1.2 is not supported on the 5516.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html#id_25471
"DTLS 1.2, as defined in RFC- 6347, is now supported for AnyConnect remote access in addition to the currently supported DTLS 1.0 (1.1 version number is not used for DTLS.) This applies to all ASA models except the 5506-X, 5508-X, and 5516-X"
So you can only use TLS 1.2 and DTLS 1.0 on the 5516, you'd have to replace the hardware to be able to use DTLS 1.2.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide