cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2274
Views
6
Helpful
5
Replies

ASA5516-x unable to set TLSv1.2

Alex Ribas
Level 1
Level 1

Hi all

We have an ASA-5516X with the latest recommended version 9.16(2). I get the below error. I should be able to use TLS1.2 along with DTLSv1 no?


ssl server-version tlsv1.2 ?


configure mode commands/options:
<cr>
ssl server-version tlsv1.2 dtlsv1.2
^
ERROR: % Invalid input detected at '^' marker.

xxxxxxxxxx3# sh run boot
boot system disk0:/asa9-16-2-lfbff-k8.SPA
xxxxxxxxxxx# sh ver | i AES
Encryption-3DES-AES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
xxxxxx# sh ver | i server-version
xxxxxxxxx# sh run | i server-ve
ssl server-version tlsv1.2

Any ideas?

Thank you

AlexRibas

1 Accepted Solution

Accepted Solutions

@Alex Ribas but like I said in the initial response, DTLS 1.2 is not supported on the 5516.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html#id_25471

"DTLS 1.2, as defined in RFC- 6347, is now supported for AnyConnect remote access in addition to the currently supported DTLS 1.0 (1.1 version number is not used for DTLS.) This applies to all ASA models except the 5506-X, 5508-X, and 5516-X"

So you can only use TLS 1.2 and DTLS 1.0 on the 5516, you'd have to replace the hardware to be able to use DTLS 1.2.

 

 

 

View solution in original post

5 Replies 5

@Alex Ribas TLS 1.2 is supported on the 5516, but DTLS 1.2 is not. In your output above you've set - "ssl server-version tlsv1.2 dtlsv1.2" < change that to DTLS 1.0.

Hi 

I don't have this option 

ssl server-version ?

configure mode commands/options:
tlsv1 Enter this keyword to accept SSLv2 ClientHellos and negotiate TLSv1
(or greater)
tlsv1.1 Enter this keyword to accept SSLv2 ClientHellos and negotiate
TLSv1.1 (or greater)
tlsv1.2 Enter this keyword to accept SSLv2 ClientHellos and negotiate
TLSv1.2 (or greater)

@Alex Ribas ok, so just set ""ssl server-version tlsv1.2" the default and only version of DTLS 1.0 will be used.

Yes but the point is we need use 1.2

AlexRibas_0-1663863333740.png

 

@Alex Ribas but like I said in the initial response, DTLS 1.2 is not supported on the 5516.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html#id_25471

"DTLS 1.2, as defined in RFC- 6347, is now supported for AnyConnect remote access in addition to the currently supported DTLS 1.0 (1.1 version number is not used for DTLS.) This applies to all ASA models except the 5506-X, 5508-X, and 5516-X"

So you can only use TLS 1.2 and DTLS 1.0 on the 5516, you'd have to replace the hardware to be able to use DTLS 1.2.

 

 

 

Review Cisco Networking for a $25 gift card