Cisco Secure Firewall Threat Defense V7

Diallo
Level 1

Hi guys,
I am asking you for help in activating my DH group 5

[screenshot: dhgroup.PNG]

10 Replies

balaji.bandi
Hall of Fame

It's been deprecated from 6.7 onwards:

Table 2. Version 6.7.0 Deprecated Features

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html#id_110361


BB


So there is also no other possibility of using version 1 or 2?

marce1000
VIP


- It's been flagged as deprecated, hence it can no longer be activated.

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

So there is no way to activate it?

@Diallo even on 7.3 you can still select DH group 5 to use in an IKEv2 policy. Although I would strongly recommend not doing so, as it's likely this will shortly be removed from FTD altogether (it has already been removed from ASA). I recommend you reconfigure the peer configuration to use a stronger DH group (19, 20 or 21, etc.).

[screenshot: RobIngram_0-1697201780367.png]


I just have to use it in the creation of a VPN with a partner who uses ASA and tells me that he only uses versions 1, 2 and 5.

With its status there, can it work?

@Diallo yes, but if you use DH group 5 (whilst it's still available to deploy) you will not be able to upgrade your FTD in future; as I already stated, the weaker ciphers (including DH group 5) will be removed in upcoming releases. I would suggest the partner upgrades their software to support stronger crypto; the DH groups their software supports are weak and insecure.

@Rob Ingram thank you very much for your suggestions.
You are absolutely right, I will talk to the partner about updating their ASA if possible.

But in the meantime we are going to use group 5 there with its status like that.

I had another customer's peer claim this as well. Often they are Just Wrong. ASA has supported IKEv2 with DH Group 14 since version 9.0, which is available even on the long-past-end-of-life ASA 5500 series (5505/5510/5520/5540/5550/5585).

https://community.cisco.com/t5/network-security/can-diffie-hellman-group-14-be-configured-on-asa5520-v9-1-6-11/td-p/3010274

@Marvin Rhoads thank you very much for your solution. I see that this is possible with ASA5520 for group 14.
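The replies above recommend moving IKE policies off DH groups 1, 2 and 5 to group 14 or the ECDH groups 19, 20 and 21. The following audit script is an added example, not code from this thread or from Cisco: it parses the `crypto ikev1 policy` / `crypto ikev2 policy` blocks of an ASA-style running-config and lists every policy that still selects one of the weak groups, so an administrator can find the peers that need renegotiating before an upgrade removes those groups. The config text is a constructed sample; the script assumes the usual ASA layout of one-space-indented sub-commands and that an IKEv2 `group` line may list several groups.

```python
"""Audit ASA/FTD-style IKE policy configuration for weak Diffie-Hellman groups.

Added example (not from the thread or from Cisco). Parses 'crypto ikev1 policy'
and 'crypto ikev2 policy' blocks from a running-config and reports the policies
whose 'group' line selects DH group 1, 2 or 5, which the thread describes as
deprecated on FTD 6.7+ and already removed from ASA.
"""
import re
from dataclasses import dataclass, field

# Weak groups named in the thread (1, 2, 5) and the groups the replies recommend.
WEAK_DH_GROUPS = {1, 2, 5}
RECOMMENDED_DH_GROUPS = {14, 19, 20, 21}

# Constructed sample running-config fragment; not taken from any real device.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
"""


@dataclass
class IkePolicy:
    version: str  # "ikev1" or "ikev2"
    number: int
    groups: set = field(default_factory=set)  # DH groups selected in the policy


POLICY_RE = re.compile(r"^crypto (ikev1|ikev2) policy (\d+)\s*$")
# Assumption: an ASA IKEv2 policy may list several groups, e.g. " group 14 19".
GROUP_RE = re.compile(r"^\s+group ((?:\d+\s*)+)$")


def parse_ike_policies(config: str) -> list:
    """Return the IKE policies defined in an ASA-style config text."""
    policies = []
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = IkePolicy(version=m.group(1), number=int(m.group(2)))
            policies.append(current)
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            # Any non-indented command ends the current policy block.
            current = None
            continue
        g = GROUP_RE.match(line)
        if g:
            current.groups.update(int(x) for x in g.group(1).split())
    return policies


def find_weak_policies(config: str) -> list:
    """Return (version, number, weak_groups) for every policy using a weak DH group."""
    findings = []
    for p in parse_ike_policies(config):
        weak = sorted(p.groups & WEAK_DH_GROUPS)
        if weak:
            findings.append((p.version, p.number, weak))
    return findings


if __name__ == "__main__":
    for version, number, weak in find_weak_policies(SAMPLE_CONFIG):
        print(f"crypto {version} policy {number}: weak DH group(s) {weak}; "
              f"move to one of {sorted(RECOMMENDED_DH_GROUPS)}")
```

Run against a saved `show running-config` instead of the sample by reading the file into `find_weak_policies`; each reported policy number identifies the IKE proposal that must be changed on both this device and the peer before the weak group disappears with the next upgrade.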
