I've not had any issue with the FWM tool's migration accuracy. That said, I've only done about 5-6 migrations using it so I have a limited sample size. I've not done any huge (e.g., 10,000+ line configuration files) with it. My customers tend to have smaller configurations. ... View more

I noticed that. TLS is 1.2, DTLS is not.   I'm wondering if it's FTD vs. ASA thing. I need to upgrade my ASAv to 9.10(1) and compare. ... View more

There is no way within ACS to downgrade / rollback.   If you want to prepare for doing so as a contingency you would have to make and verify a backup of the earlier release(s), then reimage the appliance (if it's hardware) to that earlier version and patch level using the ISO DVD and then finally restore your backup onto it.   If you are upgrading VM-based ACS then you can make a snapshot from ESXi and restore it. A snapshot is best done after stopping the application server. ... View more

I just upgraded my lab - FTD 6.3 (includes LINA / ASA release 9.10(1)3) and pushing AnyConnect 4.7.00136. Note the TLS 1.2 connection:   > show vpn-sessiondb detail anyconnect Session Type: AnyConnect Detailed Username : user1 Index : 5 Assigned IP : 172.31.1.211 Public IP : 192.168.0.107 Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1 Bytes Tx : 32022 Bytes Rx : 34713 Pkts Tx : 129 Pkts Rx : 278 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Group Policy : CCIELab_GP Tunnel Group : CCIELab_VPN Login Time : 03:52:57 UTC Thu Dec 6 2018 Duration : 0h:02m:21s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : ac1f0101000050005c089d19 Security Grp : none Tunnel Zone : 0 AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 5.1 Public IP : 192.168.0.107 Encryption : none Hashing : none TCP Src Port : 23728 TCP Dst Port : 443 Auth Mode : userPassword Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes Client OS : win Client OS Ver: 10.0.17134 Client Type : AnyConnect Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136 Bytes Tx : 8454 Bytes Rx : 0 Pkts Tx : 6 Pkts Rx : 0 Pkts Tx Drop : 0 Pkts Rx Drop : 0 SSL-Tunnel: Tunnel ID : 5.2 Assigned IP : 172.31.1.211 Public IP : 192.168.0.107 Encryption : AES-GCM-256 Hashing : SHA384 Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384 Encapsulation: TLSv1.2 TCP Src Port : 23732 TCP Dst Port : 443 Auth Mode : userPassword Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes Client OS : Windows Client Type : SSL VPN Client Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136 Bytes Tx : 8454 Bytes Rx : 496 Pkts Tx : 6 Pkts Rx : 5 Pkts Tx Drop : 0 Pkts Rx Drop : 0 DTLS-Tunnel: Tunnel ID : 5.3 Assigned IP : 172.31.1.211 Public IP : 192.168.0.107 Encryption : AES256 Hashing : SHA1 Ciphersuite : DHE-RSA-AES256-SHA Encapsulation: DTLSv1.0 UDP Src Port : 51520 UDP Dst Port : 443 Auth Mode : userPassword Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Client OS : Windows Client Type : DTLS VPN Client Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136 Bytes Tx : 15114 Bytes Rx : 34217 Pkts Tx : 117 Pkts Rx : 273 Pkts Tx Drop : 0 Pkts Rx Drop : 0 > show running-config ssl ssl server-version tlsv1.2 ssl cipher tlsv1.2 high ssl dh-group group1 ssl trust-point VPN_Cert_Enrollment ssl trust-point VPN_Cert_Enrollment Outside-Home > > show version ---------[ vftd-new.ccielab.mrneteng.com ]---------- Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.3.0 (Build 83) UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7 Rules update version : 2018-12-03-001-vrt VDB version : 307 ---------------------------------------------------- > system support diagnostic-cli Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. vftd-new> show ver vftd-new> show version ---------[ vftd-new.ccielab.mrneteng.com ]---------- Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.3.0 (Build 83) UUID : 69c94e8a-92d2-11e7-b4ad-db36033706e7 Rules update version : 2018-12-03-001-vrt VDB version : 307 ---------------------------------------------------- Cisco Adaptive Security Appliance Software Version 9.10(1)3 Firepower Extensible Operating System Version 2.4(1.216) Compiled on Tue 27-Nov-18 12:00 PST by builders System image file is "boot:/asa9101-3-smp-k8.bin" Config file at boot was "startup-config" vftd-new up 1 hour 0 mins Hardware: ASAv, 8192 MB RAM, CPU Pentium II 2100 MHz, 1 CPU (4 cores) Model Id: ASAv30 Internal ATA Compact Flash, 50176MB Slot 1: ATA Compact Flash, 50176MB BIOS Flash Firmware Hub @ 0x0, 0KB 0: Int: Internal-Data0/0 : address is 000c.2924.8e3e, irq 10 1: Ext: GigabitEthernet0/0 : address is 000c.2924.8e48, irq 5 2: Ext: GigabitEthernet0/1 : address is 000c.2924.8e52, irq 9 3: Ext: GigabitEthernet0/2 : address is 000c.2924.8e5c, irq 11 4: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0 5: Int: Internal-Data0/0 : address is 0000.0000.0000, irq 0 6: Ext: Management0/0 : address is 000c.2924.8e3e, irq 0 7: Int: Internal-Data0/1 : address is 0000.0000.0000, irq 0 8: Int: Internal-Data0/2 : address is 0000.0000.0000, irq 0 Serial Number: 9ADK32SQAT2 Image type : Release Key version : A Configuration last modified by enable_1 at 03:41:24.871 UTC Thu Dec 6 2018 vftd-new>   ... View more

The original poster was asking about ASA 5510 which uses the older PAK-based licenses and associated activation keys.   From your output it appears you are using Smart Licensing. Are you working with an ASAv? If so then your must have the licenses allocated via your Smart license account and then you can assign them to any eligible Smart-licensed devices such as an ASAv. ... View more