12-31-2020 10:24 AM - edited 12-31-2020 10:30 AM
Is AnyConnect 4.9 supported on an ASA 5516-X? According to the release notes it states:
Note: DTLSv1.2 is supported on all ASA models except the 5506-X, 5508-X, and 5516-X and applies when the ASA is acting as a server only, not a client. DTLS 1.2 supports additional ciphers, as well as all current TLS/DTLS ciphers and a larger cookie size.
Does AnyConnect 4.9 require DTLS 1.2? My main concern is CVEs that have been published; if these are not fixed in 4.8, will this require an ASA hardware upgrade?
12-31-2020 10:30 AM - edited 12-31-2020 10:32 AM
No, AnyConnect 4.9 doesn't require DTLS 1.2; you just get the best performance if you use DTLS 1.2 over previous DTLS versions or plain TLS.
12-31-2020 10:32 AM
Hi @Rob Ingram
Ok, thanks. It will not allow me to connect to the ASA with 4.9 but I assume this is due to the proper DF groups not being enabled?
12-31-2020 10:42 AM
Do you mean DH (Diffie-Hellman) groups? Provide your configuration and the output of "show ssl".
12-31-2020 10:53 AM
@Rob Ingram. Sorry, I meant DH groups; typo. That was the issue. Once I enabled the supported DH groups it connected. I was a bit confused by the article above stating that DTLS 1.2 was required. I guess that is for additional features, or, as @balaji.bandi mentioned, this is for business compliance requirements.
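As an added illustration (not the poster's configuration and not from the original thread), this is what enabling the DH and ECDH groups on the ASA and verifying them looks like. ASA 9.x CLI syntax is assumed, and the particular groups and cipher levels are illustrative choices, not the ones the poster enabled.

```text
! Added example, not the poster's running config. ASA 9.x syntax assumed.
! Server-side protocol versions: TLS 1.2 plus DTLS 1.0, since the 5516-X does
! not offer DTLS 1.2 as a server per the release-note excerpt quoted above.
ssl server-version tlsv1.2 dtlsv1
! Offer a 2048-bit finite-field DH group and an ECDH group so a client that
! refuses weaker groups can still complete the key exchange.
ssl dh-group group14
ssl ecdh-group group19
! Use the "high" cipher set for the versions actually offered.
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 high
! Verify the negotiated versions, ciphers and groups the ASA now advertises;
! this is the output that was asked for in the thread.
show ssl
```

If a client still fails after this, compare the groups and ciphers shown by "show ssl" against what the client offers in its ClientHello rather than guessing; a mismatch there is the usual cause of a silent connect failure.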
12-31-2020 10:38 AM - edited 12-31-2020 10:40 AM
It is your business requirement: does the business require DTLS? There is no must with 4.9.