AnyConnect new feature - DTLSv1.2

With the release of v9.10.1, has anyone been able to get DTLSv1.2 working with AnyConnect sessions? (Our clients are v4.6.02074)


-If I don't specify dtlsv1.2, it will always establish the DTLS tunnel using dtlsv1.0.


-If I do specify dtlsv1.2 with the following config, the DTLS tunnel fails to establish with the message "%ASA-5-722043: Group <groupid> User <userid> IP <ipaddress> DTLS disabled: unable to negotiate cipher".   Removing the "ssl cipher dtlsv1" line makes no difference.


! Minimum protocol versions: TLS 1.2 for the TCP tunnel, DTLS 1.2 for the UDP tunnel
ssl server-version tlsv1.2 dtlsv1.2
! Per-version cipher lists (custom = colon-separated OpenSSL cipher names)
ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
! Key-exchange groups for the ECDHE and DHE suites above
ssl ecdh-group group20
ssl dh-group group24

38 Replies

@Amafsha1 DTLS v1.2 was introduced in ASA v9.10; you will need to upgrade.

Thank you

Is it possible to go from 9.8 directly to 9.12 in 1 upgrade?

Hi,

Yes you can go from ASA 9.8 to 9.12 in one upgrade, reference here.


HTH

Thank you sir, I can't believe I missed that. Does 9.12 support DTLSv1.2?


Yes, DTLS 1.2 is available in 9.12, reference here.

Marvin Rhoads
Hall of Fame

FYI Firepower 6.6 was just released. It now includes TLS 1.2 support for Remote Access VPN.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html#id_111020

DTLS 1.2 in remote access VPN

You can now use Datagram Transport Layer Security (DTLS) 1.2 to encrypt RA VPN connections. Use FTD platform settings to specify the minimum TLS protocol version that the FTD device uses when acting as an RA VPN server. If you want to specify DTLS 1.2, you must also choose TLS 1.2 as the minimum TLS version. New/modified screens: Devices > Platform Settings > add/edit Threat Defense policy > SSL > DTLS Version option

Supported platforms: FTD
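The two things the thread turns on are a configuration prerequisite (DTLS 1.2 only works when TLS 1.2 is the minimum TLS version) and a syslog message (%ASA-5-722043) that tells you the DTLS tunnel fell back or failed. The following Python script is an added example, not code from the thread or from Cisco: it parses the "ssl" block quoted in the original post, flags the documented prerequisite when it is not met, and pulls group, user, IP and reason out of 722043 messages so they can be counted in monitoring. The regexes follow the ASA syntax exactly as it appears in the post; the assumption that a missing per-version "ssl cipher" line is worth reporting is the author's, and the sample syslog lines are constructed (only the message ID and its wording come from the thread).

```python
"""Check ASA 'ssl' settings for the DTLS 1.2 prerequisite and parse
%ASA-5-722043 DTLS negotiation-failure messages for monitoring.

Added example; not Cisco's code and not from the forum thread."""
import re
from collections import Counter

# The 'ssl' block quoted in the original post.
ASA_SSL_CONFIG = """\
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl ecdh-group group20
ssl dh-group group24
"""

# Constructed sample syslog lines. Only the 722043 message ID and its text
# ("DTLS disabled: unable to negotiate cipher") come from the thread.
SAMPLE_SYSLOG = [
    "Jan 10 09:12:01 asa-edge %ASA-5-722043: Group RA-VPN User alice IP 203.0.113.10 "
    "DTLS disabled: unable to negotiate cipher",
    "Jan 10 09:12:05 asa-edge %ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:203.0.113.11/443 (203.0.113.11/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "Jan 10 09:13:40 asa-edge %ASA-5-722043: Group RA-VPN User carol IP 198.51.100.7 "
    "DTLS disabled: unable to negotiate cipher",
]

SERVER_VERSION_RE = re.compile(r"^ssl server-version\s+(.+)$")
# 'ssl cipher <version> custom "<list>"' or 'ssl cipher <version> <level>' (e.g. high)
CIPHER_RE = re.compile(r'^ssl cipher\s+(\S+)\s+(?:custom\s+"([^"]*)"|(\S+))$')
GROUP_RE = re.compile(r"^ssl (ecdh-group|dh-group)\s+(\S+)$")


def parse_ssl_config(text):
    """Return the minimum TLS/DTLS versions, per-version cipher lists and DH groups."""
    cfg = {"tls_min": None, "dtls_min": None, "ciphers": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := SERVER_VERSION_RE.match(line):
            # 'ssl server-version' takes a TLS token and/or a DTLS token in any order.
            for tok in m.group(1).split():
                cfg["dtls_min" if tok.startswith("dtls") else "tls_min"] = tok
        elif m := CIPHER_RE.match(line):
            version, custom, level = m.groups()
            cfg["ciphers"][version] = custom.split(":") if custom is not None else level
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(1)] = m.group(2)
    return cfg


def check_dtls12(cfg):
    """Findings that would stop DTLS 1.2 from being usable, per the release-note rule."""
    findings = []
    dtls = cfg["dtls_min"]
    if dtls == "dtlsv1.2" and cfg["tls_min"] != "tlsv1.2":
        findings.append(
            f"dtlsv1.2 requires 'ssl server-version tlsv1.2' as the TLS minimum; "
            f"found {cfg['tls_min']!r}")
    # Assumption (author's): a DTLS version with no explicit cipher line is worth a
    # look, because the suites the handshake can offer are then not visible in the
    # config.  ASA's default cipher behaviour is not modelled here.
    if dtls and dtls not in cfg["ciphers"]:
        findings.append(f"no explicit 'ssl cipher {dtls}' line configured")
    return findings


# Accepts both the documented placeholder form (Group <groupid> ...) and real values.
DTLS_DISABLED_RE = re.compile(
    r"%ASA-5-722043: Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"IP <?(?P<ip>[^>\s]+)>? DTLS disabled: (?P<reason>.+)$")


def dtls_disabled_events(lines):
    """Extract group/user/ip/reason from every 722043 message in the input."""
    return [m.groupdict() for line in lines if (m := DTLS_DISABLED_RE.search(line))]


def summarize_reasons(events):
    """Count failure reasons; a spike in one reason after a config or software
    change is the signal to look for (the thread's case: a platform that does
    not support DTLS 1.2 at all)."""
    return Counter(e["reason"] for e in events)


if __name__ == "__main__":
    cfg = parse_ssl_config(ASA_SSL_CONFIG)
    print("minimum versions:", cfg["tls_min"], cfg["dtls_min"])
    print("dtlsv1.2 suites:", cfg["ciphers"].get("dtlsv1.2"))
    print("findings:", check_dtls12(cfg) or "none")
    events = dtls_disabled_events(SAMPLE_SYSLOG)
    for e in events:
        print(f"DTLS disabled for {e['user']}@{e['group']} from {e['ip']}: {e['reason']}")
    print("by reason:", dict(summarize_reasons(events)))
```

Note that the quoted configuration passes the prerequisite check, which matches what the later replies establish: the "unable to negotiate cipher" message in the original post was not a configuration error but a platform limitation, and that is exactly the case where counting 722043 events by reason in your SIEM is more useful than re-reading the config.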

Marvin Rhoads
Hall of Fame

s.schuler@sys-tec.info Sorry - my mistake. I was looking at an ASAv earlier.

The ASA5506-X hardware platform DOES NOT support DTLSv1.2. This is true even when running the latest release train (9.15).

Reference: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn63389/?rfs=iqvred

I doubt Cisco will ever fulfill this enhancement request bug since the platform is now end of sales.

You are right. The ASA5512-X, ASA5515-X, ASA5525-X, ASA5535-X and ASA5545-X hardware platforms support DTLSv1.2.