Are there benchmarks for crypto settings on 5500X series ASAs?

I have a mix of 5516s and 5555s and I'm curious as to whether anyone can point me to benchmarks for device throughput when selecting different crypto options on these ASA models. Specifically, I am interested in whether individual connections or overall device throughput changes as you choose stronger encryption or hashing functions, so that I can make intelligent choices on performance vs. over-the-wire performance. My environment is AnyConnect only, no clientless, no IPsec.

9 Replies

Marvin Rhoads
Hall of Fame

I've never seen such a benchmark per se.

There are numerous VPN performance tweaks you can make, some of which are discussed in this paper:

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579#toc-hId--1930184451

...and this one:

https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html#Cisco_Reference.dita_2ec631a6-e134-4dcc-b034-cf1b197e0068

I've found that DTLS with the TunnelOptimizations setting referenced in the second paper gives the best performance. Using UDP (DTLS 1.2) is much better performing than TCP (TLS 1.2).

I was unaware of the tunnel optimization switches; is there a description anywhere of what this does? Since the 5516 inexplicably does not support DTLS 1.2, it would be interesting to know if the "optimizations" are even relevant on that platform.

As far as I know the tunnel optimization switches haven't been documented beyond the links I provided.

The ASA 5516-X does support DTLS 1.2. You need to be running either ASA 9.10+ or FTD 6.6 along with AnyConnect 4.7+.

I have not been able to get the 5516 to switch to DTLS 1.2 and I thought it was not supported for it.


I am running ASA 9.12(4) and ASDM 7.14(1) with AnyConnect 4.8.03052. If I do "ssl server-version tlsv1.2 dtlsv1.2" I get an error "invalid input detected" with the caret right after "server-version". This is the command that the ASDM attempts if you change the radio button to DTLS 1.2. Since this works on a 5555...

Does your 5516-X have the 3DES-AES license?

Yes, if I look in the licenses section it says "enabled" for Encryption-3DES-AES with a perpetual license. AnyConnect client sessions to this 5516 negotiate AES256. I should note that the 5516 is just using the 4 built-in AnyConnect Premium peer licenses since it never sees more than two connections at once.


On a related note, I did some testing on one of my 5555's with only a single client connected, and what I saw with the Tunnel Optimizations was not so much a change in peak throughput as that it stayed more consistently near the peak throughput, which is nice of course since it means higher effective throughput even if the peaks aren't significantly higher.

Are you able to enter this:

ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"

in configure mode?

It should be supported per the command reference and I don't see any caveats with ASA 5516-X.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562315
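An added example (not from this thread or from Cisco) that parses the custom cipher list quoted above and reports, per suite, the key exchange, authentication, AES key size, AEAD vs. CBC mode and hash, so you can see what a custom list actually commits the ASA to before applying it. It goes a little beyond the quoted list by also recognising static-RSA suites such as AES256-SHA (a constructed example) as lacking forward secrecy.

```python
import re

# Constructed from the "ssl cipher tlsv1.2 custom" string quoted in the thread.
CUSTOM_LIST = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
               "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256")

# OpenSSL-style suite names: optional "<kx>-<auth>-" prefix (absent means
# static RSA key transport), AES key size, optional GCM mode, then the hash.
SUITE_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>ECDSA|RSA)-)?"
    r"AES(?P<bits>128|256)-(?:(?P<mode>GCM)-)?(?P<hash>SHA256|SHA384|SHA)$")


def parse_suite(name):
    """Break one suite name into its components; ValueError if unrecognised."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite: {name}")
    d = m.groupdict()
    ephemeral = d["kx"] is not None          # ECDHE/DHE use per-session keys
    mode = d["mode"] or "CBC"                 # no GCM tag means CBC + HMAC
    return {
        "name": name,
        "kx": d["kx"] or "RSA",
        "auth": d["auth"] or "RSA",
        "key_bits": int(d["bits"]),
        "mode": mode,
        "aead": mode == "GCM",
        "forward_secrecy": ephemeral,
        "hash": d["hash"],                    # PRF hash (GCM) or HMAC (CBC)
    }


def analyse_list(cipher_list):
    """Parse a colon-separated custom list and summarise its properties."""
    suites = [parse_suite(s) for s in cipher_list.split(":") if s]
    return {
        "suites": suites,
        "all_forward_secrecy": all(s["forward_secrecy"] for s in suites),
        "cbc_suites": [s["name"] for s in suites if not s["aead"]],
    }


if __name__ == "__main__":
    report = analyse_list(CUSTOM_LIST)
    for s in report["suites"]:
        print(f'{s["name"]:34} kx={s["kx"]:5} auth={s["auth"]:5} '
              f'AES-{s["key_bits"]}-{s["mode"]} hash={s["hash"]}')
    print("forward secrecy on every suite:", report["all_forward_secrecy"])
    print("non-AEAD (CBC) suites:", report["cbc_suites"])
```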

Yeah that works fine.


I have noticed one difference between trying to enable DTLS 1.2 via ASDM vs. configure terminal. If I use configure terminal and try "ssl server-version tlsv1.2 dtlsv1.2", it inserts the caret marker under the d in dtls. If I execute the command using the radio button in ASDM, the caret is under the n. In both cases it says "invalid input detected".


I have also tried fiddling with settings in the ASDM so that the minimum TLS version allowed is 1.2 for client and server, and I tried setting all of the crypto options to "medium" in Remote Access VPN->Advanced->SSL settings. In the ASDM it shows crypto options for DTLS 1.2 (currently set to "medium").

Odd. I wonder if it's a bug. Perhaps you could open a TAC case.

I don't have an ASA 5516 running ASA code to check.
