cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1054
Views
0
Helpful
2
Replies
1pdemharter
Beginner

Cannot configure ssl server-version tlsv1.2 dtlsv1.2? (ASA VPN AnyConnect)

Hi all,

 

I want to update my 5506-x ASA to tlsv1.2 dtlsv1.2 like this:

 

ssl server-version tlsv1.2 dtlsv1.2

ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"

ssl cipher dtlsv1 custom "AES256-SHA"

ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"

ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"

ssl ecdh-group group20

ssl dh-group group24

 

Example from a forums post, see the same in the Internet.

 

But in CLI I've got the error:

 

ciscoasa(config)# ssl server-version tlsv1.2 dtlsv1.2
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#

Using help show that my ASA only support this:

 

ciscoasa(config)# ssl server-version tlsv1.2 ?

configure mode commands/options:
<cr>
ciscoasa(config)# ssl server-version tlsv1.2

 

I'm using referring Cisco release notes:

 

ASA 9.12(4)

ASDM 7.13(1.101)

AnyConnectClient (4.903049)

 

and my ASA supports:

 

Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual

My current ssl config is:

 

ciscoasa# sh run ssl
ssl client-version tlsv1.2
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside3
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 backup
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside3 vpnlb-ip

Any ideas, why my ASA doesn't support dtlsv1.2? 

Many thx

 

1 ACCEPTED SOLUTION

Accepted Solutions

2 REPLIES 2
Rob Ingram
VIP Mentor

Hi @1pdemharter 

Unfortunately, DTLS 1.2 is not supported on the 5506

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn63389

 

Your options are to upgrade the hardware, I would suggest the FPR1010 which would support DTLS 1.2 using ASA or FTD software.

 

HTH