Cannot configure ssl server-version tlsv1.2 dtlsv1.2? (ASA VPN AnyConnect)

1pdemharter
Level 1

Hi all,

 

I want to update my 5506-x ASA to tlsv1.2 dtlsv1.2 like this:

 

ssl server-version tlsv1.2 dtlsv1.2

ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"

ssl cipher dtlsv1 custom "AES256-SHA"

ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"

ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"

ssl ecdh-group group20

ssl dh-group group24

 

Example from a forum post; I see the same elsewhere on the Internet.

 

But in the CLI I get this error:

 

ciscoasa(config)# ssl server-version tlsv1.2 dtlsv1.2
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#

Using help shows that my ASA only supports this:

 

ciscoasa(config)# ssl server-version tlsv1.2 ?

configure mode commands/options:
<cr>
ciscoasa(config)# ssl server-version tlsv1.2

 

I'm using (referring to the Cisco release notes):

 

ASA 9.12(4)

ASDM 7.13(1.101)

AnyConnectClient (4.903049)

 

and my ASA supports:

 

Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual

My current ssl config is:

 

ciscoasa# sh run ssl
ssl client-version tlsv1.2
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside3
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 backup
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside3 vpnlb-ip

Any ideas why my ASA doesn't support dtlsv1.2?

Many thx

 
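As an added example (not part of the original post or of Cisco's tooling), the following offline check audits `ssl` lines from an ASA configuration, either a proposed snippet like the one above or `show run ssl` output, against a simple TLS/DTLS policy before it is pushed to the device. The ASA keywords it recognises (`ssl server-version`, `ssl cipher`, `ssl dh-group`, `ssl ecdh-group`) are the ones used in the thread; the policy thresholds (TLS 1.2 / DTLS 1.2 minimum, forward-secret AEAD suites only, no DH groups below group14) are this example's own assumptions, not Cisco defaults.

```python
"""Offline policy audit for Cisco ASA `ssl` configuration lines (added example)."""
import re

# Version keywords in ascending order, as used by `ssl server-version` (assumption).
TLS_ORDER = ["tlsv1", "tlsv1.1", "tlsv1.2"]
DTLS_ORDER = ["dtlsv1", "dtlsv1.2"]
MIN_TLS, MIN_DTLS = "tlsv1.2", "dtlsv1.2"          # policy, not a device default
WEAK_DH_GROUPS = {"group1", "group2", "group5"}     # 768/1024/1536-bit finite-field DH
WEAK_CIPHER_LEVELS = {"all", "low", "medium"}       # named ASA cipher levels treated as weak

SERVER_RE = re.compile(r"^ssl server-version (\S+)(?: (\S+))?$")
CIPHER_CUSTOM_RE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"$')
CIPHER_LEVEL_RE = re.compile(r"^ssl cipher (\S+) (all|low|medium|high|fips)$")
DH_RE = re.compile(r"^ssl dh-group (\S+)$")


def weak_suites(suite_list):
    """Flag OpenSSL-named suites lacking forward secrecy or AEAD."""
    reasons = []
    for suite in filter(None, suite_list.split(":")):
        if not suite.startswith(("ECDHE-", "DHE-")):
            reasons.append(f"{suite}: no forward secrecy (non-ephemeral key exchange)")
        if "GCM" not in suite:
            reasons.append(f"{suite}: not an AEAD suite (CBC mode with HMAC)")
    return reasons


def check_server_version(versions):
    """Compare each pinned TLS/DTLS version against the policy minimum."""
    findings = []
    tls = [v for v in versions if v in TLS_ORDER]
    dtls = [v for v in versions if v in DTLS_ORDER]
    for v in tls:
        if TLS_ORDER.index(v) < TLS_ORDER.index(MIN_TLS):
            findings.append(f"server-version allows {v}; policy minimum is {MIN_TLS}")
    for v in dtls:
        if DTLS_ORDER.index(v) < DTLS_ORDER.index(MIN_DTLS):
            findings.append(f"server-version allows {v}; policy minimum is {MIN_DTLS}")
    if not dtls:
        findings.append("server-version pins no DTLS version; the device default DTLS version applies")
    return findings


def audit_ssl_config(config_text):
    """Return a list of policy findings for the `ssl ...` lines in config_text."""
    findings = []
    server_version_seen = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("ssl "):
            continue  # prompts, banners and non-ssl lines are ignored
        if m := SERVER_RE.match(line):
            server_version_seen = True
            findings += check_server_version([v for v in m.groups() if v])
        elif m := CIPHER_CUSTOM_RE.match(line):
            findings += [f"ssl cipher {m.group(1)}: {r}" for r in weak_suites(m.group(2))]
        elif m := CIPHER_LEVEL_RE.match(line):
            if m.group(2) in WEAK_CIPHER_LEVELS:
                findings.append(f"ssl cipher {m.group(1)}: level '{m.group(2)}' admits weak suites")
        elif m := DH_RE.match(line):
            if m.group(1) in WEAK_DH_GROUPS:
                findings.append(f"ssl dh-group {m.group(1)} is below the policy minimum (group14)")
    if not server_version_seen:
        findings.append("ssl server-version not set; the device default minimum version applies")
    return findings


# Sample inputs taken from the thread above: the proposed config and the running config.
PROPOSED_CONFIG = """
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl ecdh-group group20
ssl dh-group group24
"""

RUNNING_CONFIG = """
ciscoasa# sh run ssl
ssl client-version tlsv1.2
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
"""

if __name__ == "__main__":
    for name, cfg in (("proposed", PROPOSED_CONFIG), ("running", RUNNING_CONFIG)):
        print(f"== {name} ==")
        for f in audit_ssl_config(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the proposed snippet, the only findings are the two for `ssl cipher dtlsv1 custom "AES256-SHA"` (static RSA key exchange, CBC mode), which is exactly the DTLS 1.0 fallback the OP was trying to leave behind; against the running config the single finding is that no `ssl server-version` is pinned at all.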


Hi @1pdemharter 

Unfortunately, DTLS 1.2 is not supported on the 5506

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn63389

 

Your option is to upgrade the hardware; I would suggest the FPR1010, which would support DTLS 1.2 using ASA or FTD software.

 

HTH

Many thx
