02-17-2021 06:12 AM
Hi all,
I want to update my 5506-x ASA to tlsv1.2 dtlsv1.2 like this:
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl ecdh-group group20
ssl dh-group group24
Example from a forum post; I see the same on the Internet.
But in the CLI I get the error:
ciscoasa(config)# ssl server-version tlsv1.2 dtlsv1.2
                                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#
Using help shows that my ASA only supports this:
ciscoasa(config)# ssl server-version tlsv1.2 ?
configure mode commands/options:
<cr>
ciscoasa(config)# ssl server-version tlsv1.2
I'm using, referring to the Cisco release notes:
ASA 9.12(4)
ASDM 7.13(1.101)
AnyConnectClient (4.903049)
and my ASA supports:
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
My current ssl config is:
ciscoasa# sh run ssl
ssl client-version tlsv1.2
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside3
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 backup
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside3 vpnlb-ip
Any ideas why my ASA doesn't support dtlsv1.2?
Many thx
02-17-2021 06:16 AM - edited 02-17-2021 06:18 AM
Hi @1pdemharter
Unfortunately, DTLS 1.2 is not supported on the 5506.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn63389
Your options are to upgrade the hardware; I would suggest the FPR1010, which would support DTLS 1.2 using ASA or FTD software.
HTH
02-18-2021 03:55 AM
Many thx