Cisco anyconnect with TLS1.2

All,
In our environment, we have a Cisco 5506 (I know it's old), but we are running AnyConnect and using Cisco DUO for MFA. Starting July 1st, DUO doesn't support the TLS 1.0 & 1.1 protocols. The Cisco ASA platform which we are using doesn't have DTLS 1.2 capabilities; however, TLS 1.2 can be run on it, and even the AnyConnect clients are on version 4.9. So my question is: can we configure AnyConnect to use only TLS 1.2 for a few months (after which we will upgrade the device)? If yes, do I need to change only the below configurations

conf t
SSL version-version tls1.2
SSL cipher TLS1.2 all

or do I need to make more changes (like XML or something)?

Accepted Solutions

@VijayBhargavR8067 yes you can configure TLS 1.2 only, those commands look correct, prefer high rather than all.

ssl server-version tlsv1.2
ssl cipher tlsv1.2 high << prefer high

Here is a guide to configure the TLS ciphers on the ASA https://integratingit.wordpress.com/2021/01/27/securing-asa-tls-ciphers/

 

Should we configure ssl client-version tlsv1.2?

@VijayBhargavR8067 there is no harm in doing it, that's for when the ASA is acting as a client.
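
An offline check of the settings discussed in this thread, added here as an example and not posted by any participant: it reads saved ASA configuration text and reports ssl version or cipher lines that are mistyped, set below tlsv1.2, or using a cipher level weaker than high. The function name, the sample configuration and the keyword sets are assumptions made for the example; extend the sets if your ASA release accepts other keywords.

```python
# Constructed sample: the two lines from the accepted answer plus the follow-up.
SAMPLE_CONFIG = """\
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
"""

TLS_KEYWORDS = {"tlsv1", "tlsv1.1", "tlsv1.2"}  # assumed keyword set
CIPHER_PROTOS = TLS_KEYWORDS | {"default", "dtlsv1"}
WEAK_LEVELS = {"all", "low", "medium"}


def audit_asa_ssl(config_text):
    """Return findings (strings) for the ssl version/cipher lines of a config."""
    findings, seen = [], set()
    for raw in config_text.splitlines():
        tok = raw.strip().lower().split()
        if len(tok) < 2 or tok[0] != "ssl":
            continue  # not an ssl command
        arg = tok[2] if len(tok) > 2 else ""
        if tok[1] in ("server-version", "client-version"):
            if arg not in TLS_KEYWORDS:
                findings.append(f"malformed: {raw.strip()}")
                continue
            seen.add(tok[1])
            if arg != "tlsv1.2":
                findings.append(f"{tok[1]} is {arg}, not tlsv1.2")
        elif tok[1] == "cipher":
            level = tok[3] if len(tok) > 3 else ""
            if arg not in CIPHER_PROTOS or not level:
                findings.append(f"malformed: {raw.strip()}")
            elif arg == "tlsv1.2":
                seen.add("cipher")
                if level in WEAK_LEVELS:
                    findings.append(f"tlsv1.2 cipher level is {level}, prefer high")
        elif "version" in tok[1]:
            # catches mistyped keywords such as "version-version"
            findings.append(f"malformed: {raw.strip()}")
    for key in ("server-version", "cipher"):
        if key not in seen:
            findings.append(f"no valid tlsv1.2 '{key}' line; device default applies")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_ssl(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the ssl lines saved from the running configuration after the change; an empty result means server-version is pinned to tlsv1.2 and the tlsv1.2 cipher level is not all, low or medium.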