Beginner

Cisco ASA TLS update to 1.2

Hello everyone, I was planning on migrating my ASA 9.8 to TLS 1.2. The process itself seems pretty simple, but I was wondering if anyone had any experience with this. I understand AnyConnect and ASDM services will be affected by this; any recommendations are welcome.

VIP Advisor

Re: Cisco ASA TLS update to 1.2

Hi,

Do you mean DTLS 1.2? ASA AnyConnect SSLVPNs primarily use DTLS, as you get better performance with DTLS; TLS would usually only be used as a fallback if DTLS (UDP/443) was blocked. DTLS 1.2 was first introduced with ASA 9.10; 9.12.3 is the current recommended version. You will also need to use at least AnyConnect 4.7 to use DTLS 1.2.

 

Client computers should not have an issue running TLS 1.2. When using ASDM with TLS 1.2, you may need to upgrade the Java version to ensure support.

 

Refer to this page for best practice and performance for ASA.

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579#toc-hId-2147167307

 

HTH

Beginner

Re: Cisco ASA TLS update to 1.2

Thanks! I meant TLS 1.2 on the ASA, not DTLS at the moment:

 

#ssl server-version tlsv1.2

#ssl client-version tlsv1.2

VIP Advisor

Re: Cisco ASA TLS update to 1.2

OK, if you are using up-to-date operating systems such as Windows 10, they will natively support TLS 1.2, so no issues there.
As mentioned, if using ASDM you might need to upgrade Java.