cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2577
Views
10
Helpful
2
Replies

SSL Ciphers different between 5525x and 5555x ?

Tim Glen
Cisco Employee
Cisco Employee

Good Afternoon, 

I have an ASA 5525x and an ASA 5555x.  Both of them run 9.4(2.6).

The 5525x supports all the new ciphers that are discussed in the release notes. 

lab-asa5525x# sh ssl ciphers
Current cipher configuration:
default (fips):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
dtlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
lab-asa5525x#
lab-asa5525x# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point 2016-03.lab-asa Outside
ssl certificate-authentication fca-timeout 2
lab-asa5525x#

The 5555x does not support any of the elliptical curve ciphers that are discussed in the release notes. 

ASA5555x-01# sh ssl ciphers
Current cipher configuration:
default (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.2 (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
ASA5555x-01#
ASA5555x-01# sh runn all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point 2016-03.ssl-vpn Outside_85
ssl certificate-authentication fca-timeout 2
ASA5555x-01#

I opened a TAC case and the TAC engineer's 5585 also running 9.4(2.6) does not support the EC ciphers?  

Can anyone help me figure out what I am missing ?    All -x ASA platforms should support the same features, right? 

Thank you

Tim

1 Accepted Solution

Accepted Solutions