SSL Ciphers

wynneitmgr (Level 3)

Is there any good documentation on changing/configuring the SSL ciphers on an ASA 5508 using ASDM? We are having issues with our Cisco AnyConnect connecting to our VPN on phones and tablets. It works fine on PCs. Cisco TAC recommended changing the SSL ciphers on the ASA.

 

Thank you for any help!!


8 Replies

@balaji.bandi 

 

Thanks for your reply! Here is what Cisco TAC told me I should do, I just don't know how to do it.

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"
ssl dh-group group14
ssl ecdh-group group19

 

Here are my SSL Settings in ASDM:

[Screenshot attachment: sslciphers1.png]
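An added example, not code from the thread, from Cisco, or from TAC: a small Python check that parses the `ssl cipher ... custom "..."` lines TAC supplied, confirms the cipher names are ones the local OpenSSL build recognises (so a typo in the quoted string is caught before it is pasted into the ASA), and computes which suites a given client could still negotiate against the new list. The two client offer lists are constructed for illustration; they are not captures from real AnyConnect clients. It assumes the server picks the first suite in its own configured order that the client also offers.

```python
import re
import ssl

# Constructed sample: the commands quoted in the thread, as one config snippet.
ASA_SSL_CONFIG = """\
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"
ssl dh-group group14
ssl ecdh-group group19
"""

# Hypothetical client offers (constructed, not measured): one modern desktop
# client and one older mobile client that only offers non-PFS CBC suites.
PC_CLIENT_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "AES128-SHA",
]
LEGACY_MOBILE_OFFER = ["AES256-SHA", "AES128-SHA"]

CIPHER_RE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"$')
SCALAR_KEYS = ("server-version", "dh-group", "ecdh-group")


def parse_asa_ssl_config(text):
    """Parse 'ssl ...' lines into {"ciphers": {version: [suites]}, "dh-group": ..., ...}."""
    cfg = {"ciphers": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = CIPHER_RE.match(line)
        if m:
            cfg["ciphers"][m.group(1)] = m.group(2).split()
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ssl" and parts[1] in SCALAR_KEYS:
            cfg[parts[1]] = parts[2]
    return cfg


def validate_cipher_names(names):
    """Return the names the local OpenSSL build does not recognise.

    ssl.SSLContext.set_ciphers() raises SSLError when no suite matches the
    string, which is a cheap way to catch a misspelled suite before pasting
    it into the ASA. (Python's ssl module has no DTLS support, so DTLS suites
    are only checked by name here, not exercised.)"""
    unknown = []
    for name in names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            unknown.append(name)
    return unknown


def negotiable(server_suites, client_offer):
    """Suites both sides support, in server order (first entry is the one chosen)."""
    offered = set(client_offer)
    return [s for s in server_suites if s in offered]


if __name__ == "__main__":
    cfg = parse_asa_ssl_config(ASA_SSL_CONFIG)
    for version, suites in cfg["ciphers"].items():
        bad = validate_cipher_names(suites)
        print(f"{version}: {len(suites)} suites, unknown locally: {bad or 'none'}")
    tls12 = cfg["ciphers"]["tlsv1.2"]
    print("PC client would negotiate:", negotiable(tls12, PC_CLIENT_OFFER) or "NOTHING")
    print("Legacy mobile client would negotiate:", negotiable(tls12, LEGACY_MOBILE_OFFER) or "NOTHING")
```

The point of the overlap check is the one Rob makes below: a restrictive custom list is only safe if every client population still shares at least one suite with it, so run the offer lists you actually see from each device type through `negotiable()` before applying the change.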

 

Hi @wynneitmgr 

Be careful before you make those changes, make sure you take a backup before you do anything.

 

It looks like TAC has provided the exact commands for you to copy and paste via the CLI. If you log in to the ASA using SSH you should just be able to paste the commands. Else if you want to do it via ASDM, just modify TLSv1.2, change to custom and paste the ciphers in quote marks "". From the Diffie-Hellman group drop-down list select group14. Make sure you apply and save afterwards.

@Rob Ingram 

Thanks Rob! Will I need to reboot the firewall after making the changes? Will this affect any connected users? Just trying to think if I should do this after hours or not. Thanks again.

No, you don't need to reboot the firewall after making these changes. I don't believe the changes should affect existing sessions; they will take effect for new sessions once the settings have been applied.

 

If I were you I'd test post-change with all devices just to make sure they still work, as you probably know each type of device does not necessarily behave the same as another.
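As an added example of the post-change test Rob recommends (not from the thread or from Cisco): a Python probe that opens one TLS 1.2 handshake per candidate suite against the VPN endpoint and reports which suites the ASA now accepts and which it refuses. The hostname `vpn.example.com` is a placeholder. The probe disables certificate verification because it measures cipher policy, not trust; it does not exercise DTLS, which Python's ssl module does not speak, so the `ssl cipher dtlsv1` list still has to be checked with a real AnyConnect client.

```python
import socket
import ssl
import sys

# Constructed candidate list: the three TLS 1.2 suites from the recommended
# custom list, plus two legacy CBC suites that the new policy should refuse.
CANDIDATE_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",   # expected to be refused after the change
    "AES256-SHA",   # expected to be refused after the change
]


def probe_cipher(host, port, cipher, timeout=5.0):
    """Attempt one TLS 1.2 handshake offering only `cipher`.

    Returns (accepted, detail). A refusal shows up as a handshake alert from
    the server or a closed connection; a suite the local OpenSSL build cannot
    offer is reported without any network traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites are negotiated separately
    ctx.check_hostname = False  # probing cipher policy only, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher)  # raises SSLError if no local suite matches
    except ssl.SSLError:
        return False, "not available in local OpenSSL build"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return True, f"{proto} {name}"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def probe_all(host, port=443, suites=CANDIDATE_SUITES):
    """Probe every candidate suite; returns {suite: (accepted, detail)}."""
    return {s: probe_cipher(host, port, s) for s in suites}


def summarize(results):
    """Split probe results into the suites the server accepted and those it refused."""
    accepted = sorted(s for s, (ok, _) in results.items() if ok)
    refused = sorted(s for s, (ok, _) in results.items() if not ok)
    return {"accepted": accepted, "refused": refused}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder
    results = probe_all(target)
    for suite, (ok, detail) in results.items():
        print(f"{'OK ' if ok else 'NO '} {suite:32} {detail}")
    print(summarize(results))
```

Run it once before and once after applying the custom list and diff the two summaries: the GCM suites should move to (or stay in) `accepted` and the CBC suites should move to `refused`. If a device type still cannot connect afterwards, its own cipher offer is the next thing to compare against the `accepted` list.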

@Rob Ingram 

How do I backup the ASA in ASDM before I make the changes? Thanks for your help, I appreciate it.

@Rob Ingram 

Thanks! I did figure it out. The Help feature has a lot of information in ASDM.