To see if your SSL version for AnyConnect is at a safe level, check it first via the following website: https://www.ssllabs.com/ssltest/analyze.html
Enter the domain name that your clients use to connect and log on.
For this you need at least ASA software version 9.3(2) or later; earlier versions do not support TLS 1.2.
To configure TLS 1.2 you have two options: via the command line or via the ASDM.
First, via the command line, enter the following commands:
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24
After you have changed this, you can do a recheck via the website given earlier.
If you want to set these settings via the ASDM, go to
Remote Access VPN > Advanced > SSL Settings
Set the version for both server and client to TLS V1.2 and set the Diffie-Hellman Group to 24, the most secure option available. Under Encryption, set TLS V1.2 to High.
When you do the recheck you will see the following output:
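As an added example (not part of the original post), a small Python check that parses the ssl lines of an ASA running-config and reports which ones still differ from the four CLI settings above; the config excerpt is constructed, not taken from a real device.

```python
import re

# Constructed ASA running-config excerpt (not from a real device); it still
# carries pre-TLS-1.2 settings so the audit has something to report.
SAMPLE_CONFIG = """\
hostname asa-vpn
ssl server-version tlsv1
ssl client-version tlsv1.2
ssl cipher tlsv1.2 medium
ssl dh-group group2
"""

# The four settings the post applies via the CLI.
HARDENED_CONFIG = """\
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24
"""

EXPECTED = {
    "server-version": "tlsv1.2",
    "client-version": "tlsv1.2",
    "cipher tlsv1.2": "high",  # 'high' may break ASDM without the JCE policy (see comments)
    "dh-group": "group24",
}


def parse_ssl_settings(config: str) -> dict:
    """Map each 'ssl <keyword> <value>' line to {keyword: value}; the cipher line
    is keyed 'cipher <version>' so per-version levels do not overwrite each other."""
    settings = {}
    for line in config.splitlines():
        m = re.match(r"^ssl\s+(\S+)\s+(.+?)\s*$", line.strip())
        if not m:
            continue
        keyword, value = m.groups()
        if keyword == "cipher":
            version, level = value.split(None, 1)
            settings[f"cipher {version}"] = level
        else:
            settings[keyword] = value
    return settings


def audit(config: str) -> list:
    """One finding per ssl setting that differs from EXPECTED; empty list means compliant."""
    found = parse_ssl_settings(config)
    return [f"ssl {key}: found '{found.get(key, '<not set>')}', expected '{want}'"
            for key, want in EXPECTED.items() if found.get(key) != want]
```

Run audit() over the output of "show running-config ssl" copied from the device; an empty result means the config already matches the settings above.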
Thanks for this. After doing these changes the ASDM stopped working. Any clue how to fix that?
This is an issue of the ASA software version. I think you have some outdated version or a Cisco 5510 which is not able to have these versions.
I don’t have a fix for it.
Dear Capricorn!
Change ssl cipher from "ssl cipher tlsv1.2 high" to "ssl cipher tlsv1.2 medium" and the magic will begin. Your ASDM will start working again.
Good luck!
Thanks for your reply. I have ASDM 7.6(1) and ASA 9.5(2)2.
Capricorn – you need to download strong encryption from Oracle for Java and ASDM http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Does the “Diffie-Hellman Group 24” option require the new Apex licensing with AnyConnect 4.x? I am trying to determine if I can get away with Plus licensing or not to pass the Qualys SSL labs test. Thanks.
I have no idea. If you have the old licensing then you could try to see if it works; if not, then you can always request the Apex licensing.
Ken, thanks a lot. It's working now 🙂
After this, AnyConnect doesn't connect. Is there a way to fix this?
Check for an update of the software version which is used.
Hi Fred, I'm using the latest AnyConnect 3.x available. After making the changes above, AnyConnect no longer connects. I had to revert the changes for my users so they could VPN again.
It looks like AnyConnect 3.x is not compatible with TLS 1.2. You need to upgrade to support AnyConnect 4.x.
That is correct, I now use only version 4 and higher.
We are using an old ASA 5510 and it is running ASA version 8.2(1). It carries TLS v1 and still I am facing the POODLE error CVE-2014-3566 … what could be the solution for this?
You should check for interim updates from Cisco. Otherwise think about replacing the Cisco device with a newer model; that's the best I could suggest. We are replacing the 5510 now for customers because support for this product will end soon or has already expired, and Cisco has the product as EoL.