Cisco | ASA disable SSL 3.0 settings and change it to TLS V1.2

To see if you SSL version for AnyConnect is on a safe level. You want to check this first via the following website https://www.ssllabs.com/ssltest/analyze.html
You need to enter your domain name which you use to connect with the clients to logon to.
For this you need to use at lease ASA software version 9.3(2) or later In earlier versions the TLS 1.2 is not supported.
To configure the TLS 1.2, you can use 2 options. via the command line or via the ASDM.
First via the Command Line, you need to enter the following command’s

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24

After you changed this you can to a recheck via the earlier given website.
If you want to set this settings via the ASDM you need to go to
Remote Access VPN > Advanced > SSL Settings
SSL-TLS-SettingsSet the version for server as for client to TLS V1.2 put the Diffie-Hellman Group to 24 most secure option which is available. At the Encryption put the TLS V1.2 to High.
When you do the re-check you will see the follow output
ssl-check

16 thoughts on “Cisco | ASA disable SSL 3.0 settings and change it to TLS V1.2”

    1. this is an issue of the ASA software version. I think you have some out dated version or a cisco 5510 which is not able to ehave this versions.
      I don’t have a fix for it.

    2. Dear Capricorn!
      change ssl cipher from  ”ssl cipher tlsv1.2 high”     to  ”ssl cipher tlsv1.2 medium” and the magic will begin. your ASDM will start working again.
      Goodluck!

  1. Does the “Diffie-Hellman Group 24” option require the new Apex licensing with AnyConnect 4.x? I am trying to determine if I can get away with Plus licensing or not to pass the Qualys SSL labs test. Thanks.

    1. I have no idea if you have the old licensing than you could try to see if it works. if not than you can always request voor the Apex licensing.

      1. Hi Fred, I’m using the latest AnyConnect 3.x available. After making the changes above, AnyConnect no longer connects. I had to revert the changes for my users so they could vpn again.

  2. It looks like AnyConnect 3.x is not compatible with TLS 1.2. You need to upgrade to support AnyConnect 4.x.

  3. Pingback: Cisco | ASA disable SSL 3.0 settings and change it to TLS V1.2 – Mr.T

    1. You should check for interim updates of cisco. otherwsie think about to replace the cisco device for a newer model. that’s the best what i could suggest. We are replacing the 5510 now for customers because the support will end soon of this product or is already expired and cisco has the product as EoL.

Leave a Reply to WilCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.