How to change Diffle-Hellman Modulus setting on Cisco ASA

Recently our auditor has observed vulnerability in our Cisco ASA firewall and asked us to fix the issue. The reported issue was SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) is used in ASA. In our case, DH-Group 2 was used for AnyConnect connection.

The risk of using 1024 Bits Diffie-Hellman Modulus is SSL/TLS connection can be established by remote host.

Proposed solution by Audit team was to use Diffie Hellman Modulus 2048 bit or higher. This article explains how to change Diffie Hellman Modulus setting.

How to check what group of Diffle-Hellman is used

Firstly, let’s check actually which DH-Group is configured on your ASA. It can be checked by the sh ssl command.

As you can see on the high-lighted line, DH Group group2 (1024-bit modulus) is configured.

Version of Diffle-Hellman is available for your ASA

Now, let’s check what options are available.

See the command output below. I will change it to group14, which has 2048-bit modulus.

Change Diffle-Hellman’s group

With the command above, the DH-Group has been changed to group14.

Check current AnyConnect session

Remember, AnyConnect session will be dropped once you change DH-Group. So, before you issue the command above, let’s check if there is any AnyConnect sessions exist.

If there is no sessions, you will see the similar command output like below.

If there is any sessions, the command output would be like below.