topic Re: ASA 5516 upgrade to 9,16 in Network Security

ASA 5516 upgrade to 9,16

AirSail — Wed, 23 Aug 2023 10:14:59 GMT

Hello ASA Gurus,

I have an ASA 5516 running 9.9 and I m planning to upgrade to 9.16 (the latest supported version)

This ASA is used as a main VPN concentrator,

S2S VPNs are kind of mix, Ikev1 with old encryption ciphers, and others with Ikev2 with strong/recommended cipher,

I walked through version guidelines, and some mentioned that some ciphers are deprecated, so the first thing that I m thinking about is if I shoot for an upgrade to 9.16, am I going to break the working VPNs that I have?

Thanks,

Re: ASA 5516 upgrade to 9,16

Marius Gunnerud — Mon, 21 Aug 2023 22:44:17 GMT

I would suggest reviewing your vpn configuration and correct any deprecated / removed sytanx. check the 9.15 removed encryption ciphers in this link: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#reference_rql_v5v_wpb

Re: ASA 5516 upgrade to 9,16

AirSail — Mon, 21 Aug 2023 22:47:25 GMT

So you think if I upgrade to 9.16 without updating my S2S parameters for sure the affected VPNs will go down?

Re: ASA 5516 upgrade to 9,16

Marvin Rhoads — Tue, 22 Aug 2023 03:01:36 GMT

@AirSail most likely they will go down. This is explained explicitly in the link provided by @Marius Gunnerud :

Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:

The command will use the default cipher.
The command will be removed.

Re: ASA 5516 upgrade to 9,16

Marius Gunnerud — Tue, 22 Aug 2023 05:34:15 GMT

This depends on how your S2S VPNs are configured, and which is why I said review your configuration. If you do have any configuration that references those that are removed in the list for 9.15 your S2S VPNs will most likely stop working.

Re: ASA 5516 upgrade to 9,16

AirSail — Mon, 04 Sep 2023 17:58:30 GMT

@Marvin Rhoads I started the checks, and it takes a bunch of time, is there any automated tool from Cisco where I can insert the running config so it can verify and flag what's been deleted/deprecated?

Re: ASA 5516 upgrade to 9,16

Marvin Rhoads — Tue, 05 Sep 2023 12:25:38 GMT

@AirSail, not as far as I know.

You could spin up an ASAv and load the current running-config from your live ASA into it. The console log will show you any errors the command parser encounters.

Re: ASA 5516 upgrade to 9,16

AirSail — Sat, 27 Apr 2024 11:27:52 GMT

Hello Marvin,

It's an old conversation but that topic prompted me, I m running now into another use case with the same thing,

I want to try now the ASAv(EVENG) method to insert my config and look at the logs,

should I perform a tftp configuration restore? a console prompt will show up with a sort of summary of what it s need to be updated ?

what is the best way, process to do it ?

Re: ASA 5516 upgrade to 9,16

Marvin Rhoads — Sun, 28 Apr 2024 09:38:37 GMT

Yes - copy whatever config you want to analyze into startup-config and then reload the ASAv while capturing console output.