topic Re: ASA Upgrade from 9.10(1) to 9.20(3) on ASAv – Best Practices in Network Security

ASA Upgrade from 9.10(1) to 9.20(3) on ASAv – Best Practices

Zaza1 — Thu, 24 Jul 2025 07:01:18 GMT

Hello everyone,

I'm planning to upgrade our Cisco ASAv from version **9.10(1)42** to **9.20(3)20** directly.

📌 Current environment:
- **Platform**: Cisco ASAv (virtual appliance)

❓ Questions:
1. Is a **direct upgrade** from 9.10 to 9.20 supported and stable for ASAv?
2. What **config or syntax changes** should I expect (e.g., SSL/TLS, VPN settings)?
3. Do I need to upgrade ASDM as well, and to which version?
4. Any known issues or rollback recommendations?

Can anyone tell me the best practices for this progress?

Thanks in advance for any guidance or experiences shared!

Re: ASA Upgrade from 9.10(1) to 9.20(3) on ASAv – Best Practices

Rob Ingram — Thu, 24 Jul 2025 07:42:20 GMT

@Zaza1 refer to table 9 https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_58680 reveals you can go direct from 9.10 to 9.20.

You should upgrade to at least ASDM version 7.20(2) or higher when using ASA 9.20

Between ASA version 9.10 and 9.20 Cisco has depreciated old weak crypto ciphers (DH groups, encryption algorthims and hash algorithms) so if you have any VPN's using depreciated ciphers these will no longer work. Clientless SSL-VPN has been completely depreciated. You should review your current VPN configuration against the release notes, you may need to reconfigure any current VPNs before the upgrade if using unsupported ciphers.

For more information refer to the ASA planning/upgrade guide. https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html

See as you are using ASA virtual, take a snapshot so you can revert if there is a problem.

Re: ASA Upgrade from 9.10(1) to 9.20(3) on ASAv – Best Practices

Zaza1 — Thu, 24 Jul 2025 08:02:47 GMT

@Rob Ingram Thank you for your support!

Could you please confirm which exact crypto ciphers, hashing algorithms, or DH groups have been deprecated or removed in ASA version 9.20?

We would like to cross-check our current VPN (IPSec/IKEv1/IKEv2) configuration to see which tunnels might break after the upgrade.

Is there a complete list or command that shows which ciphers are no longer supported in 9.20?

Thanks in advance!

Re: ASA Upgrade from 9.10(1) to 9.20(3) on ASAv – Best Practices

Rob Ingram — Thu, 24 Jul 2025 08:26:39 GMT

@Zaza1 a quick check of the release notes:- https://www.cisco.com/c/en/us/support/security/adaptive-security-appliance-asa-software/products-release-notes-list.html

Low-Security Cipher Removal in ASA 9.15(1)—Support for the following less secure ciphers used by IKE and IPsec have been removed:

Diffie-Hellman groups: 2 and 24
Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256, NULL, ESP-3DES, ESP-DES, ESP-MD5-HMAC
Hash algorithms: MD5

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html

No support for DH groups 2, 5, and 24 in 9.16(1)—Support has been removed for the DH groups 2, 5, and 24 in SSL DH group configuration. The ssl dh-group command has been updated to remove the command options group2, group5, and group24.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html