topic IKE vulnerability patch/fix release and image upgrade path in Network Security

IKE vulnerability patch/fix release and image upgrade path

johnlloyd_13 — Tue, 12 Mar 2019 07:33:33 GMT

hi,

due to this IKE vulnerability, i was asked to upgrade our ASAs:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

can someone concur the upgrade path?

also there's no major changes in config (i.e. NAT/ACL)?

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116685-problemsolution-product-00.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-769104

Current Version	Fixed Release	Upgrade path
8.2(2)	8.2(5.59)
8.3(2)	8.4(7.30)	8.3.2 > 8.4.6 > 8.4.7
8.6(1)2	9.1(6.11)	8.6.1 > 9.0.2 > 9.1.6
9.1(2)	9.2(4)8
9.1(6)4	9.2(4)8
9.1(5)	9.2(4)8
8.3(2)34	8.4(7.30)	8.3.2 > 8.4.6 > 8.4.7
9.2(4)	9.2(4)8

You are late with this

Karsten Iwen — Thu, 31 Mar 2016 07:32:46 GMT

You are late with this upgrade ...

What's your running version?

hi karsten,

johnlloyd_13 — Thu, 31 Mar 2016 08:25:48 GMT

hi karsten,

the first column is what the ASAs are currently running.

the second column is what i'm trying to upgrade to.

Ok, didn't realize that you

Karsten Iwen — Thu, 31 Mar 2016 08:53:13 GMT

Ok, didn't realize that you are running all these versions ... From my experience:

Easy and straight forward:

8.2x -> 8.2(5.59)
9.2x -> 9.2(4)8
9.1x -> 9.2(4)8

Be aware of the arp permit-nonconnected and nat-chnages (proxy-arp and route-lookup) changes:

8.3x -> 8.4(7.30)

An ASA that is capable of 8.6 is also capable of running 9.2, the realease that you approach for most of your upgrades:

8.6(1)2 -> 9.1(6.11)

But it's always good to read the release notes and compare that to your config!

If you are running SSL/TLS-VPNs, I would go for a release >= 9.3 because of TLS1.2 that was introduced there.

hi karsten,

johnlloyd_13 — Thu, 31 Mar 2016 09:02:28 GMT

hi karsten,

on 8.3x -> 8.4(7.30), where are the said commands changed? is it on 8.4.6 or on 8.4.7?

as shown in the linked

Karsten Iwen — Thu, 31 Mar 2016 09:23:57 GMT

as shown in the linked command-reference, it's already in 8.4(6).

karsten, thank you sir!

johnlloyd_13 — Thu, 31 Mar 2016 13:52:41 GMT

karsten,

thank you sir!

hi karsten,

johnlloyd_13 — Fri, 01 Apr 2016 03:22:20 GMT

hi karsten,

just another quick one, for the 9.2.4 release, do you go for asa924-8-smp-k8.bin or asa924-5-smp-k8.bin?

I always go for the latest

Karsten Iwen — Fri, 01 Apr 2016 06:28:49 GMT

I always go for the latest interims releases, but there are different opinions on that ...

thanks! i already downloaded

johnlloyd_13 — Fri, 01 Apr 2016 06:40:05 GMT

thanks! i already downloaded the latest interim 9.2.4(8).

hi karsten,

johnlloyd_13 — Tue, 05 Apr 2016 14:01:14 GMT

hi karsten,

i'm currently raising a change window, for this upgrade path: 8.3.2 > 8.4.6 > 8.4.7

if there's a problem with it, can i roll back directly from 8.4.7 down to 8.3.2?

or do i need to follow the path: 8.4.7 > 8.4.6 > 8.3.2?

I never had exactly this

Karsten Iwen — Tue, 05 Apr 2016 17:29:15 GMT

I never had exactly this downgrade, but in similar situations it was just to load the old image with the old config (that you place as backup in flash before the upgrade).