
Can I upgrade ACE 4710 from A4(2.3) to A5(3.3) or A5(3.5)

MaznikuKlo
Level 1

Hello,

Can I upgrade directly from A4(2.3) to A5(3.3) or A5(3.5) ?

I read in the Cisco release notes that: From Software Version A5(3.1b), ACE will no longer support SSLv3 version of SSL. ACE will support the following SSL versions: TLS1.0, TLS1.1, and TLS1.2.

What configuration do I need to do in version A5(3.3) or A5(3.5) for the SSL issue?

Waiting for your feedback.

Thanks

Klodian

4 Replies

Aleksey Pan
Cisco Employee

Hi Klodian,

Yes, you can upgrade it directly from A4.

- Not exactly sure what you meant by "configuration you need to do"...

- If you need it to support SSL v3:

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_3_x/release/note/ACE_mod_rn_A53x.html

New CLI Commands

The following new commands have been added to support TLS1.1 and TLS1.2:

switch/Admin(config)# parameter-map type ssl test
switch/Admin(config-parammap-ssl)# version ?
all All SSL versions upto TLS Version 1
SSL3 SSL Version 3
TLS1 TLS Version 1
TLS1_1 TLS Version 1.1
TLS1_2 TLS Version 1.2
Upto_TLS1_1 All SSL versions upto TLS Version 1.1
Upto_TLS1_2 All SSL versions upto TLS Version 1.2
switch/Admin(config-parammap-ssl)# version TLS1_1
switch/Admin(config-parammap-ssl)# version TLS1_2
switch/Admin(config-parammap-ssl)# version Upto_TLS1_1
switch/Admin(config-parammap-ssl)# version Upto_TLS1_2
 
== Attach the map in the corresponding ssl-proxy service
 
Switch/Admin(config)# ssl-proxy service test
switch/Admin(config-ssl-proxy)# ssl advanced-options test
 

Note The configuration version Upto_TLS1_1 indicates that ACE supports SSL3.0, TLS1.0 and TLS1.1 versions.

Note The configuration version Upto_TLS1_2 indicates that ACE supports SSL3.0, TLS1.0, TLS1.1 and TLS1.2 versions.

Hope this helps!

Regards,

Alex.

Hello Alex,

From Release Note A5(3.x) I see that SSLv3 is supported until version A5(3.1a).

My current configuration in version A4(2.3) is (the config is version all - supports all SSL versions up to TLS Version 1):

parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  close-protocol disabled
  version all
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  description PROBE for UST IDP PROD
  port 8021
  interval 15
  passdetect interval 60
  ssl version all
  request method get url /idp/status
  open 1
  expect regex "200 OK"

1) If I upgrade to version A5(3.5), does the command

 switch/Admin(config-parammap-ssl)# version all

exist?

2) If I upgrade to version A5(3.5), do I need to make only this change (blue color), including the probe config?

switch/Admin(config)# parameter-map type ssl PARAM_SSL
switch/Admin(config-parammap-ssl)# version Upto_TLS1_2
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  description PROBE for UST IDP PROD
  port 8021
  interval 15
  passdetect interval 60
  ssl version Upto_TLS1_2
  request method get url /idp/status
  open 1
  expect regex "200 OK"

3) I have too many probe configurations; do I need to go through every one to change the config?

from:

   ssl version all

to:

  ssl version Upto_TLS1_2

Waiting for your feedback.

Thanks

Klodian

Hi Klodian,

- Yes, that is correct: from Release Note A5(3.x), SSLv3 is supported until version A5(3.1a).

1) If I upgrade to version A5(3.5), does the command

 switch/Admin(config-parammap-ssl)# version all

exist?

- Yes, it still exists (but SSLv3 is not supported in this release)

2) If I upgrade to version A5(3.5), do I need to make only this change (blue color), including the probe config?

switch/Admin(config)#parameter-map type ssl PARAM_SSL

switch/Admin(config-parammap-ssl)# version Upto_TLS1_2

- Yes, it will support TLS 1.0, 1.1 and 1.2

3) I have too many probe configurations; do I need to go through every one to change the config?

from:

   ssl version all

to:

  ssl version Upto_TLS1_2

- "ssl version all" remains the same, and supports only TLS 1.0, 1.1 and 1.2

If you are going to move to A5 3.1b and higher, you need to move your apps from SSLv3.

- If you definitely need SSLv3, then you have to stay at A5 3.1a or lower

Best Regards,

Alex.
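
For the many-probes situation in question 3, an added example (not part of the original replies, and not Cisco code): a small Python audit that lists every SSL parameter map and HTTPS probe in a saved running-config with its version keyword, and marks the keywords that the CLI help and notes quoted above say include SSL 3.0. The sample config is constructed, PARAM_LEGACY and PARAM_NEW are made-up names, and treating `!` or the next stanza header as the end of a stanza is an assumption based on the config as pasted in this thread.

```python
import re

# Keywords that include SSL 3.0 per the CLI help and release notes quoted in
# this thread; "SSL3" is the only one that offers nothing else.
INCLUDES_SSL3 = {"all", "SSL3", "Upto_TLS1_1", "Upto_TLS1_2"}

# Stanza header -> version-line pattern (None: header only ends the previous stanza).
STANZAS = {
    "parameter-map type ssl": re.compile(r"^version\s+(\S+)$"),
    "probe https": re.compile(r"^ssl\s+version\s+(\S+)$"),
    "ssl-proxy service": None,
}
HEADER = re.compile(r"^(%s)\s+(\S+)$" % "|".join(map(re.escape, STANZAS)))

def audit_ssl_versions(config_text):
    """Return one finding per SSL parameter-map and HTTPS probe stanza."""
    findings, current, pattern = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header or line == "!":
            current = pattern = None  # a header or "!" closes the open stanza
            if header and STANZAS[header.group(1)]:
                pattern = STANZAS[header.group(1)]
                current = {"kind": header.group(1), "name": header.group(2),
                           "keyword": None}  # None: no explicit version line
                findings.append(current)
        elif current is not None and pattern.match(line):
            current["keyword"] = pattern.match(line).group(1)
    for f in findings:
        f["includes_ssl3"] = f["keyword"] in INCLUDES_SSL3
        f["ssl3_only"] = f["keyword"] == "SSL3"
    return findings

# Constructed sample. PARAM_SSL, CTXWEB and the probe name are from the thread;
# PARAM_LEGACY and PARAM_NEW are made-up names.
SAMPLE = """\
parameter-map type ssl PARAM_SSL
  version all
parameter-map type ssl PARAM_LEGACY
  version SSL3
parameter-map type ssl PARAM_NEW
  version TLS1_2
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  ssl version all
"""
```

Call `audit_ssl_versions()` on the text of a saved running-config before the upgrade; stanzas with `ssl3_only` set are the ones to review first, since SSLv3 is the only protocol they name.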

Hello Alex,

I have planned the maintenance window for the end of December.

I will let you know after the upgrade.

Thanks for your feedback.

Best Regards,

Klodian