
Can I upgrade ACE 4710 from A4(2.3) to A5(3.3) or A5(3.5)?

MaznikuKlo
Beginner

Hello,

Can I upgrade directly from A4(2.3) to A5(3.3) or A5(3.5) ?

I read in the Cisco release notes that: From Software Version A5(3.1b), ACE will no longer support the SSLv3 version of SSL. ACE will support the following SSL versions: TLS1.0, TLS1.1, and TLS1.2.

What configuration do I need to do in version A5(3.3) or A5(3.5) for the SSL issue?

Waiting for your feedback.

Thanks

Klodian

4 REPLIES

Aleksey Pan
Cisco Employee

Hi Klodian,

Yes, you can upgrade it directly from A4.

- Not exactly sure what you meant by "configuration you need to do"...

- If you need it to support SSL v3:

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_3_x/release/note/ACE_mod_rn_A53x.html

New CLI Commands

The following new commands have been added to support TLS1.1 and TLS1.2:

switch/Admin(config)# parameter-map type ssl test
switch/Admin(config-parammap-ssl)# version ?
all All SSL versions upto TLS Version 1
SSL3 SSL Version 3
TLS1 TLS Version 1
TLS1_1 TLS Version 1.1
TLS1_2 TLS Version 1.2
Upto_TLS1_1 All SSL versions upto TLS Version 1.1
Upto_TLS1_2 All SSL versions upto TLS Version 1.2
switch/Admin(config-parammap-ssl)# version TLS1_1
switch/Admin(config-parammap-ssl)# version TLS1_2
switch/Admin(config-parammap-ssl)# version Upto_TLS1_1
switch/Admin(config-parammap-ssl)# version Upto_TLS1_2
 
== Attach the map in the corresponding ssl-proxy service
 
Switch/Admin(config)# ssl-proxy service test
switch/Admin(config-ssl-proxy)# ssl advanced-options test
 

Note: The configuration version Upto_TLS1_1 indicates that ACE supports SSL3.0, TLS1.0 and TLS1.1 versions.

Note: The configuration version Upto_TLS1_2 indicates that ACE supports SSL3.0, TLS1.0, TLS1.1 and TLS1.2 versions.

Hope this helps!

Regards,

Alex.

Hello Alex,

From Release Note A5(3.x) I see that SSLv3 is supported until version A5(3.1a).

My current configuration in version A4(2.3) is (the config is "version all", which supports all SSL versions up to TLS Version 1):

parameter-map type ssl PARAM_SSL
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_DES_CBC_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
close-protocol disabled

version all

!

ssl-proxy service CTXWEB
 ssl advanced-options PARAM_SSL

 

!

probe https IDP-PROD-UST_8021-CHECK
description PROBE for UST IDP PROD
port 8021
interval 15
passdetect interval 60
ssl version all
request method get url /idp/status
open 1
expect regex "200 OK"

1) If I upgrade to version A5(3.5), does the command

 switch/Admin(config-parammap-ssl)# version all

exist?

2) If I upgrade to version A5(3.5), do I only need to make this change (blue color), including the probe config?

switch/Admin(config)#parameter-map type ssl PARAM_SSL

switch/Admin(config-parammap-ssl)# version Upto_TLS1_2

!

ssl-proxy service CTXWEB
 ssl advanced-options PARAM_SSL

 

!

probe https IDP-PROD-UST_8021-CHECK
description PROBE for UST IDP PROD
port 8021
interval 15
passdetect interval 60
ssl version Upto_TLS1_2
request method get url /idp/status
open 1
expect regex "200 OK"

3) I have too many probe configurations; do I need to go through every one to change the config?

from:

   ssl version all

to:

  ssl version Upto_TLS1_2

Waiting for your feedback.

Thanks

Klodian

Hi Klodian,

- Yes, that is correct: per Release Note A5(3.x), SSLv3 is supported until version A5(3.1a).

1) If I upgrade to version A5(3.5), does the command

 switch/Admin(config-parammap-ssl)# version all

exist?

- Yes, it still exists (but SSLv3 is not supported in this release)

2) If I upgrade to version A5(3.5), do I only need to make this change (blue color), including the probe config?

switch/Admin(config)#parameter-map type ssl PARAM_SSL

switch/Admin(config-parammap-ssl)# version Upto_TLS1_2

- Yes, it will support TLS 1.0, 1.1, and 1.2

3) I have too many probe configurations; do I need to go through every one to change the config?

from:

   ssl version all

to:

  ssl version Upto_TLS1_2

- "ssl version all" remains the same, and supports only TLS 1.0, 1.1 and 1.2

If you are going to move to A5 3.1b or higher, you need to move your apps away from SSLv3.

- If you definitely need SSLv3, then you have to stay at A5 3.1a or lower

Best Regards,

Alex.
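
An added example, not part of the original thread and not Cisco tooling: for question 3 (many probes to review), this Python script inventories every `parameter-map type ssl` and `probe https` stanza in a saved running-config by its SSL version keyword, links each `ssl-proxy service` to its parameter map, and lists cipher lines that use RC4, single DES or MD5. It assumes sub-commands are indented as in `show running-config` output; the `LEGACY-CHECK` probe and the weak-cipher pattern are constructed for illustration.

```python
import re
HEADER = re.compile(r"^(parameter-map type ssl|probe https|ssl-proxy service)\s+(\S+)")
# Flagging RC4, single DES and MD5 suites is this example's judgement, not the thread's.
WEAK = re.compile(r"RC4|_DES_CBC_|MD5")

def audit(config):
    """Parse an ACE running-config; return one dict per SSL-related stanza."""
    stanzas, cur = [], None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        m = HEADER.match(line)
        if m:
            cur = {"kind": m.group(1), "name": m.group(2),
                   "version": None, "weak": [], "param_map": None}
            stanzas.append(cur)
        elif not line[0].isspace():
            cur = None                      # unrelated top-level command
        elif cur and (words[0] == "version" or words[:2] == ["ssl", "version"]):
            cur["version"] = words[-1]      # parameter-map form / probe form
        elif cur and words[0] == "cipher" and len(words) > 1 and WEAK.search(words[1]):
            cur["weak"].append(words[1])
        elif cur and words[:2] == ["ssl", "advanced-options"]:
            cur["param_map"] = words[-1]    # ssl-proxy service -> parameter-map link
    return stanzas

def by_version(stanzas):
    """Group parameter-map and probe names by their SSL version keyword."""
    groups = {}
    for s in stanzas:
        if s["kind"] != "ssl-proxy service":
            groups.setdefault(s["version"] or "(not set)", []).append(s["name"])
    return groups

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE = """\
parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  version all
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
probe https IDP-PROD-UST_8021-CHECK
  ssl version all
probe https LEGACY-CHECK
  ssl version SSL3
"""
```

Going by the reply above, stanzas grouped under `all` need no edit on A5(3.1b) and later, but their peers must be able to negotiate TLS 1.0 or newer; anything grouped under `SSL3` depends on a protocol those releases no longer support.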

Hello Alex,

I have planned the maintenance window for the end of December.

I will let you know after the upgrade.

Thanks for your feedback.

Best Regards,

Klodian
