UPGRADING CISCO ACE 4710 TO SUPPORT TLS 1.1 & 1.2

usman ali dar
Level 1

Hello all,


We are currently running 2x Cisco ACE 4710 in active & standby mode. I am trying to upgrade them due to no support for TLS 1.1 & 1.2.


I tried to search for the authentic way to upgrade them to the correct version, and a procedure which could help me to have no downtime, like upgrading the standby first and then making it active by switching over all the connection states, and finally upgrading the old one.


Can you help me please finalize the correct latest IOS for ACE and the procedure, step by step?


ACE 4710 Version A5(2.1e) [build 3.0(0)A5(2.1e)]


Regards

2 Replies

Kanwaljeet Singh
Cisco Employee

Hi Usman,

First of all, it is strongly recommended to do the upgrade in a MW. You can follow the steps below to upgrade seamlessly.

1. Upgrade the standby module first. Ensure that the standby is in standby_hot.
2. Once reloaded, switch over to the standby and verify all services are working correctly.
3. Upgrade the new standby module.
4. Eventually switch over again to restore the active box as per the original configuration.

Or

1. Upgrade ACTIVE module. Reload should switchover to standby. Verify everything is working fine.

2. Upgrade standby which is now ACTIVE. Reload should switchover back to original active.


Please note that not every type of connection is synced between active and standby, and if you have that traffic there would be some impact during the switchover, but with a MW in place you should be fine.


Both the procedures should upgrade without any downtime.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

TIM JUDGE
Level 1

When we perform upgrades in a maintenance window, we move all active contexts over to one ACE so the first ACE we upgrade has no active contexts.

Then upload your new code A5(3.3) to the image directory (copy tftp://10.1.1.1/c4710ace-t1k9-mz.A5_3_3.bin image:) and update the boot variable in the Admin context.

Restart that ACE and then wait for it to come back up and stabilise.

You can run "show ft group status" in the admin context to see the status of the contexts. Once the upgraded ACE has finished booting, it should be in cold standby state.

Next, move your active contexts to the newly upgraded ACE so they are active on it and run "show ft group status". Test your websites as this may have an impact - the sessions will be affected (especially sticky ones) as the two ACEs will have different software versions.

Repeat the process on the other ACE.

Now, please beware that Cisco changed the default behaviours of some settings between A5(2.1e) and the newest versions.

So you might have to add the following to your parameter map, depending on your website's use of non-standard characters:

parameter-map type http <NAME>
  parsing non-strict

See this: http://www.cisco.com/c/en/us/support/docs/interfaces-modules/ace-application-control-engine-module/116328-probsol-ace-00.html

You might even need to add "length-exceed continue" to the parameter map.

Then, make sure your SSL parameter map for SSL termination is updated to support the best ciphers and TLS 1.1 & TLS 1.2. Configure your SSL parameter map with the following if you haven't done so already:

  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 2
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 4
  cipher RSA_WITH_AES_128_CBC_SHA256 priority 5
  session-cache timeout 600
  version Upto_TLS1_2

All the best.
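
As an added defender-side check that is not part of the thread and not Cisco code, the following Python script parses ACE parameter-map blocks of the form shown above and reports the settings that matter after the upgrade: a version line other than "Upto_TLS1_2", the 3DES suite, the absence of a SHA-256 suite, and the two HTTP relaxations ("parsing non-strict" and "length-exceed continue"), which keep awkward clients working but reduce the request validation the ACE performs. The configuration text, the map names and the classification of each cipher are this example's own assumptions; the assumption that a higher "priority" number means a more preferred cipher follows the ordering in the thread's example and should be confirmed against the ACE documentation before relying on that particular finding.

```python
"""Audit ACE parameter-map blocks for the TLS-related settings discussed above.

Constructed example, not Cisco software. Cipher names and the 'version'
value are those shown in the thread; the weak/legacy/preferred split is
this example's own assessment.
"""
import re
from dataclasses import dataclass, field

# 3DES has a 64-bit block and is deprecated; the CBC-SHA suites are legacy but
# TLS 1.2-capable; the SHA256 suite is the one to prefer among those listed.
WEAK_CIPHERS = {"RSA_WITH_3DES_EDE_CBC_SHA": "3DES, 64-bit block cipher, deprecated"}
LEGACY_CIPHERS = {"RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_AES_256_CBC_SHA"}
PREFERRED_CIPHERS = {"RSA_WITH_AES_128_CBC_SHA256"}
REQUIRED_VERSION = "Upto_TLS1_2"  # value the thread uses for TLS 1.1/1.2 support

# HTTP parameter-map relaxations mentioned in the thread: report them so the
# trade-off (compatibility vs. request validation) is a conscious decision.
HTTP_RELAXATIONS = {
    "parsing non-strict": "HTTP parsing relaxed (non-standard characters accepted)",
    "length-exceed continue": "over-length requests forwarded instead of dropped",
}


@dataclass
class ParamMap:
    kind: str
    name: str
    commands: list[str] = field(default_factory=list)


def parse_parameter_maps(config: str) -> list[ParamMap]:
    """Collect 'parameter-map type <kind> <name>' blocks and their indented sub-commands."""
    maps: list[ParamMap] = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        header = re.match(r"^parameter-map type (\S+) (\S+)\s*$", raw)
        if header:
            current = ParamMap(header.group(1), header.group(2))
            maps.append(current)
        elif raw[0] in " \t" and current is not None:
            current.commands.append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return maps


def audit_ssl_map(pm: ParamMap) -> list[str]:
    findings: list[str] = []
    ciphers: dict[str, int] = {}
    version = None
    for cmd in pm.commands:
        m = re.match(r"^cipher (\S+)(?: priority (\d+))?$", cmd)
        if m:
            ciphers[m.group(1)] = int(m.group(2) or 1)  # default priority assumed to be 1
            continue
        m = re.match(r"^version (\S+)$", cmd)
        if m:
            version = m.group(1)
    if version != REQUIRED_VERSION:
        findings.append(f"{pm.name}: version is {version!r}, expected {REQUIRED_VERSION}")
    if not ciphers:
        findings.append(f"{pm.name}: no cipher list configured (platform default applies)")
    if not set(ciphers) & PREFERRED_CIPHERS:
        findings.append(f"{pm.name}: no SHA-256 suite configured")
    best_preferred = max((p for c, p in ciphers.items() if c in PREFERRED_CIPHERS), default=None)
    for name, prio in ciphers.items():
        if name in WEAK_CIPHERS:
            findings.append(f"{pm.name}: weak cipher {name} ({WEAK_CIPHERS[name]})")
            # Assumption: a higher priority number is preferred, as in the thread's ordering.
            if best_preferred is not None and prio >= best_preferred:
                findings.append(f"{pm.name}: weak cipher {name} ranks above the SHA-256 suite")
        elif name not in LEGACY_CIPHERS and name not in PREFERRED_CIPHERS:
            findings.append(f"{pm.name}: unrecognised cipher {name}, review manually")
    return findings


def audit_http_map(pm: ParamMap) -> list[str]:
    return [f"{pm.name}: {note}" for cmd, note in HTTP_RELAXATIONS.items() if cmd in pm.commands]


def audit_config(config: str) -> list[str]:
    findings: list[str] = []
    for pm in parse_parameter_maps(config):
        if pm.kind == "ssl":
            findings.extend(audit_ssl_map(pm))
        elif pm.kind == "http":
            findings.extend(audit_http_map(pm))
    return findings


# Constructed sample: the maps as recommended in the thread (names are made up).
RECOMMENDED = """\
parameter-map type http HTTP_PM
  parsing non-strict
  length-exceed continue
parameter-map type ssl SSL_PM
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 2
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 4
  cipher RSA_WITH_AES_128_CBC_SHA256 priority 5
  session-cache timeout 600
  version Upto_TLS1_2
"""

# Constructed sample of a map that was never updated for TLS 1.2.
PRE_UPGRADE = """\
parameter-map type ssl SSL_OLD
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 5
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  version all
"""

if __name__ == "__main__":
    for label, cfg in (("recommended", RECOMMENDED), ("pre-upgrade", PRE_UPGRADE)):
        print(f"== {label} ==")
        for line in audit_config(cfg):
            print("  " + line)
```

Run it against a saved "show running-config" and the only finding left on a correctly updated SSL map should be the 3DES suite, which the thread keeps at a low priority for old clients; drop it once no client still needs it.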
