05-12-2020 02:11 AM - edited 05-12-2020 05:34 AM
hi,
due to the recent ASA CVE alert, i need to do an upgrade 9.4 > 9.8.
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-73830
just want to confirm that i can upgrade directly 9.4 > 9.8 as per link below:
also, what's a "decent" and stable anyconnect VPN image to run on ASA 9.8 code? anyconnect 4.7 or 4.8?
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#id_64185
is this the right image to put in the ASA flash?
anyconnect-win-4.x.03052-webdeploy-k9.pkg
05-12-2020 05:18 AM
I'd recommend going to 9.12(3)12 as opposed to 9.8(4)20. Both are the current Gold Star releases; but 9.12x will be more long-lived. It also supports DTLS 1.2 with the latest AnyConnect. You can upgrade directly in either case.
https://software.cisco.com/download/home/284143129/type/280775065/release/9.12.3%20Interim
The recommended AnyConnect release is the latest one - currently 4.8.03052.
https://software.cisco.com/download/home/286281283/type/282364313/release/4.8.03052
05-12-2020 05:38 AM
hi marvin,
thanks for this info!
is this the right anyconnect image to upload/use? we only have windows machines.
anyconnect-win-4.8.03052-webdeploy-k9.pkg
05-12-2020 05:54 AM
You're welcome.
Yes - that's the correct AnyConnect image for deployment from the ASA.
05-12-2020 07:30 PM - edited 05-12-2020 08:00 PM
hi marvin,
one last thing, we'll disable FP module inspection.
do i remove the policy inspection and shutdown the SFR module?
policy-map global_policy
 no class SFR
sw-module module sfr shutdown
what is the standalone or full suite of anyconnect 4.8? would need this to pre-install anyconnect client instead of connecting to the VPN and downloading the client.
anyconnect-win-4.8.03052-predeploy-k9.zip
05-12-2020 11:09 PM
Yes that will suffice to remove the sfr module from the data path and shut it down.
Yes that predeploy zip includes all of the AnyConnect modules. Unzip it and run setup.exe and select the module(s) you want to install. Any profiles you have would need to be downloaded/installed separately.
05-25-2020 02:33 AM - edited 05-25-2020 02:36 AM
hi marvin,
i managed to get my ASA FWs upgraded 9.4 > 9.8 but got some hiccups with the anyconnect 4.8 update, wherein registry files needed to be deleted and some old win7 users were not able to successfully update their client.
i got an ASA FW that will be doing a minor upgrade since it's already on the 9.8 train. this FW already has anyconnect windows 4.1 image on it. my guess is that it's being used since i saw a counter/increment on 'sh vpn-sessiondb summary' output.
my question is, can i re-use this anyconnect windows 4.1 image with the 9.8 upgrade instead of anyconnect 4.8? i just want to avoid any windows problem with registry getting corrupted/errors.
05-25-2020 04:58 AM
Yes you can separate the upgrades.
The AnyConnect 4.1 image will work OK with the latest ASA software. It may not work OK with the newest clients (e.g. Windows 10, MacOS 10.15 Catalina etc.).