08-21-2023 01:55 PM - edited 08-23-2023 03:14 AM
Hello ASA Gurus,
I have an ASA 5516 running 9.9 and I'm planning to upgrade to 9.16 (the latest supported version).
This ASA is used as the main VPN concentrator.
The S2S VPNs are a bit of a mix: IKEv1 with old encryption ciphers, and others on IKEv2 with strong/recommended ciphers.
I walked through the version guidelines, and some mention that certain ciphers are deprecated, so the first thing I'm wondering is: if I go for an upgrade to 9.16, am I going to break the working VPNs that I have?
Thanks,
Solved! Go to Solution.
08-21-2023 08:01 PM
@AirSail most likely they will go down. This is explained explicitly in the link provided by @Marius Gunnerud :
"
Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:
The command will use the default cipher.
The command will be removed.
"
08-21-2023 10:34 PM
This depends on how your S2S VPNs are configured, and which is why I said review your configuration. If you do have any configuration that references those that are removed in the list for 9.15 your S2S VPNs will most likely stop working.
08-21-2023 03:44 PM
I would suggest reviewing your VPN configuration and correcting any deprecated / removed syntax. Check the 9.15 removed encryption ciphers in this link: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#reference_rql_v5v_wpb
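The review step above can be partly scripted. The following is an added example, not code from the thread and not a Cisco tool: it walks a saved ASA running-config, flags IKEv1/IKEv2 policies, transform-sets and IPsec proposals that use ciphers you expect the target version to reject, and then traces each flagged transform-set or proposal to the crypto map entries (the actual S2S tunnels) that reference it. The REMOVED / REMOVED_STANDALONE tables are placeholders that only show the data shape; fill them from the removed-cipher list for your target version in the Cisco planning guide linked above. The sample config is constructed for the demonstration.

```python
"""Pre-upgrade scan of an ASA VPN configuration for ciphers a newer
version will reject.

Added example, not from the thread and not a Cisco tool.

ASSUMPTION: REMOVED and REMOVED_STANDALONE are illustrative placeholders.
Replace them with the removed-cipher list for your target ASA version
from the Cisco upgrade planning guide before relying on the results.
"""
from dataclasses import dataclass

# keyword -> values to flag, for "keyword value" pairs such as "encryption 3des"
REMOVED = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "integrity": {"md5"},
    "prf": {"md5"},
    "group": {"1", "2", "5"},
}
# standalone tokens, as used on a "crypto ipsec ikev1 transform-set" line
REMOVED_STANDALONE = {"esp-des", "esp-3des", "esp-md5-hmac"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    context: str   # enclosing top-level command, e.g. "crypto ikev1 policy 10"
    line: str      # offending line, stripped
    token: str     # cipher keyword/value that was flagged


def scan_config(config_text, removed=REMOVED, standalone=REMOVED_STANDALONE):
    """Return (findings, affected_maps).

    findings: one Finding per flagged cipher reference.
    affected_maps: sorted "MAP SEQ" crypto map entries that use a flagged
    transform-set or ipsec-proposal, i.e. the tunnels to fix first.
    """
    findings = []
    flagged_names = set()   # transform-set / ipsec-proposal names to trace
    context = ""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tokens = raw.split()
        lower = [t.lower() for t in tokens]
        if not raw.startswith(" "):
            context = raw.strip()   # a top-level command opens a new context

        hits = [f"{tokens[i]} {tokens[i + 1]}"
                for i in range(len(lower) - 1)
                if lower[i] in removed and lower[i + 1] in removed[lower[i]]]
        hits.extend(t for t in tokens if t.lower() in standalone)

        for hit in hits:
            findings.append(Finding(lineno, context, raw.strip(), hit))
        if hits:
            ctx = context.split()
            # "crypto ipsec ikev1 transform-set NAME ..." or
            # "crypto ipsec ikev2 ipsec-proposal NAME"
            if len(ctx) > 4 and ctx[:2] == ["crypto", "ipsec"] \
                    and ctx[3] in ("transform-set", "ipsec-proposal"):
                flagged_names.add(ctx[4])

    affected = set()
    for raw in config_text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["crypto", "map"] or len(tokens) < 4:
            continue
        for key in ("transform-set", "ipsec-proposal"):
            if key in tokens and flagged_names.intersection(tokens[tokens.index(key) + 1:]):
                affected.add(f"{tokens[2]} {tokens[3]}")
    return findings, sorted(affected)


# Constructed sample running-config fragment (not from the thread).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map outside_map 10 match address branch-a
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 20 match address branch-b
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set ikev2 ipsec-proposal AES-GCM-256
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    found, maps = scan_config(text)
    for f in found:
        print(f"line {f.lineno}: [{f.context}] {f.line}  <- {f.token}")
    print("crypto map entries using a flagged transform-set/proposal:", maps or "none")
```

Run it against a `show running-config` saved to a file (`python scan_asa_vpn.py asa.cfg`). Flagged IKEv1 policies are global, so fixing them affects every IKEv1 peer; the `affected_maps` list tells you which individual crypto map entries (and hence which peers) depend on a flagged transform-set or proposal and need a coordinated change with the far side.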
08-21-2023 03:47 PM
So you think if I upgrade to 9.16 without updating my S2S parameters for sure the affected VPNs will go down?
09-04-2023 10:58 AM
@Marvin Rhoads I started the checks, and it takes a bunch of time. Is there any automated tool from Cisco where I can insert the running config so it can verify and flag what's been deleted/deprecated?
09-05-2023 05:25 AM
@AirSail, not as far as I know.
You could spin up an ASAv and load the current running-config from your live ASA into it. The console log will show you any errors the command parser encounters.
04-27-2024 04:27 AM
Hello Marvin,
It's an old conversation, but that topic prompted me; I'm now running into another use case with the same thing.
I want to try the ASAv (EVE-NG) method now: insert my config and look at the logs.
Should I perform a TFTP configuration restore? Will a console prompt show up with a sort of summary of what needs to be updated?
What is the best way/process to do it?
04-28-2024 02:38 AM
Yes - copy whatever config you want to analyze into startup-config and then reload the ASAv while capturing console output.