ASA 5516-x Upgrade issue

kyle311
Level 1
Level 1

So, I just went to perform an update from 9.9.2.85 to 9.16.4 (last one) and it went fine. I was able to VPN in afterwards. However, the L2L tunnels went to MMG2 and would not come back up. I changed the boot order back to .85 and everything went back to normal.

There's also a Firepower module, which I did not touch.

What could be causing this? Does the Firepower module need to be upgraded before the ASA code? It just didn't make sense to me why a change of the ASA code would cause this.

8 Replies

@kyle311 what crypto ciphers are your tunnels using? From 9.13, older/weaker crypto ciphers were deprecated and subsequently removed.

kyle311
Level 1
Level 1

It's IKEv1, AES-128

@kyle311 AES-128 should be fine, but what about DH group, hashing/integrity and PFS if used?

Hmm, DH group can be an issue, but I think this value is exchanged and the responder accepts the value set by the initiator.

Anyway, share

show crypto isakmp sa

Let's check it.

Please share it for both cases, before and after upgrading.

MHM

kyle311
Level 1
Level 1

DH2 - I'm thinking that could be the issue.

@kyle311 yes, as I already mentioned there were changes from ASA 9.13.


In 9.13(1), Diffie-Hellman Group 14 is now the default for the group command under crypto ikev1 policy, ssl dh-group, and crypto ikev2 policy for IPsec PFS using crypto map set pfs, crypto ipsec profile, crypto dynamic-map set pfs, and crypto map set ikev1 phase1-mode. The former default Diffie-Hellman group was Group 2.

DH2 is no longer usable in 9.16.

Change it to 14 (default).

MHM

Note: I call this issue the "silent VPN issue": the command is accepted and there is no log, but in the end it makes the VPN not work.

MHM
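A pre-upgrade check for the problem discussed in this thread, written as an added example (not code from the thread or from Cisco): it scans an ASA running-config excerpt for IKEv1/IKEv2 policies and crypto map PFS settings that still use DH group 2 and prints the lines needed to move them to group 14. The config text is constructed for the example; REMOVED_GROUPS is an assumption that only group 2 (the one the thread names) needs flagging, and both tunnel endpoints must agree on the new group.

```python
import re

# Constructed ASA running-config excerpt for the example (not a real device).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 203.0.113.5
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 2 set pfs group14
"""

REMOVED_GROUPS = {2}    # assumption: group 2 is the one the thread says breaks on 9.16
RECOMMENDED_GROUP = 14  # the default since ASA 9.13(1), per the release note quoted above

POLICY_RE = re.compile(r"^crypto (ikev1|ikev2) policy (\d+)\s*$")
GROUP_RE = re.compile(r"^\s+group (\d+)\s*$")
PFS_RE = re.compile(r"^crypto map (\S+) (\d+) set pfs group(\d+)\s*$")

def find_removed_dh_groups(config):
    """Return (location, group) for every DH group setting in REMOVED_GROUPS."""
    findings, current_policy = [], None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:  # entering a crypto ikev1/ikev2 policy sub-mode
            current_policy = f"crypto {m.group(1)} policy {m.group(2)}"
            continue
        if not line.startswith(" "):  # any top-level line leaves the sub-mode
            current_policy = None
        m = GROUP_RE.match(line)
        if m and current_policy and int(m.group(1)) in REMOVED_GROUPS:
            findings.append((current_policy, int(m.group(1))))
        m = PFS_RE.match(line)
        if m and int(m.group(3)) in REMOVED_GROUPS:
            findings.append((f"crypto map {m.group(1)} {m.group(2)} set pfs", int(m.group(3))))
    return findings

def remediation_commands(findings):
    """Build the config lines that move each finding to RECOMMENDED_GROUP."""
    cmds = []
    for location, _ in findings:
        if location.endswith("set pfs"):
            cmds.append(f"{location} group{RECOMMENDED_GROUP}")
        else:  # re-enter the policy and override its group line
            cmds.extend([location, f" group {RECOMMENDED_GROUP}"])
    return cmds

if __name__ == "__main__":
    print("\n".join(remediation_commands(find_removed_dh_groups(SAMPLE_CONFIG))))
```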
