cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
795
Views
2
Helpful
8
Replies

ASA 5516-x Upgrade issue

kyle311
Level 1
Level 1

So, I just we to perform an update from 9.9.2.85 to 9.16.4 (last one) and it went fine.  I was able to VPN in afterwards.  However, the L2L tunnels went to MMG2 and would not come back up.  I changed the boot order back to .85 and everything went back to normal.  

There's also a firewpower module, which I did not touch.  

What could be causing this? does the firewpower module need to be upgraded before the ASA code?  It just didn't make sense to me why a change of the ASA code would cause this.

8 Replies 8

@kyle311 what crypto ciphers are your tunnels using? From 9.13 older/weaker crypto ciphers were depreciated and subsequently removed.

kyle311
Level 1
Level 1

It's IKEv1, AES-128

@kyle311 AES-128 should be fine, but what about DH group, hashing/integrity and PFS if used?

Hmm' dh group can be issue but I think this value is exchange and responder accept the value set by initiator.

Any way share 

Show crypto isakmp sa 

Let check it

Please if you can share it for both case before and after upgrading 

MHM

kyle311
Level 1
Level 1

DH2 - i'm thinking that could be the issue

@kyle311 yes, as I already mentioned there were changes from ASA 9.13.

RobIngram_0-1702484726873.png

In 9.13(1), Diffie-Hellman Group 14 is now the default for the group command under crypto ikev1 policy , ssl dh-group , and crypto ikev2 policy for IPsec PFS using crypto map set pfs , crypto ipsec profile , crypto dynamic-map set pfs , and crypto map set ikev1 phase1-mode . The former default Diffie-Hellman group was Group 2.

Dh2 not more use in 9.16

Change it to 14 (defualt)

MHM

Note' I called this issue silent vpn issue' the command accept and there is no log but in end it make vpn not work.

MHM

Review Cisco Networking for a $25 gift card