cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
281
Views
3
Helpful
3
Replies

ASA OS Upgrade planned: Problems with 2S2-tunnels expected

swscco001
Beginner
Beginner

Hello everybody,

our customer has a Firepower 4110 running ASA OS image 9.16(4)14 with
56 2S2-tunnels configured (configuration attached).

They want to upgrade to the current suggested release 9.18(3) and expect
problems because many of the 2S2-tunnels are IKEv1.

Is there a document that describe the differences between the releases
9.16(4)14 and 9.18(3) regarding 2S2-tunnels?

Or is there a tool that can ckeck the configuration to incompatibilities with
the new release 9.18(3)?

Every hint is very welcome!

Thanks a lot!



Bye
R.

1 Accepted Solution

Accepted Solutions

@swscco001 In 9.13 the older weaker ciphers were depreciated and removed in 9.15. I can also see from your configuration the IKE policies may be called DES, 3DES but actually the configured proposals are AES.

I do note you have PFS group 5 configured which has been depreciated, remove or change this.

You should refer to the release notes for 9.17, 9.18 to determine if anything specific relates to your configuration.

https://www.cisco.com/c/en/us/support/security/adaptive-security-appliance-asa-software/products-release-notes-list.html

 

View solution in original post

3 Replies 3

Only check phase2 proposal different' I think MD5 is weak and remove and some sha 128 is also remove.

Also DH group is different between two ver.

Other feature is same between 9.16 and 9.18 for s2s vpn.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa918/configuration/vpn/asa-918-vpn-config/vpn-ike.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/vpn/asa-916-vpn-config/vpn-site2site.html

I check release notes there is no alot info. About dh group and weak remove form 9.18 

But I share links about vpn s2s for 9.18 and 9.16 in which you can learn more about these points.

@swscco001 In 9.13 the older weaker ciphers were depreciated and removed in 9.15. I can also see from your configuration the IKE policies may be called DES, 3DES but actually the configured proposals are AES.

I do note you have PFS group 5 configured which has been depreciated, remove or change this.

You should refer to the release notes for 9.17, 9.18 to determine if anything specific relates to your configuration.

https://www.cisco.com/c/en/us/support/security/adaptive-security-appliance-asa-software/products-release-notes-list.html

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: