ASA OS Upgrade planned: Problems with S2S tunnels expected

swscco001
Level 3

Hello everybody,

our customer has a Firepower 4110 running ASA OS image 9.16(4)14 with
56 S2S tunnels configured (configuration attached).

They want to upgrade to the current suggested release 9.18(3) and expect
problems because many of the S2S tunnels are IKEv1.

Is there a document that describes the differences between the releases
9.16(4)14 and 9.18(3) regarding S2S tunnels?

Or is there a tool that can check the configuration for incompatibilities with
the new release 9.18(3)?

Every hint is very welcome!

Thanks a lot!



Bye
R.

Accepted Solution

@swscco001 In 9.13 the older weaker ciphers were deprecated and removed in 9.15. I can also see from your configuration the IKE policies may be called DES, 3DES but actually the configured proposals are AES.

I do note you have PFS group 5 configured which has been deprecated; remove or change this.

You should refer to the release notes for 9.17, 9.18 to determine if anything specific relates to your configuration.

https://www.cisco.com/c/en/us/support/security/adaptive-security-appliance-asa-software/products-release-notes-list.html

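The question asks for a tool that checks the attached configuration for settings the new release will reject. No such tool is posted in the thread; the script below is an added example written for this page, not a Cisco utility and not the customer's configuration. It makes the same check the accepted answer describes by hand: it judges the proposals actually configured rather than the names of the IKE policies and transform-sets. Assumptions: the `WEAK_*` sets contain only what the thread names (DES, 3DES, MD5, DH/PFS group 5) and must be extended from the 9.17/9.18 release notes before being relied on; the input is `show running-config` text, in which ASA indents sub-commands by one space; the sample configuration is constructed.

```python
"""Scan an ASA running-config for the IKEv1/IPsec settings this thread calls weak or deprecated.

Constructed example: not a Cisco tool and not the customer's attached configuration.
The WEAK_* sets hold only what the thread names (DES, 3DES, MD5, DH/PFS group 5);
extend them from the 9.17/9.18 release notes before relying on the result.
"""
import re

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"5"}   # 'group 5' in an IKEv1 policy, 'set pfs group5' in a crypto map

POLICY_RE = re.compile(r"crypto ikev1 policy (\d+)$")


def lint_asa_config(config: str) -> list[dict]:
    """Return findings as {line, context, issue} dicts, sorted by config line number.

    Judges the configured proposals, not the names: a transform-set called
    ESP-3DES-SHA that actually carries esp-aes is not reported.
    """
    findings = []
    weak_transform_sets = set()      # names of transform-sets with a weak proposal
    map_refs = []                    # (line, crypto-map entry, transform-set names) resolved after the pass
    policy = None                    # number of the 'crypto ikev1 policy' block we are inside, if any

    def flag(lineno, context, issue):
        findings.append({"line": lineno, "context": context, "issue": issue})

    for lineno, raw in enumerate(config.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "!:":    # blank or comment line
            continue
        tokens = stripped.split()
        low = [t.lower() for t in tokens]

        # ASA 'show run' indents sub-commands with one space; an unindented line ends the block
        if not raw.startswith(" "):
            policy = None
            m = POLICY_RE.match(stripped.lower())
            if m:
                policy = m.group(1)
                continue

        if policy is not None:
            ctx = f"crypto ikev1 policy {policy}"
            if len(low) >= 2:
                if low[0] == "encryption" and low[1] in WEAK_ENCRYPTION:
                    flag(lineno, ctx, f"weak encryption {low[1]}")
                elif low[0] == "hash" and low[1] in WEAK_HASH:
                    flag(lineno, ctx, f"weak hash {low[1]}")
                elif low[0] == "group" and low[1] in WEAK_DH_GROUPS:
                    flag(lineno, ctx, f"deprecated DH group {low[1]}")
            continue

        # crypto ipsec ikev1 transform-set NAME <esp-cipher> [<esp-hmac>]
        if low[:4] == ["crypto", "ipsec", "ikev1", "transform-set"] and len(tokens) >= 5:
            name = tokens[4]
            weak = [t for t in low[5:] if t in WEAK_ENCRYPTION or t in WEAK_HASH]
            if weak:
                weak_transform_sets.add(name)
                flag(lineno, f"transform-set {name}", "weak proposal " + ", ".join(weak))
            continue

        # crypto map NAME SEQ set pfs groupN | set ikev1 transform-set T1 [T2 ...]
        if low[:2] == ["crypto", "map"] and len(tokens) >= 7 and low[4] == "set":
            ctx = f"crypto map {tokens[2]} {tokens[3]}"
            if low[5] == "pfs":
                group = low[6][5:] if low[6].startswith("group") else low[6]
                if group in WEAK_DH_GROUPS:
                    flag(lineno, ctx, f"deprecated PFS group {group}")
            elif low[5:7] == ["ikev1", "transform-set"]:
                map_refs.append((lineno, ctx, tokens[7:]))

    # Resolve transform-set references after the pass so definition order does not matter
    for lineno, ctx, names in map_refs:
        for name in names:
            if name in weak_transform_sets:
                flag(lineno, ctx, f"references weak transform-set {name}")

    return sorted(findings, key=lambda f: f["line"])


# Constructed sample in 'show running-config' layout; the first transform-set has a
# misleading 3DES name but AES proposals, as the accepted answer describes.
SAMPLE_CONFIG = """\
: Constructed sample, not the customer's attached configuration
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address acl-vpn-a
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 set peer 203.0.113.20
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 14
 lifetime 86400
"""

if __name__ == "__main__":
    for f in lint_asa_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['context']:<28} {f['issue']}")
```

To run it against a real box, paste the output of `show running-config crypto` into `SAMPLE_CONFIG` (or read it from a file). On the sample it reports the weak transform-set, the `set pfs group5` line, the crypto map entry that references the weak set, `group 5` in policy 10 and the 3DES/MD5 lines in policy 20, and it stays silent on `ESP-3DES-SHA`, whose proposals are AES and SHA despite the name.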

3 Replies

Only check the phase 2 proposal differences. I think MD5 is weak and removed, and some SHA 128 is also removed.

Also the DH groups are different between the two versions.

Other features are the same between 9.16 and 9.18 for S2S VPN.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa918/configuration/vpn/asa-918-vpn-config/vpn-ike.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/vpn/asa-916-vpn-config/vpn-site2site.html

I checked the release notes; there is not a lot of info about DH group and weak cipher removal from 9.18.

But I share links about S2S VPN for 9.18 and 9.16 in which you can learn more about these points.

