08-24-2023 10:21 AM
Hi,
This is my first post on this forum. Actually, I'm having trouble upgrading to the latest Cisco firmware in a site-to-site VPN.
The ciphers used in the current version do not work in the upgraded version, so I want to know which ciphers will work and which will be deprecated or eliminated in the newer version before patching it to the new version. Otherwise, the vpn tunnel will go down after patching, so please direct me to where I can find all the details about this.
08-24-2023 10:28 AM
@edwinjosey the weak ciphers were deprecated from 9.13 and removed in subsequent releases and are detailed in the release notes https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html
08-24-2023 02:33 PM
Thank you, Rob; your assistance was really appreciated. But I have a few more questions. If ciphers are deprecated in a newer version and we are utilizing that cipher in our present setup, we must modify it before patching. How do I choose the appropriate security cipher to use for firewalls in order to replace the previous deprecated one? For example: Model: Cisco ASA 5525x
Current Version: 9.8(4)29
Recommended Version: 9.16(4)14
ssh key-exchange group dh-group1-sha1 will change to ssh key-exchange group group14-sha1 automatically by updating to version 9.16.
08-25-2023 12:12 AM
@edwinjosey in regard to VPN ciphers, you should be fine using AES (GCM or CBC), SHA (2 preferred), DH group 19, 20 or 21. You should change the VPN configuration before migration to avoid post upgrade issues.
Cisco Next Generation Encryption recommendations - https://sec.cloudapps.cisco.com/security/center/resources/next_generation_cryptography
08-31-2023 09:05 AM - edited 08-31-2023 09:09 AM
Dear Rob,
Thank you for your help. But in my scenario some of the deprecated ciphers are not mentioned in your link, so I am leaving you with the current details of my firewall.
Match Found: crypto map outside_map0 3 set pfs group5 at line 2258
Match With: group5
Match Found: crypto map outside_map0 3 set pfs group5 at line 2258
Match With: set pfs group5
Match Found: crypto ikev2 policy 2 at line 2316
Match With: crypto ikev2 policy
Match Found: group 5 at line 2319
Match With: group 5
Match Found: crypto ikev1 policy 10 at line 2324
Match With: crypto ikev1 policy
Match Found: group 2 at line 2328
Match With: group 2
Match Found: crypto ikev1 policy 20 at line 2330
Match With: crypto ikev1 policy
Match Found: group 2 at line 2334
Match With: group 2
Match Found: crypto ikev1 policy 40 at line 2336
Match With: crypto ikev1 policy
Match Found: group 2 at line 2340
Match With: group 2
Match Found: crypto ikev1 policy 50 at line 2342
Match With: crypto ikev1 policy
Match Found: group 2 at line 2346
Match With: group 2
Match Found: crypto ikev1 policy 70 at line 2348
Match With: crypto ikev1 policy
Match Found: group 2 at line 2352
Match With: group 2
Match Found: crypto ikev1 policy 80 at line 2354
Match With: crypto ikev1 policy
Match Found: group 2 at line 2358
Match With: group 2
Match Found: crypto ikev1 policy 100 at line 2360
Match With: crypto ikev1 policy
Match Found: encryption 3des at line 2362
Match With: encryption 3des
Match Found: group 2 at line 2364
Match With: group 2
Match Found: crypto ikev1 policy 110 at line 2366
Match With: crypto ikev1 policy
Match Found: encryption 3des at line 2368
Match With: encryption 3des
Match Found: group 2 at line 2370
Match With: group 2
Match Found: crypto ikev1 policy 130 at line 2372
Match With: crypto ikev1 policy
Match Found: encryption des at line 2374
Match With: encryption des
Match Found: group 2 at line 2376
Match With: group 2
Match Found: crypto ikev1 policy 140 at line 2378
Match With: crypto ikev1 policy
Match Found: encryption des at line 2380
Match With: encryption des
Match Found: group 2 at line 2382
Match With: group 2
Match Found: ssh key-exchange group dh-group1-sha1 at line 2399
Match With: ssh key-exchange group dh-group1-sha1
All the above mentioned ciphers are going to be deprecated when it is upgraded to the recommended version given below, and I have to find out either the best security cipher to use for the one being removed, or an alternative command to be used for the one being removed.
Model: Cisco ASAv10
Current Version: 9.8(4)29
Recommended Version: 9.16(3)19
08-31-2023 09:16 AM
@edwinjosey you can find the supported crypto ciphers for ASA 9.16 - https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/vpn/asa-916-vpn-config/vpn-ike.html#ID-2441-00000116
You can replace your DH group 2/5 with 14, 15, 16, 19, 20 or 21 and replace DES/3DES with AES (128 or 256) which is supported with 9.16.
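As an added example (not from this thread or from Cisco), the following script applies Rob's replacement advice from the two answers above to a running config before the upgrade: it walks the config, flags the same settings the poster's scan reported (`set pfs group5`, `group 2`/`group 5` inside IKEv1/IKEv2 policies, `encryption des`/`3des`, `ssh key-exchange group dh-group1-sha1`) and prints the replacement commands so they can be reviewed and pushed before migration. The sample config is constructed and is not the poster's real firewall; DH group 14 and `aes-256` are chosen here as conservative defaults out of the options Rob lists (19/20/21 are equally acceptable), and the `ssh key-exchange group dh-group14-sha1` replacement is this example's assumption. Any change to a tunnel's DH group or cipher must be mirrored on the remote peer, or the tunnel will fail to negotiate after the change rather than after the upgrade.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed ASA 9.8-style config fragment for demonstration only. It is not
# the poster's config; line numbers differ from the scan output in the thread.
SAMPLE_CONFIG = """\
crypto map outside_map0 3 set pfs group5
crypto map outside_map0 3 set peer 203.0.113.10
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
ssh key-exchange group dh-group1-sha1
"""

# Replacement mapping taken from the advice in this thread. Assumption: DH 14
# and AES-256 are used as defaults; groups 15/16/19/20/21 and AES-128 are
# equally valid choices per the same advice.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_CIPHERS = {"des", "3des"}
DH_REPLACEMENT = "14"
CIPHER_REPLACEMENT = "aes-256"
# Assumed replacement for the SSH key-exchange line (ASA command syntax).
SSH_KEX_OLD = "ssh key-exchange group dh-group1-sha1"
SSH_KEX_NEW = "ssh key-exchange group dh-group14-sha1"


@dataclass
class Finding:
    line_no: int      # 1-based line in the config text
    original: str     # the offending command as written
    replacement: str  # the command to use instead
    context: str      # enclosing policy, or the command itself if top-level


def audit_asa_config(config_text: str) -> List[Finding]:
    """Return every deprecated crypto setting with its suggested replacement."""
    findings: List[Finding] = []
    context = ""
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        stripped = raw.strip()
        if not raw.startswith(" "):
            context = ""  # a top-level command ends any IKE policy block
        # Remember which IKEv1/IKEv2 policy we are inside of.
        if re.match(r"crypto ikev[12] policy \d+$", stripped):
            context = stripped
            continue
        # Phase-2 PFS group on a crypto map entry (written as "group5").
        m = re.match(r"(crypto map \S+ \d+ set pfs group)(\d+)$", stripped)
        if m and m.group(2) in WEAK_DH_GROUPS:
            findings.append(Finding(line_no, stripped,
                                    f"{m.group(1)}{DH_REPLACEMENT}", stripped))
            continue
        # Phase-1 DH group inside an IKE policy (written as "group 2").
        m = re.match(r"group (\d+)$", stripped)
        if m and context and m.group(1) in WEAK_DH_GROUPS:
            findings.append(Finding(line_no, stripped,
                                    f"group {DH_REPLACEMENT}", context))
            continue
        # Phase-1 encryption inside an IKE policy.
        m = re.match(r"encryption (\S+)$", stripped)
        if m and context and m.group(1).lower() in WEAK_CIPHERS:
            findings.append(Finding(line_no, stripped,
                                    f"encryption {CIPHER_REPLACEMENT}", context))
            continue
        # Management-plane SSH key exchange.
        if stripped == SSH_KEX_OLD:
            findings.append(Finding(line_no, stripped, SSH_KEX_NEW, stripped))
    return findings


def render_remediation(findings: List[Finding]) -> str:
    """Group replacements under their policy so the text can be reviewed as config."""
    lines: List[str] = []
    last_context = None
    for f in findings:
        nested = f.context != f.original
        if nested and f.context != last_context:
            lines.append(f.context)
        lines.append((" " if nested else "") + f.replacement)
        last_context = f.context
    return "\n".join(lines)


if __name__ == "__main__":
    results = audit_asa_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.line_no:>3}: {f.original!r:40} -> {f.replacement!r}")
    print("\nSuggested configuration:\n" + render_remediation(results))
```

Run the script against `show running-config` output saved to a file (replace `SAMPLE_CONFIG` with the file contents); the first section lists each match the way the poster's scan did, and the second is the candidate replacement config to check against the release notes and against what the remote peer supports.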