Downgrading IOS on ASA?

mx
Level 1

Hi everyone. I need to downgrade the IOS from 8.0.4 to 7.2.4 on a 5510 due to VPN issues with a non-Cisco device. No problem, the downgrade went fine. Upon reboot, it read the config and said that a couple hundred lines were invalid (see below). Is there a proper procedure for doing this or some kind of conversion tool?

Thanks

Bob

*** Output from config line 4, "ASA Version 8.0(4) "

...

dynamic-access-policy-record DfltAccessPolicy

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 154, "dynamic-access-policy-re..."

..

vpn-addr-assign local reuse-delay 5

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 236, "vpn-addr-assign local re..."

threat-detection basic-threat

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 249, "threat-detection basic-t..."

threat-detection statistics port

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 250, "threat-detection statist..."


suschoud
Cisco Employee

Hi,

These config. errors are ok.

The command format is a lot different in between these codes.

These are startup config. errors and in no way affect the actual working of f/w.

There is no conversion tool which could convert ASA's configuration in between the codes.

There is one to convert Checkpoint's config. to ASA's though.

HTH

Sushil

TAC

Hi Sushil. Thanks for the reply. There are pages and pages of them, including tunnel group errors etc. You mean that it will still work?!?!

suschoud
Cisco Employee

Yes, I never saw someone lose VPN or internet by downgrade. If there are pages of these invalid commands, you must have a lot of VPN commands in there.

srue
Level 7

Those errors involved features that are present in 8.x but not 7.2 and earlier. Unless you were using those features, I wouldn't worry about it. If you saved the new config to memory, the next time the firewall reboots you won't get these errors.

On reboot I'm still getting the errors. Some of them look pretty critical to the tunnels:

tunnel-group Healthpac general-attributes

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 332, "tunnel-group Healthpac g..."

address-pool Healthpac

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 333, " address-pool Healthpac"

default-group-policy Healthpac

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 334, " default-group-policy He..."

tunnel-group Healthpac ipsec-attributes

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 335, "tunnel-group Healthpac i..."
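When the boot output runs to pages, it helps to reduce it to the list of rejected commands, grouped under the stanza they belong to, so the dropped VPN and threat-detection settings can be reviewed one by one. The following is an added example, not code from the thread or from Cisco; it assumes the output format shown in the posts above (echoed command, caret, ERROR line, then a "*** Output from config line N" trailer whose quoted text keeps the leading space of sub-mode commands), and the function names are hypothetical.

```python
import re

TRAILER = re.compile(r'^\*\*\* Output from config line (\d+), "(.*)"$')
ERROR = "ERROR: % Invalid input detected"
# Constructed sample, abridged from the boot output quoted in the thread.
SAMPLE = '''\
*** Output from config line 4, "ASA Version 8.0(4) "
threat-detection basic-threat
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 249, "threat-detection basic-t..."
tunnel-group Healthpac general-attributes
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 332, "tunnel-group Healthpac g..."
address-pool Healthpac
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 333, " address-pool Healthpac"
'''

def rejected_commands(boot_log):
    """Return (config_line, full_command, is_sub_command) per rejected line."""
    out, echoed, failed = [], None, None
    for raw in boot_log.splitlines():
        line = raw.strip()
        if not line or line == "^" or set(line) == {"."}:
            continue  # blank line, caret marker, or "..." elision
        m = TRAILER.match(line)
        if m:
            if failed is not None:  # trailer closes a block that had an ERROR
                out.append((int(m.group(1)), failed, m.group(2)[:1].isspace()))
            echoed = failed = None
        elif line.startswith(ERROR):
            failed = echoed  # the command echoed just before the error
        else:
            echoed = line
    return out

def group_by_stanza(rejected):
    """Attach rejected sub-commands to the rejected parent directly above them."""
    stanzas, parent, last = {}, None, None
    for lineno, cmd, is_sub in rejected:
        if is_sub and parent is not None and lineno == last + 1:
            stanzas[parent].append(cmd)
        else:
            parent = cmd
            stanzas[cmd] = []
        last = lineno
    return stanzas
```
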
