08-05-2009 12:42 PM - edited 03-11-2019 09:03 AM
Hi everyone. I need to downgrade the IOS from 8.0.4 to 7.2.4 on a 5510 due to VPN issues with a non cisco device. no problem, the downgrade went fine. Upon reboot, it read the config and said that a couple hundred lines were invalid (see below). Is there a proper procedure for doing this or some kind of conversion tool?
Thanks
Bob
*** Output from config line 4, "ASA Version 8.0(4) "
...
dynamic-access-policy-record DfltAccessPolicy
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 154, "dynamic-access-policy-re..."
..
vpn-addr-assign local reuse-delay 5
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 236, "vpn-addr-assign local re..."
threat-detection basic-threat
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 249, "threat-detection basic-t..."
threat-detection statistics port
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 250, "threat-detection statist..."
08-05-2009 12:46 PM
hi,
these config. errors are ok.
the command format is a lot different in between these codes.
these are startup config. errors and in no wat affect the actual working of f/w.
there is no conversion tool which could convert asa's configuration in between the codes.
there is one to convert checkpoint's config. to asa's though.
hTh
Sushil
TAC
08-05-2009 12:47 PM
Hi Sushil. thanks for the reply. There are pages and pages of them, including tunnel group errors etc. You mean that it will still work?!?!
08-05-2009 12:50 PM
Yes,I never saw someone loose vpn or internet by downgrade.If there are pages of these invalid commands,you must have lot of vpn commands in there.
08-05-2009 12:47 PM
those errors involved features that are present in 8.x but not 7.2 and earlier. Unless you were using those features, I wouldn't worry about it. If you saved the new config to memory, the next time the firewall reboots you wont get these errors.
08-05-2009 01:10 PM
On reboot Im still getting the errors. Some of them look pretty critical to the tunnels:
tunnel-group Healthpac general-attributes
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 332, "tunnel-group Healthpac g..."
address-pool Healthpac
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 333, " address-pool Healthpac"
default-group-policy Healthpac
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 334, " default-group-policy He..."
tunnel-group Healthpac ipsec-attributes
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 335, "tunnel-group Healthpac i..."
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: