IKE vulnerability patch/fix release and image upgrade path

johnlloyd_13
Level 11

Hi,

Due to this IKE vulnerability, I was asked to upgrade our ASAs:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Can someone concur with the upgrade path?

Also, there are no major changes in config (i.e. NAT/ACL)?

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116685-problemsolution-product-00.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-769104

Current version   Fixed release   Upgrade path
8.2(2)            8.2(5.59)
8.3(2)            8.4(7.30)       8.3.2 > 8.4.6 > 8.4.7
8.6(1)2           9.1(6.11)       8.6.1 > 9.0.2 > 9.1.6
9.1(2)            9.2(4)8
9.1(6)4           9.2(4)8
9.1(5)            9.2(4)8
8.3(2)34          8.4(7.30)       8.3.2 > 8.4.6 > 8.4.7
9.2(4)            9.2(4)8

11 Replies

You are late with this upgrade ...

What's your running version?

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Hi Karsten,

The first column is what the ASAs are currently running.

The second column is what I'm trying to upgrade to.

Ok, didn't realize that you are running all these versions ... From my experience:

Easy and straightforward:

      • 8.2.x -> 8.2(5.59)
      • 9.2.x -> 9.2(4)8
      • 9.1.x -> 9.2(4)8

Be aware of the arp permit-nonconnected and NAT changes (proxy-ARP and route-lookup):

      • 8.3.x -> 8.4(7.30)

An ASA that is capable of 8.6 is also capable of running 9.2, the release that you are targeting for most of your upgrades:

      • 8.6(1)2 -> 9.1(6.11)

But it's always good to read the release notes and compare them to your config!

If you are running SSL/TLS VPNs, I would go for a release >= 9.3 because of TLS 1.2, which was introduced there.

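As an added example (not code from the thread, and not Cisco tooling): a small Python checker that parses ASA version strings in the forms used above (9.2(4)8, 9.2(4.8), 8.2(5.59), 8.3.2, or a whole `show version` line containing one) and image filenames like asa924-8-smp-k8.bin, then reports whether a running version is at or past the fixed release for its train according to the table in the post and the paths in the accepted answer. The image-name scheme (one digit per version component, optional interim number after a dash) is assumed from the two filenames mentioned later in this thread and only holds for single-digit components; the sample `show version` lines are constructed.

```python
"""Check ASA software versions against the fixed releases listed in this
thread for cisco-sa-20160210-asa-ike.

Added example written for this page; not Cisco tooling. The fixed-release
and upgrade-path tables are taken from the post and the accepted answer.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# Fixed release per train, from the post's table. 8.3 and 8.6 have no fixed
# release of their own: they must move to 8.4 / 9.1 respectively.
FIXED_IN_TRAIN: Dict[Tuple[int, int], str] = {
    (8, 2): "8.2(5.59)",
    (8, 4): "8.4(7.30)",
    (9, 1): "9.1(6.11)",
    (9, 2): "9.2(4)8",
}

# Upgrade paths from the post's table and the accepted answer.
UPGRADE_PATH: Dict[Tuple[int, int], List[str]] = {
    (8, 2): ["8.2(5.59)"],
    (8, 3): ["8.4(6)", "8.4(7.30)"],   # 8.3.2 > 8.4.6 > 8.4.7(30)
    (8, 4): ["8.4(7.30)"],
    (8, 6): ["9.0(2)", "9.1(6.11)"],   # 8.6.1 > 9.0.2 > 9.1.6(11)
    (9, 1): ["9.2(4)8"],
    (9, 2): ["9.2(4)8"],
}

# Matches "9.2(4)8", "9.2(4.8)", "8.2(5.59)" and dotted "8.3.2" anywhere in
# a string, so a full "show version" line can be passed in unchanged.
VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\((?P<maint>\d+)(?:\.(?P<int_in>\d+))?\)(?P<int_out>\d+)?"
    r"|\.(?P<maint_dot>\d+)(?:\.(?P<int_dot>\d+))?)?"
)

# Assumed image-name scheme: asa<major><minor><maint>[-<interim>]-...bin
# (one digit per component; derived from asa924-8-smp-k8.bin in this thread).
IMAGE_RE = re.compile(r"asa(\d)(\d)(\d)(?:-(\d+))?-")


def parse_version(text: str) -> Version:
    """Return (major, minor, maint, interim); missing parts default to 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    g = m.groupdict()
    maint = g["maint"] or g["maint_dot"] or "0"
    interim = g["int_in"] or g["int_out"] or g["int_dot"] or "0"
    return (int(g["major"]), int(g["minor"]), int(maint), int(interim))


def parse_image_name(filename: str) -> Version:
    """Map an image filename to the version it carries (assumed scheme)."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised ASA image name {filename!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_fixed(running: str) -> Optional[bool]:
    """True/False for trains the thread covers, None for any other train."""
    v = parse_version(running)
    train = v[:2]
    if train in FIXED_IN_TRAIN:
        return v >= parse_version(FIXED_IN_TRAIN[train])
    if train in UPGRADE_PATH:
        return False  # 8.3 / 8.6: nothing in-train is fixed
    return None


def upgrade_path(running: str) -> Optional[List[str]]:
    """Hops to reach a fixed release: [] if already fixed, None if unknown."""
    fixed = is_fixed(running)
    if fixed is None:
        return None
    if fixed:
        return []
    return list(UPGRADE_PATH[parse_version(running)[:2]])


if __name__ == "__main__":
    # Constructed "show version" lines, one per ASA in the post's table.
    samples = [
        "Cisco Adaptive Security Appliance Software Version 8.2(2)",
        "Cisco Adaptive Security Appliance Software Version 8.3(2)34",
        "Cisco Adaptive Security Appliance Software Version 8.6(1)2",
        "Cisco Adaptive Security Appliance Software Version 9.1(6)4",
        "Cisco Adaptive Security Appliance Software Version 9.2(4)8",
    ]
    for line in samples:
        v = parse_version(line)
        print(f"{v}: fixed={is_fixed(line)} path={upgrade_path(line)}")
    print("asa924-8-smp-k8.bin ->", parse_image_name("asa924-8-smp-k8.bin"))
```

The comparison is a plain tuple comparison, which is why both spellings of an interim (9.2(4)8 and 9.2(4.8)) normalise to the same tuple; a version from an image filename can be compared the same way, so you can confirm that the file you downloaded actually carries the interim the advisory table calls for before you point `boot system` at it.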

Hi Karsten,

On 8.3.x -> 8.4(7.30), where are the said commands changed? Is it in 8.4.6 or in 8.4.7?

As shown in the linked command reference, it's already in 8.4(6).


Karsten,

Thank you, sir!

Hi Karsten,

Just another quick one: for the 9.2.4 release, do you go for asa924-8-smp-k8.bin or asa924-5-smp-k8.bin?

I always go for the latest interim releases, but there are different opinions on that ...


Thanks! I already downloaded the latest interim, 9.2.4(8).

Hi Karsten,

I'm currently raising a change window for this upgrade path: 8.3.2 > 8.4.6 > 8.4.7

If there's a problem with it, can I roll back directly from 8.4.7 down to 8.3.2?

Or do I need to follow the path 8.4.7 > 8.4.6 > 8.3.2?

I never had exactly this downgrade, but in similar situations it was just a matter of loading the old image with the old config (which you place as a backup in flash before the upgrade).
