IKE vulnerability patch/fix release and image upgrade path

johnlloyd_13 (Level 9)

Hi,

Due to this IKE vulnerability, I was asked to upgrade our ASAs:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Can someone confirm the upgrade path?

Also, are there no major changes in config (i.e. NAT/ACL)?

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116685-problemsolution-product-00.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-769104

Current Version   Fixed Release   Upgrade path
8.2(2)            8.2(5.59)
8.3(2)            8.4(7.30)       8.3.2 > 8.4.6 > 8.4.7
8.6(1)2           9.1(6.11)       8.6.1 > 9.0.2 > 9.1.6
9.1(2)            9.2(4)8
9.1(6)4           9.2(4)8
9.1(5)            9.2(4)8
8.3(2)34          8.4(7.30)       8.3.2 > 8.4.6 > 8.4.7
9.2(4)            9.2(4)8

You are late with this upgrade ...

What's your running version?

Hi Karsten,

The first column is what the ASAs are currently running.

The second column is what I'm trying to upgrade to.

Ok, didn't realize that you are running all these versions ... From my experience:

Easy and straightforward:

      • 8.2x -> 8.2(5.59)
      • 9.2x -> 9.2(4)8
      • 9.1x -> 9.2(4)8

Be aware of the arp permit-nonconnected and NAT changes (proxy-arp and route-lookup):

      • 8.3x -> 8.4(7.30)

An ASA that is capable of 8.6 is also capable of running 9.2, the release that you approach for most of your upgrades:

      • 8.6(1)2 -> 9.1(6.11)

But it's always good to read the release notes and compare that to your config!

If you are running SSL/TLS-VPNs, I would go for a release >= 9.3 because of TLS 1.2 that was introduced there.
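Added example, not part of the thread: a small inventory check that normalises the ASA version notations used above ("9.2(4)8", "8.4(7.30)", "8.3.2") into one comparable form and reports which devices are still below the fixed release for their train. The fixed-release and cross-train mappings are transcribed from the table in the original post; trains the table does not cover are reported as unknown rather than guessed, and the hostnames are constructed.

```python
import re

# Fixed releases per train, transcribed from the "Fixed Release" column of the
# table in the original post (a constructed lookup for this example; trains not
# listed here are reported as unknown rather than guessed).
FIXED_IN_TRAIN = {
    "8.2": "8.2(5.59)",
    "8.4": "8.4(7.30)",
    "9.1": "9.1(6.11)",
    "9.2": "9.2(4)8",
}

# Trains with no fixed release of their own must move to a newer train, as in
# the thread's table (8.3 -> 8.4(7.30), 8.6 -> 9.1(6.11)).
CROSS_TRAIN_TARGET = {"8.3": "8.4(7.30)", "8.6": "9.1(6.11)"}


def parse_version(text):
    """Normalise the notations used in the thread to one comparable tuple.

    "9.2(4)8", "9.2(4.8)" and "9.2.4(8)" all become (9, 2, 4, 8); the interim
    number is a fourth component, so "8.4(7.30)" sorts after "8.4.7".
    """
    parts = [int(n) for n in re.findall(r"\d+", text)]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(running):
    """Return (status, target) with status "patched", "upgrade" or "unknown"."""
    v = parse_version(running)
    train = f"{v[0]}.{v[1]}"
    fixed = FIXED_IN_TRAIN.get(train)
    if fixed is not None:
        return ("patched" if v >= parse_version(fixed) else "upgrade"), fixed
    target = CROSS_TRAIN_TARGET.get(train)
    return ("unknown", "") if target is None else ("upgrade", target)


def audit(inventory):
    """Run assess() over (hostname, running version) pairs."""
    return [(host, ver, *assess(ver)) for host, ver in inventory]


# Constructed inventory for demonstration, not real devices.
SAMPLE = [("fw-edge-1", "8.3(2)34"), ("fw-dc-1", "9.2(4)8"),
          ("fw-vpn-1", "9.1(6.11)"), ("fw-hop-1", "8.4.7"),
          ("fw-old-1", "9.0(2)")]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:<10} {:<10} {:<8} {}".format(*row))
```

Note that an intermediate hop such as 8.4.7 still reports "upgrade", because the fixed release is the 8.4(7.30) interim, not the 8.4(7) base image.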

Hi Karsten,

On 8.3x -> 8.4(7.30), where are the said commands changed? Is it in 8.4.6 or in 8.4.7?

As shown in the linked command reference, it's already in 8.4(6).

Karsten,

Thank you, sir!

Hi Karsten,

Just another quick one: for the 9.2.4 release, do you go for asa924-8-smp-k8.bin or asa924-5-smp-k8.bin?

I always go for the latest interim releases, but there are different opinions on that ...

Thanks! I already downloaded the latest interim, 9.2.4(8).

Hi Karsten,

I'm currently raising a change window for this upgrade path: 8.3.2 > 8.4.6 > 8.4.7

If there's a problem with it, can I roll back directly from 8.4.7 down to 8.3.2?

Or do I need to follow the path 8.4.7 > 8.4.6 > 8.3.2?

I never had exactly this downgrade, but in similar situations it was just to load the old image with the old config (that you place as backup in flash before the upgrade).
