Problem updating ASA 9.2 to 9.8

Ariel0092
Level 1

Hi everyone, this is my first post in the forum. Let me tell you my problem: we are installing SFR modules (version 6.2.2) in an HA environment where we have configured some RA VPN IKEv1, site-to-site VPN and EZVPN. We have a problem upgrading the firmware from 9.2.2 to 9.8.2: after the upgrade, the RA VPN doesn't come up, and we see in the CLI some messages like "WARNING: crypto map will be incomplete". We checked the ASA upgrade document and it doesn't say anything about going through interim versions. After the upgrade we had to downgrade back to 9.2.2, and then all the VPNs came up. It seems to me that the problem is something related to changes in the CLI commands. Is there anyone who has had a similar problem with these versions?

Below is the link that we use to check the upgrade path.

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade.pdf

Thanks, and sorry for the English :P !!

Best regards.

9 Replies

I have seen this problem several times when upgrading to new minor releases, and once when upgrading to a maintenance release within the same minor release.

The issue I had was that after upgrade everything related to AnyConnect profiles was removed from the configuration.  The actual .xml profiles were still in flash, so I needed to re-add almost all configuration that references these profiles.  This included the following:

  • Re-add the profiles to the AnyConnect Client Profiles page in ASDM (when creating them again, just reference the existing .xml file)
  • Re-reference them in the required group-policies
  • Re-configure all certificate to AnyConnect profile maps

Once I got this sorted AnyConnect started working again.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, thanks for the feedback. So basically you have to reconfigure almost all the AnyConnect VPNs? What happens if I reload the running config again? Well, anyway, I am going to do some labs with the actual configuration to see what happens, or whether I have to use another stable version. I will share what I find if I can resolve the issue :S .

Thanks and best regards.

No not the AnyConnect connection profiles.  There is a difference.  In my situation it was the AnyConnect Client Profiles that are pushed out to the users upon login (if you have them configured that is).  

--
Please remember to select a correct answer and rate helpful posts

Ohh ok, I see now. Well, I will keep that in mind with the other ASAs that have AnyConnect client profiles configured, because that is going to be another problem when we have to upgrade those firewalls.

Thanks.

Well, after doing some tests the only thing I can say is that I'm stuck. I replicated the behavior in the lab and made a config from scratch, but instead of configuring the VPN to be RA IKEv1 I did it in the IPsec-to-IPsec panel with the DefaultL2LGroup, and that works. So my question is: how can I migrate the RA VPN that I have in the DefaultRAGroup to the DefaultL2LGroup and not break anything in the middle?

The short answer is, you cannot migrate the RA VPN to the DefaultL2LGroup.  You can however create a new group-policy and assign it to the AnyConnect VPN connection profile.  Also, keep in mind that although site-to-site VPN and RA VPN look similar configuration-wise, they are actually quite different.  So what seems to work for site-to-site might not necessarily work for RA VPN.

Could you post a full running configuration of your ASA (remove any public IPs, usernames and passwords)?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, thanks for the reply. I will evaluate the changes that I have to make, because this is in production. Maybe I will try with another version lower than 9.8 to see if there is any change in the functioning of the VPN.

About sharing the running config, I'm not so sure. I know that it is the only way for you to see what the problem is, but for security reasons I will be cautious. I appreciate your time and effort in helping with this problem.

Thanks and best regards.

Regardless of whether you are running 9.2 or 9.8, you will not be able to use the DefaultL2LGroup for RA.  To me it seems that during the upgrade configuration is removed.  Have you tried taking a backup of all VPN configuration and then reapplying it after the upgrade?

--
Please remember to select a correct answer and rate helpful posts
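Before reapplying a backup after an upgrade, it helps to know exactly which VPN-related lines the upgrade dropped, rather than re-pasting everything blind. The following is an added example, not code from the thread or from Cisco: a small Python script that parses two copies of `show running-config` (one taken before the upgrade, one after) into top-level commands with their indented sub-commands, and reports the crypto map, IKEv1/IKEv2, tunnel-group and group-policy blocks that are missing or have lost lines. The two sample configs embedded below are constructed for illustration; the object names (`outside_map`, `GroupPolicy_RA`, `RA_POOL`) are made up and the pre-shared key is shown masked as the ASA prints it.

```python
"""Compare ASA running-configs taken before and after an upgrade and list
VPN-relevant blocks that were dropped or lost sub-commands.

Added example; not from the forum thread or from Cisco.  The sample configs
below are constructed for illustration, not output from a real device."""
from typing import Dict, List, Tuple

# Top-level commands whose loss after an upgrade breaks RA or site-to-site VPN.
VPN_PREFIXES = (
    "crypto map", "crypto dynamic-map", "crypto ipsec", "crypto ikev1",
    "crypto ikev2", "crypto isakmp", "tunnel-group", "group-policy", "webvpn",
)

# Constructed "before upgrade" config (hypothetical names, masked key).
CONFIG_BEFORE = """\
: Saved
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
group-policy GroupPolicy_RA internal
group-policy GroupPolicy_RA attributes
 vpn-tunnel-protocol ikev1
 default-domain value example.test
tunnel-group DefaultRAGroup general-attributes
 address-pool RA_POOL
 default-group-policy GroupPolicy_RA
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed "after upgrade" config: the dynamic-map transform-set line is
# gone (which is what "crypto map will be incomplete" points at) and the
# group-policy lost its vpn-tunnel-protocol line.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-SHA\n", ""
).replace(" vpn-tunnel-protocol ikev1\n", "")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an ASA config into {top-level command: [sub-commands]}.
    The ASA indents sub-mode commands with a single leading space; lines
    starting with ':' or '!' are headers/separators and are skipped."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw[0] in ":!":
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.rstrip()
            blocks.setdefault(current, [])
    return blocks


def is_vpn_block(command: str) -> bool:
    return command.startswith(VPN_PREFIXES)


def diff_vpn_config(before: str, after: str) -> Dict[str, list]:
    """Return VPN blocks present before the upgrade that are missing afterwards
    ('missing') or still present but with sub-commands dropped ('changed')."""
    old, new = parse_blocks(before), parse_blocks(after)
    report: Dict[str, list] = {"missing": [], "changed": []}
    for command, subs in old.items():
        if not is_vpn_block(command):
            continue
        if command not in new:
            report["missing"].append(command)
            continue
        lost = [s for s in subs if s not in new[command]]
        if lost:
            report["changed"].append((command, lost))
    return report


def format_report(report: Dict[str, list]) -> str:
    """Render the diff as the lines an operator would paste back, in order."""
    lines: List[str] = []
    for command in report["missing"]:
        lines.append(command)
    for command, lost in report["changed"]:
        lines.append(command)
        lines.extend(" " + s for s in lost)
    return "\n".join(lines)


if __name__ == "__main__":
    # Stand-alone usage on the constructed samples; for real use, read the
    # two saved running-configs from files instead.
    print(format_report(diff_vpn_config(CONFIG_BEFORE, CONFIG_AFTER)))
```

The output is already in config order (top-level command, then its missing sub-commands indented by one space), so it can be reviewed and pasted back in configuration mode after the upgrade. Masked values such as the `*****` pre-shared key still have to be re-entered by hand from a secure store, since `show running-config` never reveals them.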

Hi Marius, I tried that, but unfortunately it didn't work. Well, anyway, I will keep trying with other versions, or maybe creating a new group policy like you say.

Thank you very much for your time and patience.
