Unable to upgrade FirePower 2110 to version 6.7

paragonbank (Level 1)

I have a number of FTDs within our infrastructure currently at version 6.6.1.

I've upgraded our FMC to 6.7 without any issues. After upgrading to version 6.6.1 we were warned that when upgrading to v6.7 a number of hash and encryption algorithms and DH groups were being removed, and to reconfigure our VPNs, which I have done.

When trying to upgrade via the FMC, when I select the package to install it comes back with the following error:

Deprecated Ciphers are used. Please reconfigure your vpn. The complete list of removed ciphers can be found here

which then links you to the following page:

https://firepower.paragon-internal.co.uk/help_files/index.html#!c_deprecated_removed_ciphers.html

I have checked all VPNs via the FMC and the running config and can't see any of the deprecated ciphers in use.

Many thanks in advance

Richard

4 Replies

Marvin Rhoads (Hall of Fame)

I have seen it give issues specifically with DH (Diffie-Hellman) groups. Once I fixed those, the error went away. I thought mine gave the warning citing the specific VPN that was problematic.

Hi Marvin,

Yes, I've resolved all of the DH groups that were using insecure algorithms. I was notified of these after upgrading to version 6.6.1 every time I went to deploy a policy.

After resolving all of the DH groups (on about 8 VPNs in total) I no longer have any warning messages when I go to deploy a policy to any of our FTDs from the FMC.

I only get this new alert when I actually go to do the upgrade to 6.7, and only on one of our FTDs (which to be fair is where most of our S-2-S VPNs terminate).

As mentioned above, I can't see any of the deprecated ciphers in the FMC or CLI running config.

Regards

Rich

Odd. I have done a couple of upgrades to FTD 6.7 and not encountered this error.

The only other thing I can think to check before opening a TAC case is to look at the config using "show running-config all" to look for any hidden commands that may be triggering the error. Those don't (in my experience) include crypto algorithms but it doesn't hurt to check.

The issue is that when migrating from an IKEv1 to an IKEv2 site-to-site IPsec VPN, the old tunnel is still present in the FMC/FTD, so the FMC still detects the legacy ciphers. Confirm your IKEv2 phase 1 and phase 2 are up. Delete the old IKEv1 tunnel (which consists of the deprecated ciphers that originally halted the FTD upgrade process due to the Device Readiness Check failure) from the FMC and deploy to the FTDs. Re-run the Device Readiness Check and the compatibility check will then pass. From there, you can push the installation of the FMC/FTD 6.x/7.x software to your FTDs.
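Marvin's "show running-config all" suggestion and the last reply's point about a stale IKEv1 tunnel come down to the same check: which objects in the device config still carry a removed algorithm, and which crypto map entry (which site-to-site peer) references them. The script below is an added example for this thread, not code from the forum or from Cisco. It parses a constructed config sample in that shape and reports IKE policies (which are global rather than per tunnel), IKEv1 transform sets, IKEv2 proposals and explicit PFS groups, and flags a bare `set pfs` for a manual check of the platform default. The REMOVED_* sets are assumptions for illustration, not the list from the FMC help page; replace them with that list before trusting the output.

```python
"""Scan FTD/ASA 'show running-config all' output for IKE/IPsec algorithms a
6.7 readiness check would reject and tie each hit to the crypto map entry
(site-to-site tunnel) that uses it. Added example, not code from the forum
or from Cisco; REMOVED_* are assumed values, not the official list."""
import re
from collections import defaultdict

REMOVED_ENCRYPTION = {"des"}               # assumption, illustrative only
REMOVED_HASH = {"md5"}                     # assumption, illustrative only
REMOVED_DH_GROUPS = {"1", "2", "5", "24"}  # assumption, illustrative only

# Constructed sample: one stale IKEv1 tunnel (entry 1), one IKEv2 tunnel (entry 2).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 encryption des
 hash md5
 group 2
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer 198.51.100.20
crypto map outside_map 2 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
"""

def _blocks(config):
    """Yield (header tokens, [child token lists]) for each top-level command."""
    head, kids = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and head is not None:
            kids.append(raw.split())
        else:
            if head is not None:
                yield head, kids
            head, kids = raw.split(), []
    if head is not None:
        yield head, kids

def _weak(tokens):
    """Removed algorithm names in tokens, plain ('des') or ESP keywords ('esp-md5-hmac')."""
    hits = set()
    for tok in tokens:
        m = re.fullmatch(r"(?:esp-)?([a-z0-9]+)(?:-hmac)?", tok.lower())
        if m and m.group(1) in REMOVED_ENCRYPTION | REMOVED_HASH:
            hits.add(m.group(1))
    return hits

def find_deprecated(config):
    """Return {object: {"algorithms": set, "used_by": set}} for every offender."""
    found = defaultdict(lambda: {"algorithms": set(), "used_by": set()})
    refs, peers = defaultdict(set), {}  # object -> map entries; map entry -> peer
    for head, kids in _blocks(config):
        if head[:3] in (["crypto", "ikev1", "policy"], ["crypto", "ikev2", "policy"]):
            weak = set().union(*(_weak(c[1:]) for c in kids if c[0] in ("encryption", "hash", "integrity", "prf")))
            weak |= {f"dh-group-{c[1]}" for c in kids if c[0] == "group" and c[1] in REMOVED_DH_GROUPS}
            if weak:  # IKE policies are global, so any peer on that IKE version can select them
                found[" ".join(head)]["algorithms"] |= weak
                found[" ".join(head)]["used_by"].add(f"global ({head[1]} peers)")
        elif head[:4] == ["crypto", "ipsec", "ikev1", "transform-set"] and _weak(head[5:]):
            found[f"ikev1 transform-set {head[4]}"]["algorithms"] |= _weak(head[5:])
        elif head[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            weak = set().union(*(_weak(c[3:]) for c in kids if c[:2] == ["protocol", "esp"]))
            if weak:
                found[f"ikev2 ipsec-proposal {head[4]}"]["algorithms"] |= weak
        elif head[:2] == ["crypto", "map"] and len(head) > 5 and head[4] == "set":
            entry = f"crypto map {head[2]} {head[3]}"
            if head[5] == "peer" and len(head) > 6:
                peers[entry] = head[6]
            elif head[5] == "pfs":  # bare 'set pfs' means the platform default group: check it by hand
                grp = head[6][len("group"):] if len(head) > 6 else "default"
                if grp in REMOVED_DH_GROUPS or grp == "default":
                    found[entry]["algorithms"].add(f"pfs dh-group-{grp}")
                    found[entry]["used_by"].add(entry)
            elif head[5:7] in (["ikev1", "transform-set"], ["ikev2", "ipsec-proposal"]):
                for obj in head[7:]:
                    refs[f"{head[5]} {head[6]} {obj}"].add(entry)
    for obj, entries in refs.items():
        if obj in found:
            found[obj]["used_by"] |= entries
    label = lambda e: f"{e} (peer {peers[e]})" if e in peers else e
    return {o: {"algorithms": f["algorithms"], "used_by": {label(e) for e in f["used_by"]}}
            for o, f in found.items()}

if __name__ == "__main__":
    for obj, f in sorted(find_deprecated(SAMPLE_CONFIG).items()):
        print(obj, "->", sorted(f["algorithms"]), "used by", sorted(f["used_by"]))
```

To run it against a real device, replace SAMPLE_CONFIG with the text of `show running-config all`. On the sample it flags the IKEv1 policy, the DES/MD5 transform set and the group2 PFS setting, all pointing at crypto map entry 1 and its peer, which is the object you would delete from FMC and redeploy. It only sees what is in the device's running config, so compare its output with the site-to-site topologies still defined in FMC.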
