02-23-2021 10:30 AM
I have a number of FTDs within our infrastructure, currently at version 6.6.1.
I've upgraded our FMC to 6.7 without any issues. After upgrading to version 6.6.1 we were warned that when upgrading to v6.7 a number of hash and encryption algorithms and DH groups were being removed, and to reconfigure our VPNs, which I have done.
When trying to upgrade via the FMC, when I select the package to install it comes back with the following error:
Deprecated Ciphers are used. Please reconfigure your vpn. The complete list of removed ciphers can be found here
Which then links you to the following page:
https://firepower.paragon-internal.co.uk/help_files/index.html#!c_deprecated_removed_ciphers.html
I have checked all VPNs via the FMC and the running config and can't see any of the deprecated ciphers in use.
Many thanks in advance
Richard
02-23-2021 06:35 PM
I have seen it give issues specifically with DH (Diffie-Hellman) groups. Once I fixed those, the error went away. I thought mine gave the warning citing the specific VPN that was problematic.
02-24-2021 12:21 AM
Hi Marvin,
Yes, I've resolved all of the DH groups that were using insecure algorithms. I was notified of these after upgrading to version 6.6.1 every time I went to deploy a policy.
After resolving all of the DH groups (on about 8 VPNs in total) I no longer have any warning messages when I go to deploy a policy to any of our FTDs from the FMC.
I only get this new alert when I actually go to do the upgrade to 6.7, and only on one of our FTDs (which, to be fair, is where most of our S-2-S VPNs terminate).
As mentioned above, I can't see any of the deprecated ciphers in the FMC or CLI running config.
Regards
Rich
02-24-2021 04:05 AM
Odd. I have done a couple of upgrades to FTD 6.7 and not encountered this error.
The only other thing I can think to check before opening a TAC case is to look at the config using "show running-config all" to look for any hidden commands that may be triggering the error. Those don't (in my experience) include crypto algorithms but it doesn't hurt to check.
11-20-2022 07:15 AM
The issue is that when migrating from IKEv1 to IKEv2 Site-to-Site IPsec VPN, the old tunnel is still present in the FMC/FTD, whereby the FMC is still detecting the legacy ciphers. Confirm your IKEv2 phase I and phase II are up. Delete the old IKEv1 tunnel (which consists of the deprecated ciphers that originally halted the FTD upgrade process due to the Device Readiness Check failure) from the FMC and deploy to the FTDs. Re-run the Device Readiness Check and the compatibility check will then pass. From there, you can push the installation of the FMC/FTD 6.x/7.x software to your FTDs.
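The two suggestions above (check `show running-config all` for anything still referencing removed algorithms, and look for a leftover IKEv1 tunnel sitting beside its IKEv2 replacement) can be turned into a quick offline scan of the running config. The script below is an added example, not code from this thread or from Cisco. The `DEPRECATED` table is a placeholder and must be filled from the release notes of the target version; the sample config is constructed for illustration and mirrors the situation described in the last post, an IKEv1 policy, transform set, PFS group and tunnel-group attributes left behind next to a working IKEv2 configuration.

```python
"""Scan ASA/FTD-style running-config text for crypto settings that a
pre-upgrade readiness check may still flag.  Added example, not Cisco code."""
import re
from dataclasses import dataclass

# ASSUMPTION: which algorithms a given release removes must come from the
# release notes for the target version.  This placeholder set is for
# illustration only and is not an authoritative list for FTD 6.7.
DEPRECATED = {
    "group": {"1", "2", "5", "24"},   # DH groups: "group N" and "set pfs groupN"
    "encryption": {"des", "3des"},
    "hash": {"md5"},                  # IKEv1 policy keyword
    "integrity": {"md5"},             # IKEv2 policy / ipsec-proposal keyword
}


@dataclass(frozen=True)
class Finding:
    section: str   # top-level config line that owns the offending setting
    line: str      # the offending line itself
    reason: str


def parse_blocks(config):
    """Split config text into (header, [indented child lines]) pairs."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if header is not None:
                body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def scan_config(config, deprecated=DEPRECATED):
    """Return every crypto setting that matches the deprecated table, plus
    any IKEv1 leftovers (transform-set bindings, tunnel-group attributes)."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith(("crypto ikev1 policy", "crypto ikev2 policy")):
            # child lines look like "encryption 3des", "hash md5", "group 2"
            for line in body:
                key, *values = line.split()
                bad = [v for v in values if v.lower() in deprecated.get(key, ())]
                if bad:
                    findings.append(Finding(header, line, f"{key} {' '.join(bad)} is deprecated"))
        elif header.startswith("crypto ipsec ikev1 transform-set"):
            # single line: "... transform-set NAME esp-3des esp-md5-hmac"
            for tok in header.split()[5:]:
                algo = re.sub(r"^esp-|-hmac$", "", tok.lower())
                if algo in deprecated["encryption"] | deprecated["hash"]:
                    findings.append(Finding(header, header, f"{tok} is deprecated"))
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal"):
            for line in body:
                m = re.match(r"protocol esp (encryption|integrity) (.+)", line)
                if m:
                    key, values = m.group(1), m.group(2).split()
                    bad = [v for v in values if v.lower() in deprecated[key]]
                    if bad:
                        findings.append(Finding(header, line, f"{key} {' '.join(bad)} is deprecated"))
        elif header.startswith("crypto map"):
            m = re.search(r"\bset pfs group(\d+)\b", header)
            if m and m.group(1) in deprecated["group"]:
                findings.append(Finding(header, header, f"PFS group {m.group(1)} is deprecated"))
            if " set ikev1 transform-set " in header:
                findings.append(Finding(header, header, "crypto map still binds an IKEv1 transform-set"))
        elif header.startswith("tunnel-group") and header.endswith("ipsec-attributes"):
            for line in body:
                if line.startswith("ikev1 "):
                    findings.append(Finding(header, line, "tunnel-group still carries IKEv1 attributes"))
    return findings


# Constructed sample: a migrated IKEv2 tunnel with its IKEv1 predecessor left behind.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev1 transform-set LEGACY_TS esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256_SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 1 match address acl_s2s_partner
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 198.51.100.7
crypto map outside_map 1 set ikev1 transform-set LEGACY_TS
crypto map outside_map 1 set ikev2 ipsec-proposal AES256_SHA
crypto map outside_map interface outside
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"[{f.section}] {f.line!r}: {f.reason}")
```

Feed it the output of `show running-config all` saved from the FTD CLI (or the FMC's exported configuration); anything reported under a `crypto ikev1` or `tunnel-group ... ipsec-attributes` section is the stale IKEv1 object to remove in the FMC before re-running the readiness check.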