
Updating Multiple 5516/5508 ASA from version 9.1 to 9.16

bfrytm
Level 1

I am new and not familiar with Cisco ASA products and we currently have 4 of the above ASAs that are running version 9.10 site to site.

How best to upgrade these and not break the site to site connection since we have to make changes to the Low Security Ciphers and Removal of bypass certificate validity checks option? Any other considerations or concerns to worry about?

3 Replies

@bfrytm In regard to the Site-to-Site VPNs, review the current configurations and determine what encryption, hashing/integrity and DH groups are in use and determine whether they have been deprecated; check the release notes below.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html

No support for DH groups 2, 5, and 24 in 9.16(1)—Support has been removed for the DH groups 2, 5, and 24 in SSL DH group configuration. The ssl dh-group command has been updated to remove the command options group2, group5, and group24.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html for a list of other deprecated low-security ciphers.


Best check all the release notes of the versions between 9.10 and 9.16 and see what other features have been deprecated; I know that clientless VPN has now been deprecated. https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html
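The configuration review suggested in the reply above can be partly automated. The following Python script is an added example (not part of the original thread and not Cisco code): it inventories the IKE, IPsec and SSL crypto parameters found in a saved `show running-config` so they can be compared against the release notes. The sample configuration is constructed, and only the `ssl dh-group` options that the quoted 9.16(1) release note says were removed are flagged automatically; everything else is listed for manual review.

```python
import re
from collections import defaultdict

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
ssl dh-group group2
"""

# Per the 9.16(1) release note quoted above: these ssl dh-group options were removed.
REMOVED_SSL_DH = {"group2", "group5", "group24"}

def inventory(config):
    """Return (settings, blockers): crypto parameters per section, and removed ssl dh-group lines."""
    settings, blockers, section = defaultdict(list), [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # a top-level command ends the previous section
            section = None
            m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)
            if m:
                settings["transform-set " + m.group(1)] += m.group(2).split()
            elif re.match(r"crypto (ikev[12] policy \d+|ipsec ikev2 ipsec-proposal \S+)$", line):
                section = line[len("crypto "):]
            elif line.startswith("ssl dh-group "):
                group = line.split()[2]
                settings["ssl dh-group"].append(group)
                if group in REMOVED_SSL_DH:
                    blockers.append(line)
        elif section:  # indented sub-command of a policy or proposal
            words = line.split()
            if words[0] in ("encryption", "hash", "integrity", "group", "prf", "protocol"):
                settings[section].append(" ".join(words))
    return dict(settings), blockers

if __name__ == "__main__":
    print(inventory(SAMPLE_CONFIG))
```

Run it against the saved configuration of each ASA and compare the inventories between VPN peers, since both ends of a tunnel must still share a proposal after any cipher change.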

Removal of bypass certificate validity checks option?

Can you please elaborate more on this point?

Sorry for the delay in responding. On the upgrade to version 9.13 there is a section on removal of bypass certificate validity checks option.

Also, is there any impact of updating these 4 ASAs individually as they are in 3 different locations across the US? Will anything break or do we need to make sure they are all done at the same time?
