
ASA Crypto Map - PFS default changed in ASA 9.14 firmware

chris-goulder
Level 1

I didn't come across any post mentioning this topic, so I'm just posting this in case it helps someone else.

In ASA crypto maps, the entry

crypto map name_map x set pfs

has previously defaulted to group2

(and if you entered crypto map name_map x set pfs group2 it would be truncated to the above in the config)

 

In ASA f/w 9.14 there are now lots of warnings about unsecure protocols that will be removed in future versions etc.

And if you check the config options for PFS, group14 is now the default instead of group2, as shown below:

 

ASA(config)# crypto map outside_map 11 set pfs ?

  configure mode commands/options:
  group14 D-H Group 14
  group2 D-H Group 2 (DEPRECATED)
  group5 D-H Group 5 (DEPRECATED)
  <cr>

 

If doing a migration from an earlier f/w version to 9.14 this will break any map entry that has in its config a default PFS statement

crypto map name_map x set pfs

As this will then default to group14 PFS, not group2 as intended, and phase 2 negotiations will fail

 

If you hit this scenario you will need to manually edit the config post f/w update to change the above to the following

crypto map name_map x set pfs group2

 

At least that was the experience when going from 9.8 train to 9.14

 

 

2 Accepted Solutions

5 Replies

@chris-goulder yes, Cisco removed all the weaker algorithms, not just for PFS but also encryption and integrity, in newer versions of ASA and FTD.

They're not removed yet in 9.14, they're just deprecated

You get a warning, for example if configuring pfs group2 you get

 

WARNING: DH group 2 is considered insecure. This option is deprecated and will be removed in a later version.

 

But the config is still accepted and works as normal

 

It's going to cause lots of 'fun' when/if Cisco decide to remove everything 'considered insecure'

In the real world where you are operating IPSec L2L tunnels with numerous 3rd party organisations, and that have been in place for some time, there is little appetite to change them / move off IKEv1 etc. That includes major internationals et al.

 

@chris-goulder I was referring to newer versions as 9.14 isn't the latest. DH groups 2, 5 and 24 have been completely removed from 9.16

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html

 

These older algorithms are considered insecure not just by Cisco. If an organisation doesn't want to reconfigure their VPNs, then they cannot upgrade past ASA version 9.15.

 

HTH

That's an upvote for 9.14 then!

Appliance mode on FPR and 'legacy' config support

 

e.kooning
Level 1

This is not just a warning about deprecation. This is a real issue.

When we upgraded from 9.12.4.41 to 9.14.4.7 we had many tunnels starting to fail which had PFS set like:

 

crypto map Outside_map 57 set pfs  

The logs reported on the other end: receiving PFS group 5, expect 2.

 

When opening the tunnel group in ASDM and simply closing the window right away, ASDM would send command crypto map Outside_map 57 set pfs  GROUP 5 

 

We had to revert back to 9.12 and we currently do not have a path to 9.14 yet. We could of course change all tunnels to PFS Group 2 after the migration.
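The two failure modes described in this thread (a bare `set pfs` line whose meaning silently changes from group2 to group14 at 9.14, and explicit group2/group5/group24 entries that 9.14 only warns about but 9.16 removes outright) are easy to catch before an upgrade by scanning the running-config offline. The script below is an added example written for this page; it is not from the thread, from Cisco, or from any ASA tooling. The sample config is constructed, and the regex, the function names and the choice to rewrite a bare `set pfs` to `set pfs group2` (preserving the pre-9.14 behaviour the posters relied on) are my assumptions based on what the thread describes. It goes slightly beyond the posts by also flagging explicit deprecated groups, so the same report can be used for a 9.16 readiness check.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a fragment of a pre-9.14 ASA running-config (not a real device).
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address acl-partner-a
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 11 match address acl-partner-b
crypto map outside_map 11 set pfs group5
crypto map outside_map 12 match address acl-partner-c
crypto map outside_map 12 set pfs group14
crypto map outside_map 13 set peer 192.0.2.13
"""

# Per the thread: these groups warn as deprecated in 9.14 and are removed in 9.16.
DEPRECATED_GROUPS = {"group2", "group5", "group24"}
# Per the thread: a bare "set pfs" meant group2 before 9.14 and group14 from 9.14 on.
OLD_IMPLICIT_DEFAULT = "group2"
NEW_IMPLICIT_DEFAULT = "group14"

# Matches "crypto map <name> <seq> set pfs [groupN]". Trailing spaces (as in the
# "set pfs  " line quoted above) are tolerated because the caller strips the line.
PFS_RE = re.compile(r"^crypto map (\S+) (\d+) set pfs(?:\s+(group\d+))?$")


def audit_pfs(config_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per crypto-map PFS line that will change meaning or break."""
    findings: List[Dict[str, Optional[str]]] = []
    for raw in config_text.splitlines():
        m = PFS_RE.match(raw.strip())
        if not m:
            continue
        map_name, seq, group = m.groups()
        if group is None:
            # Implicit default: after upgrading to 9.14 this silently becomes group14.
            findings.append({
                "map": map_name, "seq": seq, "group": OLD_IMPLICIT_DEFAULT,
                "issue": "implicit-default",
                "detail": f"bare 'set pfs' will mean {NEW_IMPLICIT_DEFAULT} on 9.14+",
                "fix": f"crypto map {map_name} {seq} set pfs {OLD_IMPLICIT_DEFAULT}",
            })
        elif group in DEPRECATED_GROUPS:
            # Explicit but deprecated: accepted with a warning on 9.14, rejected on 9.16+.
            findings.append({
                "map": map_name, "seq": seq, "group": group,
                "issue": "deprecated-group",
                "detail": f"{group} is deprecated in 9.14 and removed in 9.16",
                "fix": None,  # needs agreement with the peer; no mechanical rewrite
            })
    return findings


def rewrite_implicit_pfs(config_text: str) -> str:
    """Make every bare 'set pfs' explicit as group2 so 9.14 keeps the old behaviour."""
    out = []
    for raw in config_text.splitlines():
        m = PFS_RE.match(raw.strip())
        if m and m.group(3) is None:
            raw = f"crypto map {m.group(1)} {m.group(2)} set pfs {OLD_IMPLICIT_DEFAULT}"
        out.append(raw)
    return "\n".join(out) + ("\n" if config_text.endswith("\n") else "")


def summarize(findings: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count findings by issue type for a quick go/no-go before the upgrade window."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_pfs(SAMPLE_CONFIG):
        print(f"{f['map']} seq {f['seq']}: {f['issue']} ({f['detail']})")
        if f["fix"]:
            print(f"  suggested line: {f['fix']}")
    print(summarize(audit_pfs(SAMPLE_CONFIG)))
```

Run it against a `show running-config` capture saved to a file before scheduling the 9.14 upgrade: every `implicit-default` finding is a tunnel that will start failing phase 2 with a "receiving PFS group ... expect 2" style mismatch on the peer, and every `deprecated-group` finding is a tunnel that must be renegotiated with the third party before 9.16 is an option.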