Updating ASA - Deprecated Parameters Removal

MarcoLazzarotto · ‎03-21-2023

I am updating my ASA. The version I am going to install (9.15 for the moment) will remove deprecated parameters like Diffie Hellman 2 and 24, some encryption algorithms and MD5 as hash algorithm.

I worked in the past months to upgrade our VPN tunnels in order to comply with new firmware protocols, but I still have those protocols in the default IKE-IPsec policies.

Do I have to manually edit the default policies, or will the ASA do that when booting the new firmware?

Rob Ingram · ‎03-21-2023

Hi @MarcoLazzarotto Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:

The command will use the default cipher.
The command will be removed.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html

MarcoLazzarotto · ‎03-21-2023

Hi @Rob Ingram, I updated all the VPNs, but I still have a few IPSEC proposals that cannot be deleted because are created by the system.

How should I handle those?

Rob Ingram · ‎03-21-2023

@MarcoLazzarotto as it's system defined proposals they would likely be removed (as per release notes) and replaced once upgraded to 9.15.