Solved: Warning about Deprecated DH Groups in IKEv2 for Remote Access VPN

MauryJ · ‎09-17-2021

Hello,

We are using FMC and FTD 6.6.4 on an ASA 5516-X, and are preparing to upgrade to 6.7. (I'm not sure about making the jump to 7.0.)

When pushing deployments to our FTD, we get a warning regarding one of our Remote Access groups that we use for AnyConnect clients:

Remote Access VPN: <Group Name>

Warning: Deprecated DH Groups Used in IKEv2 Policy.

For the referenced RA group, we are using SSL only, and IPSec-IKEv2 is not enabled. (There is a default web vpn group setup, with a default group policy that does have IKEv2 enabled. But we aren't using it.) So I'm not sure where to look to clear up this issue.

Thanks for any advice

Marvin Rhoads · ‎09-19-2021

You should be able to disable it in the default group policy without any problem.

FYI 7.0 will remove the support altogether.

Between 7.0 and 6.7 (6.7.0.2) I would choose 7.0 since 6.7 is already post end of sales and 7.0 is designated an extra long term release.

Possibly wait a few weeks - I hear 7.0.1 is due out around the end of September.

View solution in original post

Marvin Rhoads · ‎09-19-2021

You should be able to disable it in the default group policy without any problem.

FYI 7.0 will remove the support altogether.

Between 7.0 and 6.7 (6.7.0.2) I would choose 7.0 since 6.7 is already post end of sales and 7.0 is designated an extra long term release.

Possibly wait a few weeks - I hear 7.0.1 is due out around the end of September.