ASA 5516 upgrade to 9.16

AirSail
Level 1

Hello ASA Gurus, 

I have an ASA 5516 running 9.9 and I'm planning to upgrade to 9.16 (the latest supported version).

This ASA is used as a main VPN concentrator,

S2S VPNs are kind of a mix: IKEv1 with old encryption ciphers, and others with IKEv2 with strong/recommended ciphers.

I walked through the version guidelines, and some mentioned that some ciphers are deprecated, so the first thing I'm thinking about is: if I shoot for an upgrade to 9.16, am I going to break the working VPNs that I have?

Thanks, 


8 Replies

I would suggest reviewing your VPN configuration and correcting any deprecated / removed syntax. Check the 9.15 removed encryption ciphers in this link: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#reference_rql_v5v_wpb


--
Please remember to select a correct answer and rate helpful posts
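The review suggested above can be partly automated before touching the ASA. The script below is an added example, not code from this thread or from Cisco: it splits an ASA running-config into commands and their indented sub-commands, then flags crypto lines that match a rule table. The RULES entries (DES, MD5, DH groups 2/5 and so on) are placeholders I chose to show the shape of the table; populate it from the removed-cipher list in the planning guide linked above for your target release. The SAMPLE_CONFIG is constructed, not a real device configuration.

```python
"""Static audit of an ASA running-config for crypto commands that reference
ciphers slated for removal, so they can be corrected before an upgrade.

RULES is a placeholder table (assumption): fill it from the removed/deprecated
cipher list in the Cisco ASA upgrade planning guide for the target release.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# (regex over the parent crypto command, regex over the offending line, reason)
# Placeholder entries chosen for illustration, not the vendor list.
RULES: List[Tuple[str, str, str]] = [
    (r"^crypto ikev[12] policy", r"^encryption\s+des\b", "single DES encryption"),
    (r"^crypto ikev[12] policy", r"^(hash|integrity|prf)\s+md5\b", "MD5 hash/PRF"),
    (r"^crypto ikev[12] policy", r"^group\s+(2|5)\b", "small Diffie-Hellman group"),
    (r"^crypto ipsec ikev1 transform-set", r"\sesp-(des|md5-hmac)\b",
     "DES or MD5-HMAC in transform set"),
    (r"^crypto ipsec ikev2 ipsec-proposal",
     r"^protocol esp (encryption\s+des|integrity\s+md5)\b", "DES or MD5 in IPsec proposal"),
]

# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
"""


@dataclass(frozen=True)
class Finding:
    parent: str   # the crypto command that owns the line
    line: str     # the sub-command (or the command itself) that was flagged
    reason: str


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (command, [indented sub-commands]) records.
    ASA prints a mode-entering command at column 0 and its sub-commands
    indented by one space; '!' lines are separators."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks


def audit(config: str) -> List[Finding]:
    """Return every crypto line that matches a rule, with its parent command."""
    compiled = [(re.compile(p), re.compile(c), why) for p, c, why in RULES]
    findings: List[Finding] = []
    for header, children in parse_blocks(config):
        for parent_re, line_re, why in compiled:
            if not parent_re.search(header):
                continue
            # Single-line commands (transform-set) carry their ciphers on the
            # header itself, so the header is checked alongside its children.
            for line in [header, *children]:
                if line_re.search(line):
                    findings.append(Finding(header, line, why))
    return findings


def format_report(findings: List[Finding]) -> str:
    if not findings:
        return "no flagged crypto commands"
    return "\n".join(f"{f.parent!r}: {f.line!r} ({f.reason})" for f in findings)


if __name__ == "__main__":
    # Replace SAMPLE_CONFIG with open("running-config.txt").read() for a real audit.
    print(format_report(audit(SAMPLE_CONFIG)))
```

On the sample this flags the DES/MD5 transform set and the three weak lines under `crypto ikev1 policy 10`, and leaves the AES-GCM proposal and the IKEv2 policy alone. The rule table keys on the parent command so that, for instance, `group 2` is only flagged inside an IKE policy and not wherever the word appears elsewhere in the config.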

So you think if I upgrade to 9.16 without updating my S2S parameters for sure the affected VPNs will go down? 


@AirSail most likely they will go down. This is explained explicitly in the link provided by @Marius Gunnerud :

"

Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:

  • The command will use the default cipher.

  • The command will be removed.

"

This depends on how your S2S VPNs are configured, which is why I said review your configuration. If you do have any configuration that references those that are removed in the list for 9.15, your S2S VPNs will most likely stop working.

--
Please remember to select a correct answer and rate helpful posts

AirSail
Level 1

@Marvin Rhoads I started the checks, and it takes a bunch of time. Is there any automated tool from Cisco where I can insert the running config so it can verify and flag what's been deleted/deprecated?

@AirSail, not as far as I know.

You could spin up an ASAv and load the current running-config from your live ASA into it. The console log will show you any errors the command parser encounters.

Hello Marvin, 

It's an old conversation, but that topic prompted me: I'm running now into another use case with the same thing.

I want to try now the ASAv (EVE-NG) method to insert my config and look at the logs.

Should I perform a TFTP configuration restore? Will a console prompt show up with a sort of summary of what needs to be updated?

What is the best way/process to do it?

Yes - copy whatever config you want to analyze into startup-config and then reload the ASAv while capturing console output.
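Once the ASAv has been reloaded with the config in startup-config and the console capture saved to a file, the useful part is pairing each parser message with the command that triggered it, since the ASA echoes the rejected line and a caret marker before the message. The script below is an added example, not from this thread or from Cisco; the SAMPLE_CONSOLE text is a constructed capture and the assumption that messages start with `ERROR:` or `WARNING:` is mine (adjust MESSAGE_RE if your capture shows a different prefix).

```python
"""Pair parser errors from a captured ASAv console boot log with the config
command that produced them, so the offending lines can be fixed in the
source config before the real upgrade.

The console format is an assumption based on a constructed sample; adjust
MESSAGE_RE if the capture from your ASAv uses a different prefix."""
import re
from typing import Dict, List, Tuple

MESSAGE_RE = re.compile(r"^(ERROR|WARNING):\s*(.*)$")

# Constructed console capture, not output from a real device.
SAMPLE_CONSOLE = """\
crypto ikev1 policy 10
 encryption des
                ^
ERROR: % Invalid input detected at '^' marker.
 hash md5
          ^
ERROR: % Invalid input detected at '^' marker.
 group 2
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
ERROR: % Invalid input detected at '^' marker.
crypto ikev2 policy 1
 encryption aes-256
"""


def pair_messages(console_log: str) -> List[Tuple[str, str]]:
    """Return (command, message) pairs: each ERROR/WARNING line is attributed
    to the most recent echoed command above it."""
    pairs: List[Tuple[str, str]] = []
    last_cmd = ""
    for raw in console_log.splitlines():
        line = raw.strip()
        # Blanks, '!' separators and the caret marker carry no command text.
        if not line or line.startswith("!") or line == "^":
            continue
        m = MESSAGE_RE.match(line)
        if m:
            pairs.append((last_cmd, m.group(0)))
        else:
            last_cmd = line
    return pairs


def rejected_commands(console_log: str) -> Dict[str, int]:
    """Count messages per command, giving a short list of lines to fix."""
    counts: Dict[str, int] = {}
    for cmd, _ in pair_messages(console_log):
        counts[cmd] = counts.get(cmd, 0) + 1
    return counts


if __name__ == "__main__":
    # Replace SAMPLE_CONSOLE with open("asav-console.log").read() for a real capture.
    for cmd, msg in pair_messages(SAMPLE_CONSOLE):
        print(f"{cmd!r}: {msg}")
```

Note that a sub-command such as `encryption des` is reported on its own; the enclosing `crypto ikev1 policy 10` is still visible a few lines earlier in the capture, and the command that was accepted (`group 2` in the sample) produces no pair, which is exactly the signal you want when deciding what to rewrite before upgrading the production unit.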
