Solved: upgrading ASA5506 from 9.8 to 9.16

sabetghadam.me@gmail.com · ‎04-30-2024

I'd like to know if you have experience with upgrading an ASA5506 from 9.8 to 9.16.

I have an s2s IPsec IKEv2 configuration with group 14 and 19. What impact will this have on IPsec?

Could you please share your experiences?

Thank you!

Marvin Rhoads · ‎04-30-2024

You should be OK. Only DH groups 2, 5 and 24 were deprecated (as of ASA 9.13). Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html#reference_yw3_ngz_vhb

View solution in original post

Marvin Rhoads · ‎04-30-2024

You should be OK. Only DH groups 2, 5 and 24 were deprecated (as of ASA 9.13). Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html#reference_yw3_ngz_vhb

balaji.bandi · ‎04-30-2024

before upgrading - make sure check other end can support same DH methods, some legacy system still need DH 5, this what i have encountered the issue.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

sabetghadam.me@gmail.com · ‎05-02-2024

Thank you for your answer.

The other thing that worries me is that Cisco recommends generating higher-security keys as soon as possible using the crypto key generate {eddsa | ecdsa} command.