Cisco Bug: CSCvu97214 - DOC: ASA software version downgrade may cause partial loss of configuration

Last Modified

Aug 21, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.10(1) 9.12(1) 9.14(1) 9.6(4) 9.8(4)

Description (partial)

Symptom:
When the ASA software is downgraded, parts of the configuration may be lost because they contain commands that are not supported in the target version, that is, the version to which the ASA is downgraded.

Consider the following examples in the running configuration of an ASA currently running software version 9.8.x:

1. There is an access control entry (ACE) for the SCTP protocol in an access control list (ACL):

access-list acl1 extended permit sctp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0

2. There is a local user named test1 whose password is stored with the pbkdf2 keyword:

username test1 password $sha512$1234$abcdefghijklmnopqrstuvwxyz pbkdf2 privilege 15

3. There is an SNMPv3 user named snmpuser1 configured with an engineID:

snmp-server user snmpuser1 snmpgroup1 v3 engineID abcdefghijklmnopqrstuvwxyz encrypted auth md5 12:ab:34:ef:56:ij:78:mn:90:qr:st:uv:wx:yz priv aes 128 12:ab:34:ef:56:ij:78:mn:90:qr:st:uv:wx:yz

When the ASA software is downgraded to, for example, version 9.0, the following errors appear on the ASA console during the configuration apply phase after the downgrade:

The version 9.8(4)20 configuration may contain syntax that is
not backward compatible with the 9.0(4) image that is loaded.

access-list acl1 extended permit sctp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
ERROR: % Invalid input detected at '^' marker.
...
username test1 password $sha512$1234$abcdefghijklmnopqrstuvwxyz pbkdf2 privilege 15
ERROR: % Invalid input detected at '^' marker.
...
snmp-server user snmpuser1 snmpgroup1 v3 engineID abcdefghijklmnopqrstuvwxyz encrypted auth md5 12:ab:34:ef:56:ij:78:mn:90:qr:st:uv:wx:yz priv aes 128 12:ab:34:ef:56:ij:78:mn:90:qr:st:uv:wx:yz
ERROR: % Invalid input detected at '^' marker.

The error messages appear because these lines cannot be applied: each contains one or more keywords that the target version does not support, so the line is rejected and is absent from the configuration after the downgrade. Because the remaining lines are still applied, the loss is easy to miss unless the console output is reviewed; keep a copy of the running configuration taken before the downgrade and compare it with the configuration on the downgraded image, since a rejected ACE, local user, or SNMP user changes what the firewall permits and who can manage it.

In the above example, support for the SCTP protocol in an ACE was added in version 9.5(2), support for the 'pbkdf2' keyword was added in version 9.6(1), and support for 'engineID' in the SNMP user configuration was added in version 9.5(3).

The purpose of this documentation defect is to have the ASA release notes mention the potential impact of a downgrade.

Conditions:
All of the following conditions must match:

1. The ASA software is downgraded from version Z to version X, where Z > X.
2. The ASA running configuration in version Z contains protocols, algorithms, keywords, etc. that are supported only from version Y onward, where Z > Y > X.
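As an added example (not part of the Cisco bug report and not a Cisco tool), the following Python script implements the pre-downgrade check these two conditions describe: it scans a saved running configuration for the three keywords the report names, compares each keyword's minimum release Y with the target release X, and lists the lines the target image would reject with '% Invalid input detected'. The version table, the regular expressions, and the sample configuration (the report's three lines plus an extra deny ACE added here to show the fail-open case) are assumptions built from this page; the table covers only the cases the report mentions and is not a complete list of ASA syntax changes.

```python
import re

# Minimum release for each keyword, as stated in the bug report.  This table is
# an illustrative assumption covering only the three cases the report names;
# it is not a complete catalogue of ASA syntax changes.
FEATURE_MIN_VERSION = (
    ("sctp protocol in an ACE",
     re.compile(r"^access-list\s+\S+\s+extended\s+(?:permit|deny)\s+sctp\b"),
     "9.5(2)"),
    ("pbkdf2 keyword on a local username",
     re.compile(r"^username\s+\S+\s+password\s+\S+\s+pbkdf2\b"),
     "9.6(1)"),
    ("engineID on an SNMPv3 user",
     re.compile(r"^snmp-server\s+user\s+.*\bengineID\b"),
     "9.5(3)"),
)

# Constructed sample running configuration (version Z = 9.8(4)20): the three
# lines quoted in the report, one extra deny ACE added here to show the
# fail-open case, and lines that every 9.x release accepts.
SAMPLE_RUNNING_CONFIG = """\
hostname asa1
access-list acl1 extended permit sctp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list acl1 extended deny sctp any any
access-list acl1 extended permit tcp any any eq 443
username test1 password $sha512$1234$abcdefghijklmnopqrstuvwxyz pbkdf2 privilege 15
snmp-server user snmpuser1 snmpgroup1 v3 engineID abcdefghijklmnopqrstuvwxyz encrypted auth md5 12:ab:34:ef:56:ij:78:mn:90:qr:st:uv:wx:yz priv aes 128 12:ab:34:ef:56:ij:78:mn:90:qr:st:uv:wx:yz
"""


def parse_version(text):
    """Convert an ASA release string such as '9.8(4)20' or '9.0(4)' into a
    comparable tuple (major, minor, maintenance, interim)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)(\d*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def classify_risk(line):
    """What the device looks like once the line is gone.  Losing a deny ACE
    leaves the ACL more permissive (fail-open); losing a permit ACE, a local
    user or an SNMPv3 user removes access or monitoring (fail-closed)."""
    if line.startswith("access-list") and re.search(r"\bdeny\b", line):
        return "fail-open"
    return "fail-closed"


def find_incompatible_lines(config_text, target_version):
    """Return (line_number, line, reason, risk) for every configuration line
    the target release X would reject with '% Invalid input detected' and
    therefore drop during the post-downgrade configuration apply."""
    target = parse_version(target_version)
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for reason, pattern, min_version in FEATURE_MIN_VERSION:
            # Condition 2 of the report: the keyword needs version Y and Y > X.
            # A keyword introduced in exactly X is kept, hence the strict '>'.
            if pattern.match(line) and parse_version(min_version) > target:
                findings.append((lineno, line,
                                 f"{reason} requires {min_version}",
                                 classify_risk(line)))
                break
    return findings


if __name__ == "__main__":
    for target in ("9.0(4)", "9.5(2)", "9.6(1)"):
        hits = find_incompatible_lines(SAMPLE_RUNNING_CONFIG, target)
        print(f"downgrade to {target}: {len(hits)} line(s) would be lost")
        for lineno, line, reason, risk in hits:
            print(f"  line {lineno} [{risk}] {reason}: {line[:60]}")
```

Run it over the text of `show running-config` saved from the current image before loading the older one; for the sample configuration a downgrade to 9.0(4) flags all four feature lines, a downgrade to 9.5(2) flags only the pbkdf2 user and the engineID SNMP user, and a downgrade to 9.6(1) flags nothing. Any flagged line has to be re-entered in syntax the target version accepts (or the feature given up) after the downgrade, and the deny ACE case is the one to fix first because its loss widens what the ACL permits.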