Has anyone tried to upgrade to ASA 8.3?

Unanswered Question
Aug 30th, 2010
User Badges:

I did - it's pretty horrible. They completely re-wrote my NAT table with something that vaguely resembled what I had before except for the fact that it didn't work.


And they completely wiped out the names on all my named objects - will TAC ever learn how to use ASDM? 


This is the worst upgrade I've ever gotten from Cisco.  I called TAC on it but they don't necessarily seem to care.


At least I still have my job.... this time.


Good luck everybody.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
topkick69 Mon, 08/30/2010 - 13:39
User Badges:

Yup I upgraded as well and then promptly rolled back to 8.2 what a complete cluster of a code upgrade AND we had to spend money on more memory for it. Those NAT commands are not in anyway easier....

dpeters_vaneck Mon, 08/30/2010 - 13:43
User Badges:

Hilarious.


Not only did I have to install more memory but for one of my firewalls I had to fly to another city to do it.  I didn't even want 8.3.  I just had to have it for SSL VPN Licensing on my cluster.


I don't even think that the NAT module is intended to be easier.  Maybe it's intended to be more secure and maybe it is for all I can tell.  I would plan to rewrite your NAT from scratch after this upgrade.  ANd nothing's going to work until you're done.


I did the upgrade on Saturday.  I'm still cleaning up the mess.

b.julin Mon, 08/30/2010 - 13:40
User Badges:
  • Bronze, 100 points or more

It's pretty rough.  I wouldn't recommend it unless you can work a spare free to do the upgrade and tests offline.  Trying to glue it together at 2am in the morning on a production system won't be enough time.


Also, still some glitches in IPSEC-RA even on 8.3(2) which TAC can't seem to replicate.  If you're doing IPSEC-RA then you definitely don't want to touch anything lower than 8.3.2.  8.3.2. kills sessions due to failing Phase 2 rekey, so if your users are staying in for more than an hour or you run high security, it will be unusable -- assuming you are affected.  As I said, TAC can't replicate it so YMMV.


Some really annoying cosmetic/admin bugs -- like modifying a group object using the CLI causes an access list recompile that tosses your rule order all over the place, especially the comments, but also functonally consequential changes.


However all that said it's been at least stable in production so far.  Then again we don't NAT on it.

ARMANDO ALVARADO Tue, 08/31/2010 - 06:50
User Badges:

I looked at it myself and was told by by a large corp not to install due to the all the changes they made and had to revert back to 8.2. Cisco needs to do a better job on this OS. But for now we are good with the other code.

kmkrause2 Tue, 08/31/2010 - 08:28
User Badges:

I had all the same issues as everyone else. Had to add memory as well. According to the release notes, the change in NAT was to make working with translated addresses easier; simply use the real IP address in ACLs and not the NAT. But for those of us who have been working with ACLs for years, this goes against rookie rule #1: always use the translated IP in ACLs. I would think they would have at least allowed either/or, but they did a complete 180 on this.


The upgrade is supposed to reconfigure ACLs automatically, but it didn't convert mine. Basically, I had to run through my list of ACLs in ASDM. Whenever I came across a translated address, I swapped it out with the real IP (I use objects, so I simply used the object name). I have a relatively straight-forward firewall with an inside, outside and DMZ interface. Rolling back to the previous version is fairly painless if you run into problems or have no test environment. Just be sure to make a backup before you start.


BTW, beware the ASDM upgrade requirements too, if you haven't upgraded that lately.

dpeters_vaneck Tue, 08/31/2010 - 08:40
User Badges:

ASDM 6.2.5 had this concept of a named object.


     name 1.2.3.0 test

     asdm location test 255.255.255.0 Inside.



Or something like this.  If you created an ASDM object and added it to a rule and gave it a name, this is how that got taken care of.


ASA 8.3 does the same thing this way


     object network test

      subnet 1.2.3.0 255.255.255.0

But for whatever reason the developers decided to forego the trivial procedure of reading the 6.2.5 objects and writing them as 6.3 objects.


Cisco's technical resources have long been allergic to ASDM.  I would view this shortcoming in that upgrade process as just a big up-yours to the customer who would prefer to use it.


Like me for instance - I'm now on day 3 of cleaning up the mess that the 6.3 upgrade made of my firewall.  Still have a job, though.  That's a good thing.

abrrymnvette Wed, 09/01/2010 - 09:11
User Badges:

Thanks guys, my heart just sank. Ugg, last upgrade I did to 8.2 was a fiasco in itself.

CWF Netman Mon, 09/13/2010 - 08:28
User Badges:

I even tried 8.3.2 as an original deployment on a fresh, brand new installed ASA 5520. Hardly any of my VPN and NAT configs would work at all, and I stuck solely to using ASDM and its wizards for making all my configs and did nothing VPN or NAT-related by command line.


I downgraded the box to 8.2.3, wiped all configs clean and again used the ASDM wizards to do all my configs from scratch.  It worked fine then.


  

Federico Coto F... Mon, 09/13/2010 - 08:37
User Badges:
  • Green, 3000 points or more

Just want to add a comment from a Cisco engineer (about the changes in 8.3)


''I understand there is a learning curve with this that people will need to go through for the 8.3 changes. But I believe in the long run the changes will work to our benefit.

The "real ip" will simplify your ACL in the long run since you don't need to change ACL and nat when you change your translations. You also don't need to remember the translated ip of the host when setting up ACLs.

The nat statements have been simplified and can be run more "on the fly". The syntax is the same for all cases (nat statements, no nat 0, statics, nat with acls etc). As long as you name your objects properly I believe nat has benefits compared to the old nat. I understand it can be a little harder to troublehsoot and get used to the new syntax and that is where the learning curve comes in.

Keep in mind that no nat control is enforced by default now, so you don't need to nat exempt everything.

The are also some nice feature like the global ACL and the Smart Call Home that I believe will be liked more and more in the future.

I hope that as soon as you get passed the getting familiar and learning part, 8.3 will be liked a lot.

8.2 will be supported for a long time, so that should not be a concern.''


The NAT has changed completely, the ACLs referece the real IP, everything is object-oriented, it seems at first glance that everything is more complicated (cannot argue with that), but...

Personally I think that is a matter of playing around with it and getting used to it (you'll most likely find that you like it better).

I agree 100% that there are a lot of changes which we are not used to, but in the long run... we'll get benefit from it (at least that's my opinion).


Federico.

Actions

This Discussion