Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
mx
New Member

Downgrading IOS on ASA?

Hi everyone. I need to downgrade the IOS from 8.0.4 to 7.2.4 on a 5510 due to VPN issues with a non cisco device. no problem, the downgrade went fine. Upon reboot, it read the config and said that a couple hundred lines were invalid (see below). Is there a proper procedure for doing this or some kind of conversion tool?

Thanks

Bob

*** Output from config line 4, "ASA Version 8.0(4) "

...

dynamic-access-policy-record DfltAccessPolicy

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 154, "dynamic-access-policy-re..."

..

vpn-addr-assign local reuse-delay 5

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 236, "vpn-addr-assign local re..."

threat-detection basic-threat

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 249, "threat-detection basic-t..."

threat-detection statistics port

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 250, "threat-detection statist..."

5 REPLIES
Cisco Employee

Re: Downgrading IOS on ASA?

hi,

these config. errors are ok.

the command format is a lot different in between these codes.

these are startup config. errors and in no wat affect the actual working of f/w.

there is no conversion tool which could convert asa's configuration in between the codes.

there is one to convert checkpoint's config. to asa's though.

hTh

Sushil

TAC

mx
New Member

Re: Downgrading IOS on ASA?

Hi Sushil. thanks for the reply. There are pages and pages of them, including tunnel group errors etc. You mean that it will still work?!?!

Cisco Employee

Re: Downgrading IOS on ASA?

Yes,I never saw someone loose vpn or internet by downgrade.If there are pages of these invalid commands,you must have lot of vpn commands in there.

Gold

Re: Downgrading IOS on ASA?

those errors involved features that are present in 8.x but not 7.2 and earlier. Unless you were using those features, I wouldn't worry about it. If you saved the new config to memory, the next time the firewall reboots you wont get these errors.

mx
New Member

Re: Downgrading IOS on ASA?

On reboot Im still getting the errors. Some of them look pretty critical to the tunnels:

tunnel-group Healthpac general-attributes

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 332, "tunnel-group Healthpac g..."

address-pool Healthpac

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 333, " address-pool Healthpac"

default-group-policy Healthpac

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 334, " default-group-policy He..."

tunnel-group Healthpac ipsec-attributes

^

ERROR: % Invalid input detected at '^' marker.

*** Output from config line 335, "tunnel-group Healthpac i..."

759
Views
0
Helpful
5
Replies
CreatePlease to create content