topic Re: ASA 5506x oldest software version to downgrade while keeping secur in Network Security

ASA 5506x oldest software version to downgrade while keeping security

m4k3rz — Wed, 31 May 2023 02:42:55 GMT

Good afternoon,

I need to downgrade the ASA software version because our monitoring software has an incompatibility with the latest ASA 5506x software version 9.16; however, it works great with version 9.12. My dilemma, is that i don't know how to find out whether or not it would still be ok to use that version without compromising the security of the network.

I can see the latest available software is 9.16(x), so is fair to assume that one is the one with the latest bug and security fixes; however, what is the oldest software version I can downgrade to without compromising security?

For example, if I go back say to version 9.8(x), yeah most likely there will be a lot of unpatched security holes, but could i go back to say 9.12(x) and still be ok from the security standpoint?

Thank you

Re: ASA 5506x oldest software version to downgrade while keeping secur

Rob Ingram — Wed, 31 May 2023 06:38:14 GMT

@m4k3rz downgrading to an older version such as 9.12 is a backwards step in regard to security, as the latest version of 9.12(4) your hardware supports is 3 years old.

Have you tried the latest version, 9.16.4 interim - https://software.cisco.com/download/home/286283326/type/280775065/release/9.16.4%20Interim

Tbh there is no good version of ASA software to use on the ASA 5506-X hardware, the firewall is EOL and has been replaced with the FPR-1010 series which supports the latest versions of ASA software or FTD.

Re: ASA 5506x oldest software version to downgrade while keeping secur

m4k3rz — Wed, 31 May 2023 14:59:21 GMT

Good morning,

I did try the 9.16 interim, but as i mentioned on the initial post, is not working with the monitoring system we use. I've done extensive troubleshooting and can't pin point where the issue lays. That's why I pondered about downgrading to 9.12(x) which is a version that other ASA on our network is using and working fine with the monitoring.

This is the exact ASA 5506x model I am using. Is running Cisco ASA software and not FTD.
# sh inv
Name: "Chassis", DESCR: "ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC"
PID: ASA5506 , VID: V07 , SN: XYZ

Could someone please provide the EOL link for the ASA 5506 software? I'd like to see where is the last date for bugs and security fixes releases.
I've been looking but can only find EOL for hardware
https://www.cisco.com/c/en/us/support/security/asa-5506-x-firepower-services/model.html
https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html

Re: ASA 5506x oldest software version to downgrade while keeping secur

Rob Ingram — Wed, 31 May 2023 15:10:11 GMT

@m4k3rz ASA version 9.12 is actually in software maintenance support until Feb 27 2024, but 9.12 hasn't had a software update for 3 years on the 5506-X, so has 3 years worth of security vulnerabilities unpatched. https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/adaptive-security-appliance-9-12x-eol.html

Using 9.12 is a step backwards in regard to security in my view, but I appreciate your position though. I'd still recommend replacing the hardware, you can still use ASA software, 9.19 is the latest version.

Re: ASA 5506x oldest software version to downgrade while keeping secur

m4k3rz — Wed, 31 May 2023 19:51:35 GMT

Thank you, where did you find out that 9.12 is still in maintenance support until 2024?

also, if that's the case, why it hasn't been receiving updates for bug fixes and security updates for over 3 years?

Thanks Rob

Re: ASA 5506x oldest software version to downgrade while keeping secur

Rob Ingram — Wed, 31 May 2023 21:11:26 GMT

@m4k3rz its on the link I provided previously. https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/adaptive-security-appliance-9-12x-eol.html

I guess it is Cisco's way to force customers to purchase new hardware, as the 5506-X is very old now. Although they have updated 9.16 more recently. Perhaps log a TAC call with Cisco regarding your issue with 9.16?

Re: ASA 5506x oldest software version to downgrade while keeping secur

m4k3rz — Thu, 01 Jun 2023 15:34:59 GMT

Thanks so much for your help. I'm trying to open a TAC ticket, but is not letting me because the serial number of the device is not linked to any support contract. is there any other way you know of?

Re: ASA 5506x oldest software version to downgrade while keeping secur

Marvin Rhoads — Thu, 01 Jun 2023 15:59:29 GMT

What is not working with your monitoring system? There is one such issue I can think of - SNMP polling over site-site VPN. There's a work around for this documented in the release notes here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/release/notes/asarn914.html#reference_xqs_mvp_xhb