topic Based on the documents. in Network Security

ASA | UPGRADE

John — Tue, 12 Mar 2019 09:14:42 GMT

Instead of waiting for a bug, is it better to upgrade the IOS version now to avoid the possible bugs?

Cisco Adaptive Security Appliance Software Version 9.1(6)11
Device Manager Version 7.1(7)

Generally its best to use the

Marvin Rhoads — Fri, 21 Apr 2017 11:24:52 GMT

Generally its best to use the Cisco-recommended release for your hardware. The very latest release may introduce not-yet-identified bugs as it has not had time to be widely deployed across different customer environments.

What appliance model are you using? If it's a legacy 5500 series then 9.1(7.x) is the highest you can go on those discontinued platforms.

our appliance is 5520 and

John — Sat, 22 Apr 2017 00:09:42 GMT

our appliance is 5520 and 5508.

so it is ok to upgrade even if our network is stable and we don't experience any bug right now?

It's not just bugs that are

Marvin Rhoads — Sat, 22 Apr 2017 06:21:48 GMT

It's not just bugs that are fixed by new releases. It's also security vulnerabilities and new features that are added

Your 5520 is end of sales and no new features are being added to it any more. The current recommended release is 9.1(7.16):

https://software.cisco.com/download/release.html?mdfid=279916878&softwareid=280775065&release=8.4.4.ED

The 5508 is newer and can run later and better versions of software. Currently no particular release is Cisco-recommended but I'd advise choosing from among the most recent ones in this listing:

https://software.cisco.com/download/release.html?mdfid=286285773&softwareid=280775065&release=9.7.1&relind=AVAILABLE&rellifecycle=&reltype=latest

With the newer ASAs there's currently one particular bug (CSCvd78303) that you need to be careful to avoid:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd78303

Based on the documents.

John — Sat, 22 Apr 2017 09:27:58 GMT

Based on the documents.

Conditions:
This is seen when the ASA's uptime reaches 213 days.

This problem affects ASA and FTD versions:
ASA version 9.1 releases 9.1(7)8 and higher
ASA version 9.2 releases 9.2(4)15 and higher
ASA version 9.4 releases 9.4(3)5 and higher including 9.4(4)
ASA version 9.5 releases 9.5(3) and higher
ASA version 9.6 releases 9.6(2)1 and higher including 9.6(3)
ASA version 9.7 releases 9.7(1) and higher

What if we don't want to upgrade our firewall. so that we're not able to hit the bug CSCvd78303?

is this version 9.1(6)11 is stable?

You can continue to run 9.1(6

Marvin Rhoads — Sat, 22 Apr 2017 11:21:22 GMT

You can continue to run 9.1(6.11) for many years as long as you don't need to use any of the newer features and security that are offered by the newer hardware and software.

Only you and your management can say whether that's an acceptable risk for your environment. Most security professionals would advise that is isn't; but it's your organization's decision in the end.

Hello Marvin,

John — Mon, 24 Apr 2017 05:29:28 GMT

Hello Marvin,

Thanks for the information. I would like to know what is the new feature for 9.1.7(16)?

All Cisco software version

Marvin Rhoads — Mon, 24 Apr 2017 05:48:49 GMT

All Cisco software versions have associated release notes. For the few things introduced between 9.1(6) and 9.1(7) maintenance releases, please refer here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-789421

Within the 9.1(7) maintenance release there have been multiple interim releases. The notes for them are generally linked on the downloads page:

https://software.cisco.com/download/release.html?mdfid=279916878&flowid=4374&softwareid=280775065&release=9.1.7%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

Specifically here are the release notes for 9.1(7.16) interim release:

http://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html

Interim releases are strictly for bug fixes and do not introduce new features

You can can similarly see on the parent pages of the minor release notes all of the later releases for 5500-X series models. As I noted, the end of sales 5500 series (including your 5520) is not supported beyond 9.1(x).