topic Re: Which ASA Software Version to Use? in Network Security

Which ASA Software Version to Use?

ds6123 — Tue, 12 Mar 2019 01:25:12 GMT

A few questions:

1. Is there a rhyme or reason on what is posted on CCO under the "Latest Releases" header? Right now, it has 9.0.2.ED, 8.4.5.ED and 8.2.5.ED listed (but not 9.1.1.ED). Instead, 9.1.1.ED is listed further below under "All Releases". Is this Cisco's way saying don't use 9.1.1.ED?

2. I've gone through the release notes of all of them, and frankly, they all seem to have show stopper bugs. Right now, we're trying to upgrade a pair of firewalls from 8.2 to modern software. Previously an attempt was made to go to 9.1.1.ED (released Dec 2012) and the customer had strange problems (certain apps would stop working) after a few hours so they reverted back to 8.2. The fact that 9.1.1.ED is buried under "All Releases" concerns me. There's a 9.1.1 Interim release (from March 2013) that I'm considering using. Of course, there are 85 bugs fixed in that Interim release and none of them really match the symptoms the customer experienced. Should I use this Interim release?

3. Maybe I should go down to 9.0.2.ED (released Feb 2013)? Maybe much older releases? BTW, this is just a simple ASA5520 with plenty of RAM.

Why are there so many bugs? I could spend an eternity going through all of them.

Re: Which ASA Software Version to Use?

Jouni Forss — Mon, 08 Apr 2013 20:21:30 GMT

Hi,

Most of the ASA I use are using a software between 8.4(1) and 8.4(5)

To my understanding the software 9.1(1) has had for example some NAT configurations that cause problems for people. That is also one reason why I havent updated some of our ASAs.

To be honest I havent run into or identified that many bugs in our environment. Also one thing that probably minimizes our risk to bump into a bug is that we use multilple ASA firewalls for different purposes (Firewalling/NAT and VPN separately)

Latest recomendation I have heard has been 8.4(5) but to be honest as soon as I heard that I was told elsewhere that people were running into major problems using this software. So I guess it comes down to what you configure/use on the ASA in question and for example if you are using Failover or not.

Im probably still going to wait some time for some newer releases before I upgrade our devices.

One reason the 9.1(1) might not be shown at the top is that the software 9.0(2) is newer than 9.1(1)

EDIT: Actually there seems to be a release 9.1(1)4 which is newer than 9.0(2). Under the 9.1.1 Interim. I guess it must have some bugfixes related to the 9.1(1) software. Doh I must be blind you already mentioned this

- Jouni