
ASA 5500-X NGFW Software on Chassis Version 9.x comparison

Marcus Hunold
Level 1

Hi community,

This thread is for all of us who always puzzle over which 9.x version we have to take for our ASA 5500-X NGFW (in my case, a 5545-X).

The wish is to get the best minor version (best maintained/updated, stable and best suited) without having to read the release notes of all minor versions every time.

Over time Cisco has provided different minor releases, and none of them has EOL information, so we can say they are all valid:

9.0 is dead
9.1
9.2
9.3
9.4

compatibility matrix - http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

  • no information on the circumstances under which I have to use which minor version

Cisco Software Research - http://software.cisco.com/selection/research.html

  • no comparison between different minor versions available

 

Let us summarize the main differences between these minor versions to have a quick overview that helps all of us save time and be sure to take the version that fits best.

 

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

For the ASA 5500-X device, I would recommend using ASA 9.2.3, as suggested on the Cisco CCO page as well.

ASA 9.1.6.x is the train which is recommended for the ASA 5500 series, as they cannot run ASA 9.2 and above. For example, ASA 9.4 for the PBR feature.

Other trains are also stable, but the choice depends on the feature availability that is listed in the release notes.

Let me know if you have any queries.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor, thank you for your answer.

Of course I have recognized that there are recommended versions, but there must be a need or an idea behind Cisco providing so many different minor versions...

Well, when version 9.2.x is the recommended version, why does a 9.3.x version exist and why do I need it... (and by the way, what makes the 9.2.x version the recommended one?).

For me as an end customer there is definitely a need for a tool which compares these different versions in a table. (As I remember, for example, I could always compare router IOS versions (e.g. 12.x) among themselves to see what the different versions have in common and what the differences are.)

tl;dr - Cisco will never please all the people all the time. :)

Cisco provides a lot of different versions for various reasons. Many customers' change management and configuration control regimes request Cisco continue to support a given release level in a desire (perhaps misguided but nevertheless deemed valid by those organizations) to not introduce instability to their systems.

Sometimes they have to go through an extensive regulatory or legally-mandated vetting process to make major upgrades. Thus it is attractive to them if Cisco can "keep alive" an older release with only necessary bug fixes being released - no new functionality added.

Other reasons include hardware support. As Vibhor mentioned, Cisco continues to update the releases supporting the older 5500 (non-X) series without Symmetric Multiprocessor (SMP) CPUs. The general policy is that Cisco will continue to provide support for 5 years following end of sales.

The recommended version (as noted with the gold star on the download page) is a judgement by the Business Unit based on input from both the TAC and Development engineering with respect to the stability and maturity of that release.

The versions newer than the recommended release are there to introduce new features and sometimes new hardware support. The leading-edge features are appealing to some customers because of the new functions they offer (as detailed in the release notes), but others may have a more risk-averse stand based on their business requirements.

If you want to learn more, there was a good TAC Security podcast on this topic back in 2013. Here is a link to the show.
