Beginner

ASA 5525X with IPS upgrade to 5525X with Firepower Services

Hello together,

I have 2x 5525-X (in a failover cluster config, first version from 2015) with the old IPS software module.

I want to upgrade the 5525-X hardware with 2x 5525-FP-UPG pack, so that I can use the new Firepower Services.

Does anyone here know an upgrade path or a guide for this procedure?

 

thanks for any help!

Br

Tino

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advisor

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

As per one of the threads from @marvin Rhodes

 

The support doesn't cover any of the upgrade.

 

You would need to purchase the SSD for each appliance. Have your reseller also order the (no cost) Control license.

 Then you need to choose which features you want to license: IPS, URL Filtering and/or Malware (AMP) and the term (1, 3 or 5 years).

 

Finally you need to decide on local management (ASDM - limited features and per-device configuration required even in an HA pair) or remote (Firepower Management Center - requires a separate license and a VM but has the full feature set including the ability to share policies across multiple devices).

BB
*** Rate All Helpful Responses ***
12 REPLIES 12
Beginner

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

Thanks for the explanation.

And for the installation of the SSD, I will go forward with the section "Install and Remove a Solid State Drive for a Services Module" from the Cisco ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X Hardware Installation Guide?

Thank you and best regards

Tino
Hall of Fame Master

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

The SSD is hot-swappable. The installation guide says to reboot after inserting but I have found that to not always be necessary.

 

You can always put it in the standby unit first, reload and then make standby active. Then repeat on the newly standby unit.

Beginner

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

Thank you and I'm a little calmer now, because unfortunately it's also a productive firewall cluster :)
Hall of Fame Master

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

You're welcome.

 

I've done 3 pairs of them this year so far and they all went fine. Follow the module installation instructions carefully and you will be fine. Be sure to have your ASAs at one of the currently recommended code releases before beginning. 9.8(3) interim 21 is the current best choice.

 

https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.3%20Interim

 

For the module software, overall 6.2.3.x is slightly recommended over 6.3.0 only because the latter hasn't had any patches released yet. That may change in the coming weeks.

 

You can always open a TAC case proactively if you have any doubt (assuming you have Smartnet support).

 

Beginner

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services


Ah ok, that sounds good :)
I am currently on 9.6(4)12 and I will take that into account and check the compatibility matrix of ASA, ASDM and FirePower.
Thanks for the advice!

Beginner

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

Hello Marvin Rhoads,
Is 9.8(3) interim 21 still the current best choice?
Or can I calmly take the newest version 983-29-?

Br
Tino
Hall of Fame Master

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

Cisco updates the recommended versions regularly. Currently for most ASAs it's 9.8(4)10.

Reference the "Gold Star" here:

https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.4%20Interim

Beginner

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

Hi Marvin,

 

thanks for your fast response!

 

For version 9.8(4)x, however, there are a lot of errors to read about on the download page:

- Breaks Anyconnect (no workaround) and Failover (workaround)
- Removes default NAT for Internet Access

 

Perhaps it is better to go from 9.6 to 9.8.3.21, since on the download page for 9.8.3 there is nothing to read about known errors?

 

Thanks for advice and best regards

Hall of Fame Master

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

9.8(4.8) fixes the critical bugs as far as I know. Have you looked at the interim build release notes?

https://www.cisco.com/web/software/280775065/146525/ASA-984-Interim-Release-Notes.html

 

Beginner

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

Hi Marvin,

OK, good to know!

I have not yet managed to look into the notes.

 

Thanks for your advice.

Best regards

 

Hall of Fame Master

Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services