06-23-2020 05:06 PM
Hello
I would like to upgrade the code on an ASA 5506-X with FirePOWER services and it's currently running 9.9(2)32.
Cisco Adaptive Security Appliance Software Version 9.9(2)32
Firepower Extensible Operating System Version 2.3(1.121)
Device Manager Version 7.13(1)
Compiled on Mon 05-Nov-18 13:32 PST by builders
System image file is "disk0:/asa992-32-lfbff-k8.SPA"
The Cisco gold star release is 9.8.4 Interim or 9.6.4 Interim - what does that mean in my case? Should I downgrade to 9.8.4 or should I take the latest 9.9.2 Interim?
I looked at the release notes but it's mainly bug lists - not much guidance on how to do these upgrades safely.
ASDM is still in use - I vaguely remember that this means the ASAs are not running the unified code (FTD)?
I am not ready to rebuild the whole setup - main mission is to update the pair of ASAs to the latest code to be up-to-date, and to keep using ASDM.
Any guidance for a relative ASA novice appreciated.
06-23-2020 06:49 PM - edited 06-23-2020 06:52 PM
If you're using the Firepower service module then I'd recommend the latest 9.8(4) interim.
The Firepower version will be limited to 6.2.3.x on these boxes since 6.3+ memory requirement exceeds the platform capability.
If you are not using the Firepower service module, then I'd say go with the 9.12(3) latest interim. It's been around for a while and is gold starred for the other hardware that doesn't have the hardware limitations of the 5506-X.
9.14 is a bit new to jump on in production. Not enough field deployments to make a solid case for its long-term viability.
In general, ASA even-numbered releases are long term support. Odd numbers like 9.9 are only short term and recommended only when a new feature is only available there.
If you can get a couple of Firepower 1010 appliances instead those would be a better bet - either with ASA software or FTD software. The former image for labbing ASA features and the latter for better broad-spectrum protection.
06-23-2020 07:06 PM
Hi Marvin
Thanks for your sage advice as always ;-)
We do indeed like the FirePOWER module and we are using it.
The part that confuses me is that I tried the upgrade wizard in ASDM and it didn't offer me 9.8 releases - it only offered 9.10+ and then told me that the FirePOWER module is not supported. Ok.
What are my options? Do I downgrade to 9.8.4? Is that ok, and how is that done (I suppose via ASDM not possible?).
And is there an order in which one should upgrade things?
regards
06-23-2020 07:36 PM - edited 06-23-2020 07:37 PM
An upgrade wizard never offers a downgrade. :)
It’s fine to downgrade as long as you don’t require one of the (very few) features offered as new in 9.9.
Just copy the new boot image into the ASA and point the ‘boot system’ command to it. Save and reload. In ASDM that’s under Configuration > Device Setup.
You would upgrade ROMMON first (CLI only), then ASA image and finally Firepower service module. The ASDM you can do at any time.