Advice with ASA 5506-X upgrade

Arne Bier
VIP

Hello

 

I would like to upgrade the code on an ASA 5506-X with FirePOWER services and it's currently running 9.9(2)32

Cisco Adaptive Security Appliance Software Version 9.9(2)32
Firepower Extensible Operating System Version 2.3(1.121)
Device Manager Version 7.13(1)

Compiled on Mon 05-Nov-18 13:32 PST by builders
System image file is "disk0:/asa992-32-lfbff-k8.SPA"

The Cisco gold star release is 9.8.4 Interim or 9.6.4 Interim - what does that mean in my case? Should I downgrade to 9.8.4 or should I take the latest 9.9.2 Interim?

I looked at the release notes but it's mainly bug lists - not much guidance on how to do these upgrades safely.

ASDM is still in use - I vaguely remember that this means the ASAs are not running the unified code (FTD)?

I am not ready to rebuild the whole setup - main mission is to update the pair of ASAs to the latest code to be up-to-date, and to keep using ASDM.

 

Any guidance for a relative ASA novice appreciated.

 

 


3 Replies

Marvin Rhoads
Hall of Fame

If you're using the Firepower service module then I'd recommend the latest 9.8(4) interim.

The Firepower version will be limited to 6.2.3.x on these boxes since 6.3+ memory requirement exceeds the platform capability.

If you are not using the Firepower service module, then I'd say go with the 9.12(3) latest interim. It's been around for a while and is gold starred for the other hardware that doesn't have the hardware limitations of the 5506-X.

9.14 is a bit new to jump on in production. Not enough field deployments to make a solid case for its long-term viability.

In general, ASA even-numbered releases are long term support. Odd numbers like 9.9 are only short term and recommended only when a new feature is only available there.

If you can get a couple of Firepower 1010 appliances instead, those would be a better bet - either with ASA software or FTD software. The former image for labbing ASA features and the latter for better broad-spectrum protection.

Hi Marvin

Thanks for your sage advice as always ;-)

We do indeed like the FirePOWER module and we are using it. 

The part that confuses me is that I tried the upgrade wizard in ASDM and it didn't offer me 9.8 releases - it only offered 9.10+ and then told me that the FirePOWER module is not supported. Ok.

What are my options? Do I downgrade to 9.8.4? Is that ok, and how is that done (I suppose via ASDM not possible?).

And is there an order in which one should upgrade things?

  1. ROMMON (our unit is one patch behind)
  2. FirePOWER module (one patch behind)
  3. ASA (9.9(2) --> 9.8.4 ??)
  4. ASDM (update to whatever is latest?)

regards

An upgrade wizard never offers a downgrade. :)

It’s fine to downgrade as long as you don’t require one of the (very few) features offered as new in 9.9. 
Just copy the new boot image into the ASA and point the ‘boot system’ command to it. Save and reload. In ASDM that’s under Configuration > Device Setup. 
You would upgrade ROMMON first (cli only), then ASA image and finally Firepower service module. The ASDM you can do at any time. 
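
The image swap described in the reply above, written out as ASA CLI. This is an added example and not part of the original thread: the SCP user, server and new image file name are placeholders, and the old image name is the one shown in the `show version` output in the first post.

```cisco
! Added example. <user>, <server> and <new-image>.SPA are placeholders.

! 1. Copy the target image to flash over an authenticated transport.
copy scp://<user>@<server>/<new-image>.SPA disk0:/<new-image>.SPA

! 2. Hash the file on the ASA and compare the result by eye with the
!    SHA-512 value published on the vendor download page for that image.
verify /sha-512 disk0:/<new-image>.SPA

! 3. 'boot system' entries are tried in the order they appear in the
!    configuration, so a new entry added after the existing one would
!    not take effect. Remove the old entry, add the new one first, and
!    re-add the old image as a fallback.
configure terminal
 no boot system disk0:/asa992-32-lfbff-k8.SPA
 boot system disk0:/<new-image>.SPA
 boot system disk0:/asa992-32-lfbff-k8.SPA
 exit

! 4. Confirm the boot order before committing to it.
show bootvar

! 5. Save and reload, then confirm the running version.
write memory
reload
show version
```

Keeping the old image on disk0: and as the second `boot system` entry gives the appliance something to fall back to if the new image fails to load.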
