05-30-2023 07:42 PM
Good afternoon,
I need to downgrade the ASA software version because our monitoring software has an incompatibility with the latest ASA 5506x software version 9.16; however, it works great with version 9.12. My dilemma is that I don't know how to find out whether or not it would still be OK to use that version without compromising the security of the network.
I can see the latest available software is 9.16(x), so it is fair to assume that one is the one with the latest bug and security fixes; however, what is the oldest software version I can downgrade to without compromising security?
For example, if I go back to, say, version 9.8(x), yeah, most likely there will be a lot of unpatched security holes, but could I go back to, say, 9.12(x) and still be OK from the security standpoint?
Thank you
05-30-2023 11:38 PM
@m4k3rz downgrading to an older version such as 9.12 is a backwards step in regard to security, as the latest version of 9.12(4) your hardware supports is 3 years old.
Have you tried the latest version, 9.16.4 interim? https://software.cisco.com/download/home/286283326/type/280775065/release/9.16.4%20Interim
Tbh there is no good version of ASA software to use on the ASA 5506-X hardware, the firewall is EOL and has been replaced with the FPR-1010 series which supports the latest versions of ASA software or FTD.
05-31-2023 07:59 AM
Good morning,
I did try the 9.16 interim, but as I mentioned in the initial post, it is not working with the monitoring system we use. I've done extensive troubleshooting and can't pinpoint where the issue lies. That's why I pondered downgrading to 9.12(x), which is a version that other ASA on our network is using and working fine with the monitoring.
This is the exact ASA 5506x model I am using. It is running Cisco ASA software and not FTD.
# sh inv
Name: "Chassis", DESCR: "ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC"
PID: ASA5506 , VID: V07 , SN: XYZ
Could someone please provide the EOL link for the ASA 5506 software? I'd like to see what the last date is for bug and security fix releases.
I've been looking but can only find EOL for hardware
https://www.cisco.com/c/en/us/support/security/asa-5506-x-firepower-services/model.html
https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html
05-31-2023 08:10 AM
@m4k3rz ASA version 9.12 is actually in software maintenance support until Feb 27 2024, but 9.12 hasn't had a software update for 3 years on the 5506-X, so has 3 years' worth of security vulnerabilities unpatched. https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/adaptive-security-appliance-9-12x-eol.html
Using 9.12 is a step backwards in regard to security in my view, but I appreciate your position though. I'd still recommend replacing the hardware, you can still use ASA software, 9.19 is the latest version.
05-31-2023 12:51 PM
Thank you, where did you find out that 9.12 is still in maintenance support until 2024?
Also, if that's the case, why hasn't it been receiving updates for bug fixes and security updates for over 3 years?
Thanks Rob
05-31-2023 02:11 PM
@m4k3rz it's on the link I provided previously. https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/adaptive-security-appliance-9-12x-eol.html
I guess it is Cisco's way to force customers to purchase new hardware, as the 5506-X is very old now. Although they have updated 9.16 more recently. Perhaps log a TAC call with Cisco regarding your issue with 9.16?
06-01-2023 08:34 AM
Thanks so much for your help. I'm trying to open a TAC ticket, but it is not letting me because the serial number of the device is not linked to any support contract. Is there any other way you know of?
06-01-2023 08:59 AM
What is not working with your monitoring system? There is one such issue I can think of - SNMP polling over site-site VPN. There's a workaround for this documented in the release notes here: