Showing results for 
Search instead for 
Did you mean: 

ASA 5506x oldest software version to downgrade while keeping security

Level 1
Level 1

Good afternoon,

I need to downgrade the ASA software version because our monitoring software has an incompatibility with the latest ASA 5506x software version 9.16; however, it works great with version 9.12. My dilemma, is that i don't know how to find out whether or not it would still be ok to use that version without compromising the security of the network.

I can see the latest available software is 9.16(x), so is fair to assume that one is the one with the latest bug and security fixes; however, what is the oldest software version I can downgrade to without compromising security? 

For example, if I go back say to version 9.8(x), yeah most likely there will be a lot of unpatched security holes, but could i go back to say 9.12(x) and still be ok from the security standpoint?

Thank you

7 Replies 7

@m4k3rz downgrading to an older version such as 9.12 is a backwards step in regard to security, as the latest version of 9.12(4) your hardware supports is 3 years old.

Have you tried the latest version, 9.16.4 interim -

Tbh there is no good version of ASA software to use on the ASA 5506-X hardware, the firewall is EOL and has been replaced with the FPR-1010 series which supports the latest versions of ASA software or FTD.

Good morning,

I did try the 9.16 interim, but as i mentioned on the initial post, is not working with the monitoring system we use. I've done extensive troubleshooting and can't pin point where the issue lays. That's why I pondered about downgrading to 9.12(x) which is a version that other ASA on our network is using and working fine with the monitoring.

This is the exact ASA 5506x model I am using. Is running Cisco ASA software and not FTD.
# sh inv
Name: "Chassis", DESCR: "ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC"
PID: ASA5506 , VID: V07 , SN: XYZ

Could someone please provide the EOL link for the ASA 5506 software? I'd like to see where is the last date for bugs and security fixes releases.
I've been looking but can only find EOL for hardware


@m4k3rz ASA version 9.12 is actually in software maintenance support until Feb 27 2024, but 9.12 hasn't had a software update for 3 years on the 5506-X, so has 3 years worth of security vulnerabilities unpatched.

Using 9.12 is a step backwards in regard to security in my view, but I appreciate your position though. I'd still recommend replacing the hardware, you can still use ASA software, 9.19 is the latest version.


Thank you, where did you find out that 9.12 is still in maintenance support until 2024?

also, if that's the case, why it hasn't been receiving updates for bug fixes and security updates for over 3 years?

Thanks Rob

@m4k3rz its on the link I provided previously.


I guess it is Cisco's way to force customers to purchase new hardware, as the 5506-X is very old now. Although they have updated 9.16 more recently. Perhaps log a TAC call with Cisco regarding your issue with 9.16?

Thanks so much for your help. I'm trying to open a TAC ticket, but is not letting me because the serial number of the device is not linked to any support contract. is there any other way you know of?

What is not working with your monitoring system? There is one such issue I can think of - SNMP polling over site-site VPN. There's a work around for this documented in the release notes here:


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card