
ASA 5516-X Firepower Version Upgradation from 9.8(4)29 to 9.12.4.67

King_1988
Level 1

Hi,

Can anyone please provide me the procedure for the version upgrade from 9.8(4)29 to 9.12.4.67? What are the prerequisites?

@King_1988 you can upgrade directly from 9.8 to 9.12 (you do not need to upgrade to an interim version)

Guide to upgrade ASA:- https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#topic_r5l_tt5_bbb

Take a backup copy of your current firmware and the configuration before you upgrade.

 

Always refer to the release notes before upgrading.  There you will find all prerequisites and which versions can upgrade directly to the new version or if you need to go through an intermediate version before reaching the final version.  

The release notes will also include any hardware  requirements as well as known bugs that might affect your upgrade.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/release/notes/asarn912.html#id_25640

 

--
Please remember to select a correct answer and rate helpful posts

King_1988
Level 1

King_1988_0-1714466985711.png

Am I downloading the correct image?

@King_1988 that appears to be the correct image for the 5516-X hardware yes.

Any reason for not upgrading to 9.16? It's more recent (with more bug fixes) and is an Extra Long Term Release; the latest 9.12.4 image is 4 years old!

Yes, that's the correct image. Once you have downloaded this image, also download the ASA image too if it is required by you for GUI presentation.

Please do not forget to rate.

That is the correct image.

--
Please remember to select a correct answer and rate helpful posts

How long does it take to upgrade the HA firewall? 

 

You reload each unit separately and wait for it to be Standby Ready before switching it to active and then reloading the other member of the HA pair. Each ASA typically reloads with the upgrade in about 2 minutes. If you are using the Firepower service module, it takes an extra 2-3 minutes to fully come up.

So, all together, you can typically upgrade an ASA 5500-X HA pair in a zero downtime process in about 10-15 minutes.

There is some VPN configuration also. I believe there will be no issue because of the version upgrade, right?

Upgrading does not take much time.  However, I do tend to request a service window of a few hours so that I am prepared for a worst case scenario where I need to troubleshoot or get TAC involved.

I typically do the following when upgrading an ASA:

  • failover to the secondary / standby device
  • upgrade the primary
  • failover to the primary ASA and verify that everything is OK
  • proceed with upgrading the standby device.

This way if something goes wrong with the primary after the upgrade I can always revert to the secondary while troubleshooting the primary.  In addition, when the upgrade is complete, the primary is the active ASA and I do not need to failover from the secondary to satisfy my OCD of needing the primary as active.

--
Please remember to select a correct answer and rate helpful posts
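The "wait for Standby Ready before switching" gate described in the replies above, as an added example that is not part of any reply in this thread and not Cisco tooling. It parses `show failover` output (the sample is constructed and abridged; all function names are hypothetical) and treats `9.12(4)67` and `9.12.4.67` as the same version.

```python
import re

# Constructed, abridged sample of "show failover" output, as seen on the
# secondary after the primary was reloaded on the new image and rejoined.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Version: Ours 9.8(4)29, Mate 9.12(4)67
        This host: Secondary - Active
        Other host: Primary - Standby Ready
"""

def parse_version(text):
    """Normalise '9.12(4)67' and '9.12.4.67' to the tuple (9, 12, 4, 67)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def failover_status(output):
    """Extract role and state for both units, plus their software versions."""
    status = {"this": {}, "other": {}}
    for who, role, state in re.findall(
            r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$", output, re.M):
        status[who.lower()].update(role=role, state=state)
    ver = re.search(r"Version:\s*Ours\s+(\S+?),\s*Mate\s+(\S+)", output)
    if ver:
        status["this"]["version"] = parse_version(ver.group(1))
        status["other"]["version"] = parse_version(ver.group(2))
    return status

def safe_to_switch(output, target):
    """True only if this unit is Active and the peer is Standby Ready
    and already running the target release."""
    st = failover_status(output)
    return (st["this"].get("state") == "Active"
            and st["other"].get("state") == "Standby Ready"
            and st["other"].get("version") == parse_version(target))

if __name__ == "__main__":
    print(safe_to_switch(SAMPLE_SHOW_FAILOVER, "9.12.4.67"))
```

Run the check against fresh output before each failover; a peer in any state other than Standby Ready, or still on the old release, keeps the gate closed.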

HecOnPoint
Level 1

Were you able to get your ASA upgraded?

I have a 5516-X on version 9.12(4)18 and attempted to upgrade to latest 9.16.4 version and ran into issues after upgrade.

I was not able to get AnyConnect to work, and the CLI was pretty slow and choppy, so I decided to revert. I lost connectivity to ASDM, but that was on me: make sure you upgrade the ASDM image first. (Hindsight 20/20)

Can anyone confirm the latest version 9.16.4 works?

Got a TAC case opened; they recommended the upgrade path 9.12.x -> 9.12.4.67 to get past CVEs 20353, 20358, 20359 (Arcane Door).

But I do not see that image as a download option on Cisco Soft Center.

 

Wanted to provide an update on upgrading Cisco 5516-X.

When I attempted to upgrade from 9.12(4)18 to 9.16.4, AnyConnect stopped working due to incompatible AnyConnect versions, so I had to revert.

Make sure to read the release notes; you have to update the ROMMON version, ASDM version, and AnyConnect version.

I decided to go with the 9.12.x -> 9.12.4.67 to get past CVEs 20353, 20358, 20359 (Arcane Door).

Which ROMMON, ASDM, and AnyConnect is still compatible with 9.12.x -> 9.12.4.67.

Will get these upgraded sooner than later.

Software is located in Software Center inside the Intermediate versions tab.

Good Luck!

 

How do you find the 9.12.4.67 version on your ASA? Is it stable? Are you facing any bugs?

That's a very stable version as it was just fixing a few bugs on top of a version that had been out for some time without any other significant issues. I had one customer upgrade to it on a heavily used ASA and they have had no issues in the past two weeks.
