Asa 5516-x Firmware upgrade

sv7 · ‎01-03-2024

Hi All,

Going to upgrade cisco asa 5516-x firepower module to version 9.16(x) and asdm 7.16(1.150). If i execute show version it shows only asa software image (asa982-38-lfbff-k8.SPA) and same in boot system file (boot system disk0:/asa982-38-lfbff-k8.SPA). Whereas in disk 0 i can see (asasfr-5500x-boot-6.2.3-4.img).

Need to know upgrading only asa and asdm image to 9.16(x) and asdm 7.16(1.150) sufficient for this activity or need to upgrade firepower module also as i can see in disk 0.

Marius Gunnerud · ‎01-04-2024

If you plan on using the SFR module, then you should upgrade it. If you are not planning on using the SFR module then there is no need to upgrade it.

--
Please remember to select a correct answer and rate helpful posts

sv7 · ‎01-04-2024

Can i upgrade the SFR module post upgrading the Asa to target version ?.

Marius Gunnerud · ‎01-04-2024

Yes you can upgrade it later, infact in most cases you will need to upgrade the SFR after upgrading the ASA version, this is depending on if the ASA version the ASA is running supports the SFR version you are upgrading to.

--
Please remember to select a correct answer and rate helpful posts

Ruben Cocheno · ‎01-04-2024

@sv7

Yes, you can. But if you not using it, then shutdown the module. You can bring it up later if you want, they work independently.

Please refer "shut down the module" section in below document

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#pgfId-1486644

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

sv7 · ‎01-04-2024

Hi Ruben,

Thank you for your suggestion, However when i click on your link it shows 404 page not found.

Marius Gunnerud · ‎01-05-2024

If you want to shutdown the module you can use the following command:

sw-module module sfr shutdown

if you are sure you will not be using it in the future you can uninstall the module:

sw-module sfr uninstall

--
Please remember to select a correct answer and rate helpful posts

sv7 · ‎01-06-2024

Thank you for sharing the command. However we are using sfr module just for licenses i.e Malware,ips like such and manage via virtual FMC. However now i came arcoss new problem that my Secondary Asa not powering on and i have requested for RMA.

So to again reconfigure replaced ASA with new one what would i have to do as we are also using sfr module.

Marius Gunnerud · ‎01-08-2024

Since you are using the SFR module you should consider upgrading the SFR module after upgrading the the ASA.

Replacing an ASA in an HA setup is simple. You only need to add the failover configuration to the replaced device and everything else will be automatic. You will need to upload AnyConnect files, AnyConnect client profile .xml files, if you are using the device for anyconnect.

So if the device you are replacing is the secondary device the configuration would be the following, change the interface and IP as needed:

failover
failover lan unit secondary
failover lan interface FAILOVER ethernet0/0
failover replication http
failover link FAILOVER ethernet0/1
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2

--
Please remember to select a correct answer and rate helpful posts

sv7 · ‎01-16-2024

Hi,

Im using SFR and its current version 6.2.3.6, what could be the impact if i dont upgrade. However we are using it just to manage licenses (Malware, ips) via integration with fmc.

Marius Gunnerud · ‎01-16-2024

Any reason you do not want to upgrade? 6.2.3.6 is an extremely old version.

The impact you could run into is your licenses and support contracts for the SFR module not being valid if you need to open a case with TAC. Other things that might impact you are bugs that are fixed in later releases, performance issues, and possible security risks by not patching.

--
Please remember to select a correct answer and rate helpful posts