Solved: ASA 5525-X software update stable version

h.dam · ‎03-22-2018

Hi everyone,

I'd like to update the software version of my active/standby firewall pair.

At present the FW SW version is 9.8(1), ASDM is 7.8(1)

I found the latest version on Cisco website is 9.9.1(for 5525-X), 7.9(1) for ASDM.

Here's my questions:

- Is v9.9.1 a better and more stable version than v9.8(1) ?

- same question for ASDM 7.9(1)

- can I update FW SW and ASDM at the same time, then reboot the Fw once after these 2 updates?

(I have to update ASDM because of the version compatibility)

Since I have 2 FWs in A/S mode, I will update the Standby unit first, then make a failover, then update the old Active unit. Is it the best way to do ?

Thanks.

Regards.

Marvin Rhoads · ‎03-22-2018

Please see the software download page for current recommended versions.

https://software.cisco.com/download/release.html?mdfid=284143129&flowid=31543&softwareid=280775065&release=9.4.4%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

As of right now, if you are running 9.8, the recommendation is to use the latest 9.8(2) interim - currently interim build 24 dated 5 March 2018.

ASDM can always be updated without a reload. 7.9(1) is what I currently recommend as a few people have been reporting problems with the recent 7.9(1-151) build.

Your method for upgrading A/S is correct. Cisco documents this pretty well here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html#zerotime

It's an older doc but the procedure remains the same.

View solution in original post

Marvin Rhoads · ‎03-22-2018

Please see the software download page for current recommended versions.

https://software.cisco.com/download/release.html?mdfid=284143129&flowid=31543&softwareid=280775065&release=9.4.4%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

As of right now, if you are running 9.8, the recommendation is to use the latest 9.8(2) interim - currently interim build 24 dated 5 March 2018.

ASDM can always be updated without a reload. 7.9(1) is what I currently recommend as a few people have been reporting problems with the recent 7.9(1-151) build.

Your method for upgrading A/S is correct. Cisco documents this pretty well here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html#zerotime

It's an older doc but the procedure remains the same.

h.dam · ‎03-24-2018

Hi Marvin,

Thank you very much for the information.
So I will upgrade ASA to the recommended 9.8(2).
But I am not sure which version for ASDM since Cisco said 7.9 is for 9.9 while you recommend 7.9(1).
About SFR module, I think the ASA software upgrade won't impact the IPS functions because it works independently.

Regards.

Marvin Rhoads · ‎03-24-2018

Note that the ASA compatibility matrix recommends ASDM 7.8(2)+ (I.e., or later versions) for ASA software 9.8(2).

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_59423

The FirePOWER module is pretty much independent and not affected by ASA or ASDM upgrades; but we should still follow the table further down in the compatibility matrix for that aspect as well. ASA 9.8(x) will be supported with FirePOWER 6.1.0 or later.