Solved: Re: ASA 5525X with IPS upgrade to 5525X with Firepower Services

tweishaar · ‎02-18-2019

Hello together,

I have 2x5525-X (in a Failover-Cluster config) and (first Version from 2015) with the old IPS Software Modul.

I want to upgrade the 5525x Hardware with 2x5525-FP-UPG Pack, so that i can use the new Firepower Services.

So anyone here, he knows a Upgrade Path or an Guide for this procedure?

thanks for any help!

Br

Tino

balaji.bandi · ‎02-18-2019

As per one of thread from @marvin Rhodes

The support doesn't cover any of the upgrade.

You would need to purchase the SSD for each appliance. Have your reseller also order the (no cost) Control license.

Then you need to choose which features you want to license: IPS, URL Filtering and/or Malware (AMP) and the term (1, 3 or 5 years).

Finally you need to decide on local management (ASDM - limited features and per-device configuration required even in an HA pair) or remote (Firepower Management Center - requires a separate license and a VM but has the full feature set including the ability to share policies across multiple devices).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎02-18-2019

As per one of thread from @marvin Rhodes

The support doesn't cover any of the upgrade.

You would need to purchase the SSD for each appliance. Have your reseller also order the (no cost) Control license.

Then you need to choose which features you want to license: IPS, URL Filtering and/or Malware (AMP) and the term (1, 3 or 5 years).

Finally you need to decide on local management (ASDM - limited features and per-device configuration required even in an HA pair) or remote (Firepower Management Center - requires a separate license and a VM but has the full feature set including the ability to share policies across multiple devices).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tweishaar · ‎02-19-2019

Thanks for the explanation.

And for the installation of the SSD, i will go forward with the section "Install and Remove a Solid State Drive for a Services Module" from the Cisco ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X Hardware Installation Guide?

Thank you and best regards

Tino

Marvin Rhoads · ‎02-19-2019

The SSD is hot-swappable. The installation guide says to reboot after inserting but I have found that to not always be necessary.

You can always put it in the standby unit first, reload and then make standby active. The repeat on the newly standby unit.

tweishaar · ‎02-19-2019

Thank you and I'm a little calmer now, because unfortunately it's also a productive firewall cluster :)

Marvin Rhoads · ‎02-19-2019

You're welcome.

I've done 3 pairs of them this year so far and they all went fine. Follow the module installation instructions carefully and you will be fine. Be sure to have your ASAs at one of the currently recommended code releases before beginning. 9.8(3) interim 21 is the current best choice.

https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.3%20Interim

For the module software, overall 6.2.3.x is slightly recommended over 6.3.0 only because the latter hasn't had any patches released yet. That may change in the coming weeks.

You can always open a TAC case proactively if you have any doubt. (assuming your have Smartnet support)

tweishaar · ‎02-19-2019

Ah ok, that sounds good :)
I am actual on 9.6(4)12 and i will take that into account and check the compatibility matrix of ASA, ASDM and FirePower.
Thanks for the advice!

initcisco · ‎08-30-2019

Hello Marvin Rhoads,
is 9.8(3) interim 21still the current best choice?
Or can I calmly take the version newest version 983-29-?

Br
Tino

Marvin Rhoads · ‎08-30-2019

Cisco updates the recommended versions regularly. Currently for most ASAs it's 9.8(4)10.

Reference the "Gold Star" here:

https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.4%20Interim

initcisco · ‎09-13-2019

Hi Marvin,

thanks for your fast response!

For the version 9.8(4)x, however, on the download page a lot of errors to read:

- Breaks Anyconnect (no workaround) and Failover (workaround)
- Removes default NAT for Internet Access

Perhaps it is better to go from 9.6 to 9.8.3.21, on the download page from 9.8.3, there is nothing to read of known errors?

Thanks for advice and best regards

Marvin Rhoads · ‎09-13-2019

9.8(4.8) fixes the critical bugs as far as I know. Have you looked at the interim build release notes?

https://www.cisco.com/web/software/280775065/146525/ASA-984-Interim-Release-Notes.html

initcisco · ‎09-16-2019

Hi Marvin,

ok good to know!

Currently I have not made it yet to look into the notes.

Thanks for your advice.

Best regards

Marvin Rhoads · ‎02-18-2019

The basic configuration procedure is described here:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html