
ASA 5525X with IPS upgrade to 5525X with Firepower Services

tweishaar
Level 1

Hello together,

I have 2x 5525-X (in a failover cluster config, first version from 2015) with the old IPS software module.

I want to upgrade the 5525-X hardware with the 2x 5525-FP-UPG pack, so that I can use the new Firepower Services.

Does anyone here know an upgrade path or a guide for this procedure?

Thanks for any help!

Br

Tino

Accepted Solution

balaji.bandi
Hall of Fame

As per one of the threads from @Marvin Rhoads

 

The support doesn't cover any of the upgrade.

 

You would need to purchase the SSD for each appliance. Have your reseller also order the (no cost) Control license.

 Then you need to choose which features you want to license: IPS, URL Filtering and/or Malware (AMP) and the term (1, 3 or 5 years).

 

Finally you need to decide on local management (ASDM - limited features and per-device configuration required even in an HA pair) or remote (Firepower Management Center - requires a separate license and a VM but has the full feature set including the ability to share policies across multiple devices).

BB


12 Replies


Thanks for the explanation.

And for the installation of the SSD, I will go forward with the section "Install and Remove a Solid State Drive for a Services Module" from the Cisco ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X Hardware Installation Guide?

Thank you and best regards

Tino

The SSD is hot-swappable. The installation guide says to reboot after inserting but I have found that to not always be necessary.

 

You can always put it in the standby unit first, reload and then make standby active. Then repeat on the new standby unit.

Thank you and I'm a little calmer now, because unfortunately it's also a productive firewall cluster :)

You're welcome.

 

I've done 3 pairs of them this year so far and they all went fine. Follow the module installation instructions carefully and you will be fine. Be sure to have your ASAs at one of the currently recommended code releases before beginning. 9.8(3) interim 21 is the current best choice.

 

https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.3%20Interim

 

For the module software, overall 6.2.3.x is slightly recommended over 6.3.0 only because the latter hasn't had any patches released yet. That may change in the coming weeks.

 

You can always open a TAC case proactively if you have any doubt (assuming you have Smartnet support).

 


Ah ok, that sounds good :)
I am currently on 9.6(4)12 and I will take that into account and check the compatibility matrix of ASA, ASDM and Firepower.
Thanks for the advice!

Hello Marvin Rhoads,
Is 9.8(3) interim 21 still the current best choice?
Or can I calmly take the newest version 983-29-?

Br
Tino

Cisco updates the recommended versions regularly. Currently for most ASAs it's 9.8(4)10.

Reference the "Gold Star" here:

https://software.cisco.com/download/home/284143129/type/280775065/release/9.8.4%20Interim

Hi Marvin,

 

thanks for your fast response!

 

For version 9.8(4)x, however, there are a lot of errors to read about on the download page:

- Breaks AnyConnect (no workaround) and Failover (workaround)
- Removes default NAT for Internet Access

Perhaps it is better to go from 9.6 to 9.8.3.21; on the download page for 9.8.3, there are no known errors to read about?

 

Thanks for the advice and best regards

9.8(4.8) fixes the critical bugs as far as I know. Have you looked at the interim build release notes?

https://www.cisco.com/web/software/280775065/146525/ASA-984-Interim-Release-Notes.html

 

Hi Marvin,

ok good to know!

I have not yet managed to look into the notes.

 

Thanks for your advice.

Best regards

 
