ASA 9.6.4.x vs other higher versions

Ve Con
Level 1

I am about to upgrade my ASA to 9.6.4.14 to solve a vulnerability.

I am debating whether I should move to 9.7 or 9.8 or higher as well.

I am not sure what is the most stable out of all from those above versions that I should upgrade to.

Any suggestion? I don't expect any bug-free software, I just wish to know if someone already tried and know one version is more stable than the other that they can share from their experiment.  I don't believe latest greatest is always the best.

 

It looks like from this link (table under "Upgrade the Software" section), since I am in 9.6.4.3 and want to stay with 9.6 family, I should just upgrade to the latest version in 9.6 OR if I want to move up to a major release, Cisco recommended to go to 9.8 instead of 9.7. Can anyone confirm if my understanding is correct, on the right path?

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html#ID-2172-00000128

 

Thanks in advance!

1 Accepted Solution

Accepted Solutions

Ajay Saini
Level 7

As best practice, there are a few considerations:

1. The major version needs to be upgraded if you are running an outdated code, hitting a bug/caveat or looking for a new feature which is available in a new major release. For the most stable and recommended versions, look for the 'star' mark against these images in the Software download section.

2. Within a major release, it's always advisable to go for the latest maintenance release since that covers all the consolidated caveats for that release and the previous releases.

If you are running version 9.6, and not hitting any bug or looking for any new features, then you can choose to stay with 9.6.14 which happens to be the latest interim release within that major release.

And you are right in saying that latest is not always the best, but a stable version does the job for you.

 

HTH
AJ

Hi Ajay,

Thanks so much for your response.

1) I wonder why the Cisco TAC cannot suggest me the most stable version. They literally told me they don't have any suggestion for the stable version. Just gave me the link to the Software Download page. Thanks so much again for pointing the "star" out. And yes, when I point the mouse over to the "star", it says this:

"Cisco suggested release based on software quality, stability, and longevity. Try Software Research"



BTW, do you know if this is how ASDM should work with "check for updates..."?

No interim version is listed in the drop down menu for the ASA version.  Just listed 9.8.2, 9.98.1, 9.8.3, 9.9.1, 9.9.2, 9.7.1

I was looking for 9.6.4.14 but don't see it.  I am at 9.6.4.3

1) I wonder why the Cisco TAC cannot suggest me the most stable version. They literally told me they don't have any suggestion for the stable version. Just gave me the link to the Software Download page. Thanks so much again for pointing the "star" out. And yes, when I point the mouse over to the "star", it says this:

"Cisco suggested release based on software quality, stability, and longevity. Try Software Research"

This is expected, I have worked for TAC for more than 7 years and that's what a TAC engineer would do. Since there is no 100% bug-free image, there are recommended images which they would suggest and not any specific image.

 

 

BTW, do you know if this is how ASDM should work with "check for updates..."?

ASDM images can be used at the highest version since they usually go hand in hand with the Java version. Just check the release notes for the ASDM version you wish to install and see if your software version on ASA is listed as supported.

 

No interim version is listed in the drop down menu for the ASA version.  Just listed 9.8.2, 9.98.1, 9.8.3, 9.9.1, 9.9.2, 9.7.1

I was looking for 9.6.4.14 but don't see it.  I am at 9.6.4.3

 

This should be under Interim images, I am attaching a screenshot from my software download page. You should see 9.6.3.14 out there.

 


HTH
AJ

Hi Ajay,

 

Thanks for the confirmation.  Greatly appreciated!

 

I think I might not have stated my question clearly enough, which confused you; I am sorry about that.

I meant when I check for updates using ASDM, it didn't list the interim versions (I am expecting to see the version 9.6.4.14) in the drop-down list. I just want to know if that is how ASDM works (not listing interim versions)? Attached is my screenshot of ASDM for "check for updates .."

 

 

If you select 9.6.3, and when you download, it will automatically download the latest interim. At least that's what the document says:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/admin_swconfig.html

 

"ASDM downloads the latest image version, which includes the build number. For example, if you are downloading 9.1(4), the download might be 9.1(4.2). This behavior is expected, so you may proceed with the planned upgrade."

 

HTH
AJ
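
The thread writes the same release both as 9.6.4.14 and in Cisco's parenthesised form (9.1(4.2) in the quoted ASDM document), and the advice is to take the latest interim within the current train. The following is an added example, not code from the thread or from Cisco: it normalises both notations, picks the highest release in the running train, and checks the running release against a target. The function names, the banner line and the list of available images are constructed for illustration.

```python
import re

# Accepts dotted "9.6.4.14" and Cisco's parenthesised "9.6(4)14" / "9.1(4.2)".
_VER = re.compile(
    r"^(\d+)\.(\d+)"
    r"(?:\((\d+)(?:\.(\d+))?\)(\d+)?"   # 9.6(4)14 or 9.1(4.2)
    r"|\.(\d+)(?:\.(\d+))?)?$"          # 9.6.4.14 or 9.8.2
)

def parse_asa_version(text):
    """Return (major, minor, maintenance, interim); absent parts count as 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    major, minor, p_maint, p_in, p_out, d_maint, d_int = m.groups()
    if p_in and p_out:
        raise ValueError(f"two interim numbers in {text!r}")
    return (int(major), int(minor),
            int(p_maint or d_maint or 0), int(p_in or p_out or d_int or 0))

def version_from_banner(line):
    """Pull the version token out of a 'show version' banner line."""
    m = re.search(r"Software Version (\S+)", line)
    if not m:
        raise ValueError("no version in banner")
    return m.group(1)

def latest_in_train(running, available):
    """Highest available release in the same major.minor train, or None."""
    train = parse_asa_version(running)[:2]
    same = [v for v in available if parse_asa_version(v)[:2] == train]
    return max(same, key=parse_asa_version, default=None)

def needs_upgrade(running, target):
    """True if running sorts below target; refuses to compare across trains."""
    run, tgt = parse_asa_version(running), parse_asa_version(target)
    if run[:2] != tgt[:2]:
        raise ValueError("target release belongs to a different train")
    return run < tgt

# Constructed sample data using version numbers mentioned in the thread.
BANNER = "Cisco Adaptive Security Appliance Software Version 9.6(4)3"
AVAILABLE = ["9.8.2", "9.8.3", "9.9.1", "9.9.2", "9.7.1", "9.6(4)14", "9.6.4.3"]

if __name__ == "__main__":
    running = version_from_banner(BANNER)
    print(running, "->", latest_in_train(running, AVAILABLE),
          "upgrade needed:", needs_upgrade(running, "9.6.4.14"))
```

The cross-train refusal is deliberate: a higher number in another train says nothing about whether a given fix is present there, so that comparison has to be made against that train's own release notes.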
