
ASA Firewall Upgrade from 8.2, 8.4 to 9.0

b.njjad
Level 1

Dear All,

We have five firewalls with the following details:

First Firewall

Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)

My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?


Second Firewall

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)

My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?

Third Firewall

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)

My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?

Fourth Firewall

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)

My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?

Fifth Firewall

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)

My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?

Please help. I am doing the upgrade remotely using ASDM and I don't want to do any upgrade that could result in loss of connectivity.

Best regards


Jouni Forss
VIP Alumni

Hi,

I would have to say that the software updates from 8.4(3) to 9.0(2) (for example) should not have any major changes regarding configuration format. So those probably won't cause problems, unless there is possibly some bug that might affect your particular ASA setup.

However, the 8.2 jump to 9.0 is something totally different. I am not sure if the ASA would automatically convert the configuration in this software jump (I have not tried it myself). It might, but I have never personally trusted the ASA to convert the configurations for me. There are situations where the conversion isn't complete and will leave the NAT configuration really messy, and not everything works.

Are your 8.4(3) units configured from scratch or were they upgraded earlier from 8.2 series software?

If you are in doubt, I would suggest opening a TAC case with Cisco to get accurate information.

I personally don't use the ASDM for ASA configurations and I never let the ASA convert the configurations by itself from 8.2 -> 8.3 (or newer), since I want to keep the NAT configurations clear and low in number and keep the naming policy to my liking. Therefore I handwrite the new configurations in the new format and avoid possible problems with the automatic conversion.

- Jouni

One question: I have a 5510 with 8.4(1) with Remote VPN configurations (SSL VPN, cert auth) which was installed from scratch with 1024MB memory. Do you think it is a problem to upgrade to 9.x, especially focusing on the self-signed certs and VPN configuration?

Cheers

patrick.preuss
Level 1

Hi

In general, the release documentation states the version from which the upgrade should be possible. Some versions have major changes in behavior and configuration.

So please read the documents carefully.

In general, going via the latest major.minor.patch is not the worst. In case you have failover configured, it is the only way to keep service up.

As far as I know there is no EOS for 8.2; do you have a need for the features?

sokakkar
Cisco Employee

Hi Basel,

Honestly, I wouldn't suggest a direct upgrade from 8.2 to 9.0. This is a *major* upgrade. The recommended path to reach 9.0 would be from 8.2-->8.4-->9.0

Here are the release notes for 9.0:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp690047

Per the above document:

"If you are upgrading from a pre-8.3 release, see also the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration."

Once you are on 8.3/8.4 (I would suggest 8.4, as a lot of issues were fixed post 8.3, since that was a huge transition from 8.2), the upgrade to 9.0 is fairly simple.

The major part is the upgrade from 8.2 to 8.4, as the configuration changes and a few things can be broken as a result. I would highly recommend you check these docs before attempting an upgrade, and also do it within a maintenance window so as to correct things in case they break:

The following doc talks about 8.3 but it is applicable to a direct upgrade to 8.4 as well:

https://supportforums.cisco.com/docs/DOC-12690

Release notes for 8.4:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

-

Sourav

Hi Guys,

I have a doubt about this.

Does the upgrade from 8.4 to 9.x need a hardware upgrade too, like the 8.2 to 8.4 upgrade in the case of an ASA with 512MB RAM?

Hi,

This document should list the required RAM for all the different ASA models when using software 8.3 or any newer version:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-586414.html

- Jouni

My recommendation with 8.2 -> 9.0 is to let a test firewall do an upgrade-in-place to see what the automatic configuration rewrite would look like, then junk the NAT and access list configuration and rewrite that part from scratch.  The dual-stack "any" versus any4/any6 keyword change and new NAT paradigm will cause the naive translation to produce a lot of artifacts you won't want to live with long term.

-- Jim Leinweber
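
An added example (not part of the thread or any poster's tooling): a small Python audit over a saved running-config that lists the pre-8.3 NAT statements and the ACL entries using the bare `any` keyword, the two areas the replies above single out for manual review around an 8.2 -> 9.0 conversion. The sample configuration and the matching patterns are constructed assumptions, not Cisco tooling.

```python
import re

# Constructed sample of a saved 8.2-style running-config (not from the thread).
SAMPLE_CONFIG = """\
ASA Version 8.2(3)
nat-control
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list INSIDE_OUT extended permit ip 10.1.0.0 255.255.0.0 any
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
static (dmz,outside) 203.0.113.10 10.2.0.10 netmask 255.255.255.255
"""

# Pre-8.3 NAT forms: "nat (if) <id> ...", "global (...)", "static (...)", "nat-control".
# 8.3+ NAT lines name two interfaces, e.g. "nat (inside,outside) ...", and are not matched.
LEGACY_NAT = re.compile(r"^(nat \([^,()]+\) \d+ |global \(|static \(|nat-control\b)")

# ACL entries using bare "any" (not any4/any6); remark lines are ignored.
ACL_ANY = re.compile(r"^access-list \S+ (?!remark\b).*\bany\b")


def audit(config_text):
    """Return line-numbered statements to review by hand around the upgrade."""
    findings = {"legacy_nat": [], "acl_any": []}
    for number, line in enumerate(config_text.splitlines(), 1):
        statement = line.strip()
        if LEGACY_NAT.match(statement):
            findings["legacy_nat"].append((number, statement))
        elif ACL_ANY.match(statement):
            findings["acl_any"].append((number, statement))
    return findings


def summarize(findings):
    """Render the findings as a short review checklist."""
    out = []
    for kind, label in (("legacy_nat", "pre-8.3 NAT"), ("acl_any", "ACL with bare 'any'")):
        out.append(f"{label}: {len(findings[kind])} statement(s)")
        out.extend(f"  line {n}: {s}" for n, s in findings[kind])
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(audit(SAMPLE_CONFIG)))
```

Running the same audit against the configuration a test unit produces after the in-place upgrade shows which statements the automatic rewrite touched.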
