cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7075
Views
15
Helpful
15
Replies

ASA OS Upgrade

zekebashi
Level 4
Level 4

Hello, 

 

I am perplexed by the way ASA OS releases codes are structured. We have purchased several Firepower 2110s which came pre-loaded with release code 9.8.3. I opened a TAC case to inquire about the recommended release code and the response I received was to upgrade to release code "9.4.4 Interim". See attached. It seems that the release codes are not in a sequential order(For example, Latest release 9.8.3 but the suggested releases are 9.8.2, 9.6.4, and 9.4.4). It seems that I will need to downgrade the code we have, which is 9.8.3 to release code 9.4.4. Cisco couldn't make this any more confusing!!! 

 

Does anyone have any clarification as how to understand the ASA release codes? 

 

Thanks in advance! 

 

Best, ~zK 

 

 

 

2 Accepted Solutions

Accepted Solutions

I am uploading an attachment where you will see the full path to get to the section where you can download the ASA image for the FP2K.

 

Thanks for pointing out your query about the software you don't find. So the ASA5506-X will use the  "asa982-38-lfbff-k8.SPA"

 

The rest of your devices (ASA5585 and ASA5525-X) will use the  asa982-38-smp-k8.bin image (multicores).

 

You can have an explanation on their differences on the following post: https://community.cisco.com/t5/firewalls/cisco-asa-image-versions/td-p/2908797

 

View solution in original post

No interim upgrades are required, you can go straight. Look at this document here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#ID-2152-0000000a

 

Whenever you have questions on which middle versions you should go first, go to the release notes of the version you want to go to and then go to the 'upgrade path' section, it's useful :)

View solution in original post

15 Replies 15

Sergio Ceron Ramirez
Cisco Employee
Cisco Employee

Hello Zekebashi, 

 

If you go into cisco.com to download software for your platform, you will notice there are some Interim releases, mostly identified by a star. These are known to be the most stable releases for each version.

 

If you want a recommended software by Cisco, then you would like to choose an interim one, which you will find to be a long list of interim releases per version which contain bug fixes that address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available.

 

Let me know if you need additional information.

Thanks for the response. I get what you are saying but I am still not clear. The release version we have on the Firepower 2110/ASA is release 9.8.3 and the recommended Interim releases are:

   - 9.8.2, which is a release lower than 9.8.3 and has a star next to it

   - 9.6.4, which is a release lower than 9.8.3 and has a star next to it

   - 9.4.4, which is a release lower than 9.8.3 and has a star next to it

 

So, which release version is the one that we need to upgrade to? 

Why is the recommended release (Interim) code has a code number lower than the release code that we shipped by Cisco? Totally confusing!! 

 

Best, ~zK 

 

 

 

I see there is a misunderstanding with the information sent by your TAC engineer, as he only referred you to information concerned to ASA5500-X platforms, but for ASA running on a 2110 platform.

 

ASA on FPR2100 is compatible starting on 9.8.2 code. Your device will not necessarily come with an interim version, but you can upgrade it into anyone you choose.

 

As you will notice, every release can have its own interim versions, so it does not mean that you must downgrade to run a stable version. If Cisco has identified interim/stable versions within later releases, you can feel free to upgrade into one of them.

 

I recommend you to always check the release notes for the version you want to choose so you can learn what is resolved and what is still pending to be resolved in terms of bugs, or what new features does that release has.

Thanks! 

 

"As you will notice, every release can have its own interim versions".  I am not clear on this. Refer to the attachment. What would the interim release be for 9.8.3? The available "Suggested Interim Releases" are: 9.8.2, 9.6.4, 9.4.4. Are you saying that if we decided to upgrade code 9.8.3, we could choose any one of these "Suggested Interim Releases" even though they vary in their code numbers, meaning one is 9.8.2, another is 9.6.4, and the last one is 9.4.4 and none of them has the subsequent code number to 9.8.3, which I think should either be 9.8.4 or 9.9.x! 

 

We would like to standardize the ASA OSs on the following appliances:  

   - FP2110/ASA - Current release code 9.8.3

   - 5585 - Current release code 9.2(4)18

   - 5525 - Current release code 9.1(6)11

   - 5506 - Current release code 9.8.3

 

What would be the recommended release code to upgrade to for all of these appliances?

 

Thanks..  

I am not sure why 9.8.3 has not an interim release; every release can have it, but it's not a most. Remember I mentioned that FPR2100 supports ASA code starting in 9.8.2 version, and the suggested interim releases you mention, applies to ASA5500-X.

 

I cannot recommend you a specific code to use, as you have to carefully choose depending on your environment, features, etc., for which I suggest you to take a look at the release notes of the version you choose to standardize across your devices.

 

After you look on them, you can confirm which release is equally supported for your devices, and you can look on this information at the Cisco ASA Compatibility matrix

 

What I found looking at the Interim releases for each platform, is that the common and suggested release across your platforms is 9.8.2 Interim release. (asa982-38-lfbff-k8.SPA and cisco-asa-fp2k.9.8.2.38.SPA - for FP2100) You may want to go to this one, but please take a look at the release notes below first.

 

ASA 9.8.2 Release notes:

Fixed bugs

New Features

Thanks again!

 

I tried to look under the 9.8.2 Interim file names for the file names you suggested but couldn't find them. The closest one was: asa982-38-smp-k8.bin. Where did you find the file?

 

Also, I found these two sources pretty useful: https://software.cisco.com/research/home?pid=283123066&sid=280775065&cr=

 

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/bulletin-c25-738209.html

 

Thanks in advance. ~zK

 

I am uploading an attachment where you will see the full path to get to the section where you can download the ASA image for the FP2K.

 

Thanks for pointing out your query about the software you don't find. So the ASA5506-X will use the  "asa982-38-lfbff-k8.SPA"

 

The rest of your devices (ASA5585 and ASA5525-X) will use the  asa982-38-smp-k8.bin image (multicores).

 

You can have an explanation on their differences on the following post: https://community.cisco.com/t5/firewalls/cisco-asa-image-versions/td-p/2908797

 

Great!

 

One final question, when upgrading the 9.2(4) code to 9.8.2, do we have to use the interim codes (9.4(x), and 9.6(x) first or can we upgrade it from code 9.2(4) directly to code 9.8.2?

 

Thanks, ~zK

No interim upgrades are required, you can go straight. Look at this document here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html#ID-2152-0000000a

 

Whenever you have questions on which middle versions you should go first, go to the release notes of the version you want to go to and then go to the 'upgrade path' section, it's useful :)

Super!

 

Thank you very much, Sergio! Much appreciated.

Most than welcome!! 

Hello,

Was your upgrade from 9.2(4) to 9.8 successful? I am going 9.2(4) to latest 9.8(3)29, so have the same question as to if this is possible or I need to go to interim releases.

Hello, 

 

I have performed the upgrade yet. I have confirmed with Cisco TAC that the upgrade from the 9.2.x to 9.8.x build doesn't require an interim upgrade.

 

My question to TAC:

Upgrading from the current release (9.2(4)18) directly to release 9.8.(3)21 is fine. It doesn't require to upgrade to an intermediate releases, is this correct?

 

TAC response: That is correct, is not required to install any intermediate image to get to the desired version 9.8.3.21.

 

Best, ~zK

Hello Julian, you should be safe to jump directly to 9.8(3)29 :)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: