06-19-2023 03:21 AM
Hello All
I have the ASA 5525X with the image 9.8(4) and want to upgrade to the 9.14.4 image.
Is it possible without an interim image, or should I follow a specific OS path until I reach my target OS?
My second question: is 9.14.4 a good image?
Thanks!
06-19-2023 03:27 AM
https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/release/notes/asarn914.html
According to this doc, there is no need for any interim image.
06-19-2023 04:07 AM
Just be careful if you are upgrading from 9.8 to 9.14. The VPN tunnel DH groups 1, 2, 5 and 24 are deprecated; onward from 9.8 these DH groups are not supported. If you have site-to-site VPNs, keep this in mind and work with the remote/third parties to upgrade the VPN DH values.
06-19-2023 04:24 AM
Thanks for your answer, but the new image will not affect the AnyConnect configuration, correct?
06-19-2023 04:32 AM
No. What version are you on at the moment on the ASA box?
06-19-2023 04:35 AM - edited 06-19-2023 04:55 AM
AnyConnect uses SSL, and some SSL ciphers use a DH group.
Check whether your AnyConnect cipher uses the DH groups @Sheraz.Salim mentioned.
9.14.4 supports groups 14/15/16/19/20/21.
Also please mention if it is ECDH.
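
Added example, not part of any poster's reply: a pre-upgrade check that scans a saved running-config for the DH groups named above (1, 2, 5, 24). The config text is a constructed sample, the command forms matched (`crypto ikev1`/`ikev2 policy`, `set pfs`, `ssl dh-group`) are assumed syntax, and the function name is hypothetical.

```python
import re

DEPRECATED = {"1", "2", "5", "24"}  # groups the thread says are no longer supported

# Constructed sample config (assumed ASA syntax), not taken from the thread.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 14 5
 prf sha256
crypto map outside_map 10 set pfs group5
crypto map outside_map 20 set pfs group14
ssl dh-group group24
"""

def find_deprecated_dh(config):
    """Return (line_no, context, group) for each deprecated DH group reference."""
    findings, context = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if line and not line.startswith(" "):
            # Top-level command: remember it only if it opens an IKE policy block.
            context = line if re.match(r"crypto ikev[12] policy \d+$", line) else None
            # One-line forms: "... set pfs groupN" and "ssl dh-group groupN".
            m = re.search(r"(?:set pfs|ssl dh-group) group(\d+)\b", line)
            if m and m.group(1) in DEPRECATED:
                findings.append((no, line, m.group(1)))
        elif context:
            # Inside an IKE policy: "group N [N ...]" (IKEv2 may list several).
            m = re.match(r"\s+group ((?:\d+\s*)+)$", line)
            if m:
                findings += [(no, context, g) for g in m.group(1).split() if g in DEPRECATED]
    return findings

if __name__ == "__main__":
    for no, ctx, grp in find_deprecated_dh(SAMPLE_CONFIG):
        print(f"line {no}: DH group {grp} in '{ctx}'")
```

Any line it reports needs a replacement group agreed with the remote peer before the upgrade window.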
06-21-2023 02:18 AM
AnyConnect configs shouldn't be affected by the ASA upgrade; however, I would recommend keeping the old image on the ASA flash for any potential quick rollback. To roll back, you can just change the boot system variable to point to the old image instead of the new one. One thing I would try to upgrade alongside the code is the ASDM image.
06-21-2023 02:30 AM
Good one, @Aref Alsouqi. It happens so many times: after upgrading the ASA to new code, the old ASDM goes flaky. For 9.8(4) the recommended ASDM version is 7.12(1), and for 9.14(4) the recommended version is ASDM 7.17(1).