ASA upgrade path

IbrahimElbagouri57340 · ‎06-19-2023

Hello All
I have the ASA 5525X with the image 9.8(4) and want to upgrade to 9.14.4 image.
is it possibale without interim image or should i follow specific OS path till I reach my target OS
my second quesion is the 9.14.4 a good image?

Thanks!

MHM Cisco World · ‎06-19-2023

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/release/notes/asarn914.html

According to this doc. No need any interim.

Sheraz.Salim · ‎06-19-2023

Just be careful if you upgrading from 9.8 to 9.14. The VPN tunnel DH group 1,2,5,24 are deprecated on-ward 9.8 these DH group are not supported. Now if you have site-to-site VPN mind this and work with remote/third parties to upgrade the vpn DH values.

9.14.4 Interim is the last upgrade-able image for this appliances. cisco wont release anymore image for 5525-X as this appliance is EOL.

please do not forget to rate.

IbrahimElbagouri57340 · ‎06-19-2023

Thanks for your answer, but the new image will not effect the anyconnect configuration, correct?

Sheraz.Salim · ‎06-19-2023

No what version you on at the moment on ASA box?

please do not forget to rate.

MHM Cisco World · ‎06-19-2023

Anyconnect use ssl and some ssl cipher use dh group.

Check you anyconnect cipher is use dh group @Sheraz.Salim mention.

The 9.14.4 support group 14/15/16/19/20/21

Also please mention if it us ecdh.

Aref Alsouqi · ‎06-21-2023

AnyConnect configs shouldn't be affected by the ASA upgrade, however, I would recommend keeping the old image on the ASA flash for any potential quick rollback. To rollback you can just change the boot system variable to point to the old image instead of the new one. One thing I would try to upgrade alongside the code is the ASDM image.

Sheraz.Salim · ‎06-21-2023

Good one @Aref Alsouqi happens so many time after upgrading the ASA new code the old ASDM go flaky. For 9.8.(4) ASDM recommend version ASDM 7.12(1) and for 9.14(4) recommend version ASDM 7.17(1)

please do not forget to rate.