Solved: Re: downgrade ASA 8.4(6) to 8.2(1)

saimunpial · ‎02-23-2014

Hello support community,

yesterday I have upgrade one firewall on remote location. The upgrade was from 8.2(1) to 8.4(6) and unfortunately after upgrade the firewall isn't reachable. The firewall model is 5510 with 1 GB memory. There is no technical people right now. So only first working day I can get hands-on to check from management port and I know how to downgrade. But I am not sure whether it is possible from 8.4(6) to 8.2(1). So I am glad to get some information regarding this issue.

Pial

Marvin Rhoads · ‎02-23-2014

There's not an automatic downgrade path. Some syntax changes when upgrading to >=8.3 to the running-configuration is now different. So you need to have a copy of the old configuration that was used by 8.2(1) (there should be a copy on the flash that was created automatically during the upgrade) to startup after ensuring it has the variable "boot system disk0:asa-821.bin" in it and that the OS image is still on disk.

Something like this:

more | i boot

dir disk0:

copy startup

reload

You can also use the "downgrade" macro as described int the CLI configuration guide here.

View solution in original post

Marvin Rhoads · ‎02-23-2014

There's not an automatic downgrade path. Some syntax changes when upgrading to >=8.3 to the running-configuration is now different. So you need to have a copy of the old configuration that was used by 8.2(1) (there should be a copy on the flash that was created automatically during the upgrade) to startup after ensuring it has the variable "boot system disk0:asa-821.bin" in it and that the OS image is still on disk.

Something like this:

more | i boot

dir disk0:

copy startup

reload

You can also use the "downgrade" macro as described int the CLI configuration guide here.

saimunpial · ‎02-24-2014

Thanks Marvin for your support. I have read that link too for downgrade. But would you please tell me whether there is a known issue to upgrade from 8.2(1) to 8.4(6). Because I know it is possible to upgrade from 8.2.(1) to 8.3.x. Because I have to upgrade the firewall image. Otherwise the CSC module upgrade 6.6.1125 isn't functioning properly without ASA image upgrade.

Marvin Rhoads · ‎02-24-2014

You're welcome.

The ASA upgrade process as documented pretty much works fine. One thing you need to note is that if you have an older ASA you may need to upgrade the system memory first. The requirements are documented in the release notes for 8.3 here.

Of course, make sure to have a complete backup of your system configuration, including passwords and pre-shared keys (PSKs). Note if you copy a backup using "term pager 0" and "more system:running-config", it will type out the PSKs (but not user and enable password) in plain text.

The one thing that catches most people is the major change of how NAT is done in 8.3 and later. There is an excellent detailed overview of NAT operations that Jouni Forss has written over in the documents section of this forum here.

If you follow the documented upgrade process and take care to understand your NAT before and after the upgrade, it should go fine.

Mady · ‎08-30-2016

Hi,

I would like to know on how we can downgrade in active/standby failover pair with multiple context.

Thank you very much.

Regards,

Mady

Marvin Rhoads · ‎08-31-2016

It's the same as single context except that you have to restore the cfg file for each context separately.