FMC-ASA-SFR compatibility

rushispace
Level 1

Hello Cisco Community,

I have an ASA 5545-X running with the following versions:

  • ASA Software: 9.14(4)24
  • Firepower Module (SFR): 6.6.7
  • Firepower Management Center (FMC): 7.0.6

I'm planning to upgrade my FMC to version 7.3, but I'm unsure about the compatibility between FMC 7.3 and my current SFR/ASA versions. Could someone please guide me on the following:

  1. Compatibility Matrix for FMC and SFR: What version of the SFR module will be compatible with FMC 7.3?
  2. SFR to ASA Compatibility: If I upgrade the SFR, which ASA versions would still be compatible?

Any advice or a link to the compatibility matrix for FMC, SFR, and ASA versions would be greatly appreciated. I want to ensure a smooth upgrade process without running into version mismatches.

11 Replies

@rushispace unfortunately that won't work, as the oldest FTD (SFR module) version FMC 7.3 can manage is 6.7

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/compatibility/management-center-compatibility.html

Ideally you should replace the 5545-X with newer hardware that supports the latest FTD versions.

Hi Rob, thanks for your response. However, we are in the process of migrating toward FTD, and for FMT compatibility the FMC should be on 7.3 for PBR migration. As per your response, if I want to go to 7.3, I should upgrade the SFR to 6.7, right?

@rushispace unfortunately the ASA 5545-X does not support version 6.7, version 6.6.7.2 is the latest version that hardware supports.

https://software.cisco.com/download/home/286271173/type/286277393/release/6.6.7.2

You cannot manage the 5545-X running 6.6 from FMC 7.3

 

So in that case I need to disconnect the SFR from my ASA to upgrade the FMC to 7.3, right?

@rushispace the FMC won't be able to manage the SFR module on the 5545-X, so it will never be able to connect to the FMC if you upgrade to 7.3

You don't have to disconnect the SFR module from the ASA to upgrade the FMC. You can still upgrade the FMC to version 7.3; however, as @Rob Ingram mentioned, you won't be able to manage the current SFR module from the FMC in that case. So the plan in that case would be to upgrade the FMC to version 7.3, then work on the migration from the ASA to the FTD, and finally add the FTD to the FMC.

@Aref Alsouqi @Rob Ingram, if I upgrade my FMC to 7.3, then I am only unable to manage the SFR, right? However, will the policy and other configuration related to the SFR remain on the ASA or device as it is, or will it be deleted after the FMC upgrade?

@rushispace the SFR configuration would remain after the FMC is upgraded, the FMC will be unable to manage the SFR module.

If you still wish to use the SFR module, you should not contemplate upgrading the FMC, you should replace the hardware with supported hardware such as the 1100, 2100 or 3100 series hardware (depending on your requirements).

@Rob Ingram it means that if we upgrade the FMC, the SFR will remain the same in the ASA device and it will also work flawlessly as per the configuration (but we will not be able to manage it), right?

@rushispace the SFR module should still work, you could manage the device using ASDM, just not via FMC.

@Rob Ingram, Thanks mate
