
Going for ASA 9.6.4

johnlloyd_13
Level 9

Hi,

I have a mix of ASA 5500x with 9.1.x, 9.2.x, 9.4.x, 9.5.x that I needed to upgrade.

Looking at the software download, the TAC recommended codes are 9.4.4, 9.6.4, 9.8.2.

My questions are:

1) In a nutshell (not referring to release notes), what are the major differences between these 3 codes?

2) Based on the upgrade path, can I safely upgrade my mix of ASA 5500x FWs with code 9.1.x, 9.2.x, 9.4.x, 9.5.x directly to 9.6.4?

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/release/notes/asarn96.html#ID-2152-0000000a

 

3) I commonly see admins go for 9.6.4 and plan to do the same in order to enjoy the software extended support (36 months). Can someone advise if this is fine?

Or should I go to 9.8.2 in case we need to upgrade our 5500x HW to an FP appliance?

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/bulletin-c25-738209.html

 

Accepted Solutions

Marvin Rhoads
Hall of Fame

1. I'd go with the latest 9.8(2) - currently at interim 35. It's the most feature rich and will be around the longest going forward. If you have Firepower service modules, you need at least ASA 9.6(x) for compatibility with the latest (and recommended) Firepower release.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_34136

 

2. Yes - as long as your 9.1(x) are 9.1(2) or later.

 

3. I'm steering clients to 9.8(2) for the reasons I mentioned above.

 

 


Hi Marvin,

Thanks for your feedback! I don't have FP modules on these 5500-X FWs.

I'll consider 9.8.2 since I could jump from 9.x to 9.8.2. I'm just waiting for TAC to see if they have the same advice.

Did you encounter any issues upgrading to 9.8.2? Any gotchas/caveats?

Any major config syntax change that I should take note of?

TAC doesn't advise officially about recommended SW version.
Syntax-wise, there are minor updates that can be found in the Release Notes.