How does it know that the new version should be used as the old asdm will be kept in the flash, just in case I get issues with the latest version?

A Cisco guy told me to keep the ASA firmware and ASDM to the same version like mine currently is, but I don't think he was right as the download of the latest ASDM will work with 8.0(3).

Just wondered what you thought?

Andy,

"boot system flash:/imagename.bin" command does set the image to be used and "asdm image flash:asdmimagename.bin" sets the ASDM image that must be used. If none is issued, firewall sets the first comaptible images for system and ASDM.

You can keep the old images of both ASDM and IOS in flash if you have enough space in flash. But as far as I know, ASDM 5.x does not work with IOS 8.x . So if you get issues with new ASDM, you also have to downgrade the IOS.

Regards

Thanks, I deleted the 5.x ASDM, so if I upgrade I will just have ASA 8.0(3) ASDm 6.0(3) and the latest ASDM 6.1(1) I think. A just keep the ASDM 6.0(3) as fallback.

Did my latest comment about keeping both the same not matter?

Ah sorry, I now got that your question was about 6.0(3) and 6.1(1) not 5.0

That cisco guy is somewhat correct. Here is the issue. As you know, ASDM is a GUI that actually sends IOS commands to device. If ASDM has a higher version than IOS, it may send commands to device when you want to enable a new feature, which are not recognized by IOS. There is a little information icon that appears next to disk image in ASDM window, I have seen rare instances when that popped up and when I clicked on it, it said "Some of the commands ASDM sent are not recognized by device"

Please have a look at following link

https://www.cisco.com/en/US/docs/security/asdm/6_1/release/notes/rn61.html

As you can see, there are some minor enhancements/corrections in ASDM 6.1 for IOS 8.0. But "new features" work with IOS 8.1.

If you still have concerns, feel free to keep both images, you can switch between images whenever you want with the asdm image command.

Thanks for finding the time to answer my questions.

I undersatand what you are saying, that error message that could pop up in the ASDM due to having a different version of ASDM, could it cause issues with the firewall or just wont make the config change?

My next challenge would be on updating the ASDM on the faulover ASA I have. I have a active/standby setup (sorry I didn't mention this), but the only way can get on the standby ASA is when I turn off the primary or just pull the failover cable, the standby then becomes the active ASA, thus enablng me to update the ASDM. Is this a normal approach to updating a standby ASA?

Thanks

It wont make the config change. Have seen rare occasions that IOS cant recognize a part of a set of commands and desired service cant function properly. I mean if a group of commands which are ready to be sent to firewall by ASDM, contains a single line that cant be recognized, every other commands will be issued despite that single command. And only that single command wont be issued.

If you have console access or ssh access to device, you can still perform IOS copy and boot image set commands (firewall is operational with standby IP address), you dont need a state change. Besides, once you upgrade the IOS of one unit, failover will be broken since failover requires same IOS versions