
Upgrade ASA 5545 with Firepower module

JamesB11
Level 1

Hi,

I would like to upgrade my ASA 5545 with Firepower module from version 9.12.4 to 9.14.4.

The Firepower module is running version 6.4.0.14 and is managed by FMC, which runs version 7.0.2 (build 88).

 

My question is:

Is ASA firmware version 9.14.4 compatible with Firepower firmware version 6.4.0.14? Where can I find information about that?

And, how should I approach the upgrade of the Firepower firmware and the ASA firmware?

FMC is also managing the following:

  • 1 x Firepower 1010 running version 6.4.0.18
  • 2 x Firepower 2110(HA) running version 6.4.0.14

Accepted Solutions

  • ASA 9.14/ASDM 7.14/Firepower 6.6 is the final version for the ASA FirePOWER module on the ASA 5525-X, 5545-X, and 5555-X.

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-classic-compatibility.html

I would suggest just replacing the 5545 with a 11xx or 2100 secure firewall... Your 2110 and 1100 are running really old versions. There are multiple bugs and vulnerabilities.

After you get rid of the 5545, you should upgrade everything else to 7.4.2 or 7.2.9. Otherwise, you can upgrade the ASA with Firepower to 6.6, and then it will support FMC 7.2.9 and you can upgrade the 21xx/11xx to 7.2.9 as well.


micde123stokes
Level 1

@JamesB11 wrote:

Hi,

I would like to upgrade my ASA 5545 with Firepower module from version 9.12.4 to 9.14.4.

The Firepower module is running version 6.4.0.14 and is managed by FMC, which runs version 7.0.2 (build 88).

 

My question is:

Is ASA firmware version 9.14.4 compatible with Firepower firmware version 6.4.0.14? Where can I find information about that?

And, how should I approach the upgrade of the Firepower firmware and the ASA firmware?

FMC is also managing the following:

  • 1 x Firepower 1010 running version 6.4.0.18
  • 2 x Firepower 2110(HA) running version 6.4.0.14

Yes, ASA firmware version 9.14.4 is compatible with Firepower firmware 6.4.0.14. To upgrade, first check the Cisco ASA and Firepower Compatibility Guide for compatibility between your ASA, Firepower modules, and FMC. Back up configurations for both FMC and Firepower devices, then upgrade the Firepower firmware through FMC to the latest compatible version. After the Firepower upgrade, upgrade the ASA firmware to 9.14.4. Post-upgrade, verify functionality by checking connectivity, policies, and synchronization between the ASA, Firepower modules, and FMC.

Marvin Rhoads
Hall of Fame

I agree heartily with @ccieexpert. That set of firewalls is long overdue for some care and feeding.

JamesB11
Level 1

Hi all,

Thank you very much for your response.

@ccieexpert @micde123stokes @Marvin Rhoads 

Hopefully we'll get some new firewalls in the near future (they've promised me that for a few years now)

I tried upgrading today, but I had a few issues:

- Was not able to log in to ASDM - fixed by changing the port: http server enable xxxx

- When trying to connect to the VPN using AnyConnect, I encountered the following error: Authentication failed due to an unexpected error. We are using Azure as MFA, which is functioning correctly. However, after authentication, AnyConnect displays the mentioned error.

In the live logs, I noticed that the firewall was unable to communicate with two servers, after the MFA process (even though ping works). These servers are part of a server group used as the Authorization Server Group and as DNS in the VPN connection profile.

I tried reapplying the SAML configuration, but it didn’t resolve the issue.


When I compared the configurations, I noticed that the following commands were added to the configuration:
webvpn
 enable outside
 enable inside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy

 

I had to roll back to the old version, since I was running out of time.
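
One way to make the before/after configuration comparison described in the post above repeatable, as an added example that is not part of the original thread: an indentation-aware diff that reports each command added by the upgrade together with its parent sub-modes. The BEFORE capture, the one-space-per-level nesting of the AFTER lines, and the function names are assumptions made for illustration.

```python
# Added example: indentation-aware diff of two ASA running-config captures.
# BEFORE is constructed; AFTER uses the commands quoted in the post, with an
# assumed one-space-per-level nesting. Function names are hypothetical.

BEFORE = """\
webvpn
 enable outside
 enable inside
"""

AFTER = """\
webvpn
 enable outside
 enable inside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
"""

def config_paths(text):
    """Return every command as a tuple (parent, ..., command)."""
    paths, stack = [], []  # stack: (indent, command) of the open sub-modes
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("!", ":")):
            continue  # skip blank lines, '!' separators and ': Saved' style lines
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sub-modes at the same or a deeper level
        stack.append((indent, line.strip()))
        paths.append(tuple(cmd for _, cmd in stack))
    return paths

def added_commands(before, after):
    """Commands present in `after` but not in `before`, in config order."""
    seen = set(config_paths(before))
    return [path for path in config_paths(after) if path not in seen]

if __name__ == "__main__":
    for path in added_commands(BEFORE, AFTER):
        print(" > ".join(path))
```

Keeping the parent path in each result is what separates the `enable` under `hsts-server` from the one under `hsts-client`, which a flat line-by-line diff would report as the same line.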
