01-25-2014 10:13 AM - edited 03-11-2019 08:35 PM
Hi Everyone,
The current IOS on the ASA is Version 8.0(5)28, and we have ASA 5510 and 5520 units running in active/active and active/standby modes.
I am told to upgrade the IOS on the ASA.
I need to know from the experts here which IOS I should upgrade to from the current version so that I do not have config changes to make, and that IOS should be stable
and not have vulnerabilities.
Regards
Mahesh
01-25-2014 10:53 AM
Hi Mahesh,
Well, the latest software which would not cause huge changes for you would be 8.2(5), and an interim version release of that software which contains bug fixes. I would imagine this software level to be the safest choice as it's the latest version that some devices support and it's been here a long time.
Anything above that would mean changing the NAT configuration format and a bit later also some minor changes to the VPN configuration format. It would also mean that you might have to upgrade the memory on the ASA units depending on how old they are. ASAs manufactured after Feb 2010 have enough memory for new software levels.
In general I find it hard to decide on any specific suitable software other than on the basis of what new features/changes/fixes I need. It doesn't always mean that the choice of software would be good as I noticed some weeks ago. We encountered reboots of one of our ASA units and opened a TAC case.
For example, first we noticed that a bug prevented our upgrade directly to the new software. We then moved to the desired software through another software level. We ended up with an ASA that was unmanageable (severely degraded performance) and had to downgrade to the previous software version that we had used to jump to this software level. Well, this software level introduced some changes to the device operation which again broke part of the functionality that we needed. So we had to roll back to the original software. We then went through the changes we needed in our configuration to make it work and finally upgraded it to the desired software, though this was during another maintenance break.
So as you can see, even software suggested to us by Cisco doesn't really guarantee anything, and it makes me even less likely to suggest any software for anyone without saying that there is always a risk and only so much that you can do to determine if there are any risks with an update.
So I would suggest going through the release notes for the software level you are looking for and checking if there are any bugs open that might potentially affect your environment.
You can find ASA Software Release Notes here:
http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html
Here is one Blog post about updating
You can find some information about vulnerabilities here:
http://tools.cisco.com/security/center/publicationListing.x
Hope this helps
- Jouni
01-25-2014 11:28 AM
Also note if you go beyond 8.2(x) you will likely have to upgrade the RAM on your appliances first.
By the way ASA software is not called IOS. It's just ASA (Adaptive Security Appliance) software.
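As an added example (not code from anyone in this thread), the following Python sketch parses ASA version strings such as `8.0(5)28` and flags the pre-upgrade checks the replies above mention for a jump past the 8.2(x) train. The function names, finding labels, and candidate image list are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional


class AsaVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    interim: int  # 0 when the string carries no interim build number


_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)(\d+)?\s*$")

# From the thread: 8.2(x) is the last train that avoids the NAT/VPN
# configuration format changes and the likely RAM upgrade.
LAST_TRAIN_WITHOUT_MIGRATION = (8, 2)


def parse_asa_version(text: str) -> AsaVersion:
    """Parse strings such as '8.0(5)28' or '8.2(5)' into a sortable tuple."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"not an ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return AsaVersion(int(major), int(minor), int(maint), int(interim or 0))


def assess_upgrade(current: str, target: str) -> List[str]:
    """Return the pre-upgrade checks the thread calls out for this jump."""
    cur, tgt = parse_asa_version(current), parse_asa_version(target)
    if tgt <= cur:
        return ["not-an-upgrade"]
    findings = []
    if tgt[:2] > LAST_TRAIN_WITHOUT_MIGRATION:
        findings += ["config-format-migration", "check-installed-ram"]
    return findings


def best_low_impact_target(current: str, candidates: List[str]) -> Optional[str]:
    """Newest candidate that is an upgrade and needs no migration checks."""
    ok = [c for c in candidates if assess_upgrade(current, c) == []]
    return max(ok, key=parse_asa_version, default=None)


if __name__ == "__main__":
    # Constructed candidate list; interim numbers are placeholders.
    images = ["8.0(4)", "8.2(5)", "8.2(5)99", "8.4(1)"]
    print(best_low_impact_target("8.0(5)28", images))
    print(assess_upgrade("8.0(5)28", "8.4(1)"))
```

An empty result from `assess_upgrade` only means none of the thread's two checks apply; the release notes and open bugs for the chosen level still need to be reviewed.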