It is an interesting point about the possibility that version differences might explain why the vpn tunnel details were missing. I wonder if it was some detail or all details? And I wonder if there were differences in model between the ASA on which the backup was done and the new factory ASA that might account for some things that might have been backed up but not restored.

HTH

Rick

There are always potential issues when updating software on ASA (or any other type of network device). There may be new features but that is not likely to make much impact since your older config would just not use those features. But what you do need to worry about is the possibility that the syntax for some functions may have changed. You also need to be aware that some features may have been dropped from the new version. I recently did a code upgrade on an ASA and discovered that the older version of code supported NT authentication as a way to authenticate with Windows credentials. But the new version of ASA code had dropped support for that feature. So we had a bit of a scramble when we did that code upgrade.

And those are just considerations about different code levels when applied to the same platform. If you take a config from one ASA and then restore that config to an ASA that is a different model then there is the possibility that some things may not work based on differences between models. For example SourceFire/FireSight is a hardware module in some models but is a software module in others. Or there might be differences in interfaces or other hardware attributes that might affect the restored config.

Most software updates go smoothly. But you do need to be careful because sometimes they do not.

HTH

Rick

Thanks Rick,

That's a really helpful reply!

Can the software be rolled back at all? 

Thanks !

Yes the software can be rolled back. Assuming that you have both the new version of code and the old version of code on the disk then you just change the boot system statement to point to the old version of code and reboot. Sometimes in rolling back you might need to restore part of the config. If the new version of code made changes in the config (changed syntax, or deprecated features, etc) you might need to back that out by restoring older config.

HTH

Rick

Thanks Rick,

Appreciate your help!

Normally when you do an upgrade or downgrade the ASDM does not remove the current software.

So chances are you'll be able to do a "dir disk0:" from rommon and see the existing ASA image.  So you may just be able to "boot disk0:/ asa942-k8.bin".

Once the ASA is up and running it is much easier to change things.

Thanks for that Phillip!

I had to delete a file from the flash to create room as the device gave an error of having no room.

The first thing I done out of the box was upgrade to the latest version but then realised I needed the older one. The file I deleted was the older bin file though.

I will do a disk dir and check.

Many thanks,

Simon

Hi Rick,

I have made a bit of a mess of downgrading the ASA to an older version.

My device is now stuck on Loading disk0:/ asa841-k8.bin..... I followed this https://supportforums.cisco.com/document/98421/how-upgrade-or-downgrade-ios-isr-or-similar-router

and reloaded and its' now stuck, Could you help me load the flash file so it boots ok? I have copied the older version via FTP to the Cisco device and changed the boot entry but now it won't boot. Can it be sorted via - confreg?

Many thanks,
Simon

Simon

I have not yet looked at the link that you reference but I do notice that the link is explaining about IOS routers and not about ASA. In general the approach to upgrade/downgrade would be similar but there are differences which could be part of your issue. The routers do have confreg but the ASA does not. So that is not an alternative for solving your current issue.

Can you provide us some details about what is going on? What model of ASA is it that you are attempting to downgrade? What version of code was it originally running and what version of code are you downgrading to? Was that ASA running successfully and stable before the downgrade? Or is this the new factory  ASA? Do you have a good copy of the config? How did you make that copy? (ASDM, copy running-config, more system:running-config) Was the config that you have taken from this ASA or was it taken from a different ASA?

HTH

Rick

Hi Rick,

Whoops that looks like the issue possibly. This is the factory asa that was running 9.1 but I need to downgrade to 8.4. The ASA is a 5505, at the moment the ASA will not boot and sticks on the below.

I am not worried about the config as this is the new ASA that I am trying to get the working config from another ASA to the new one but I wanted to get the versions the same as the one I was trying to get the backup from.

All I need to do is get a working bootable image on the device, can I do this from ROMMON?

Many thanks!

Hi Rick,

Before I tried to downgrade the software on the device I factory reloaded it so there was no config on the device apart from the base factory config.

I will take a look at those options this evening and I will come back to you.

Many thanks for the help!