cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
984
Views
0
Helpful
7
Replies

ASA | UPGRADE

John
Level 1
Level 1

Instead of waiting for a bug, is it better to upgrade the IOS version now to avoid the possible bugs?

Cisco Adaptive Security Appliance Software Version 9.1(6)11
Device Manager Version 7.1(7)

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

Generally its best to use the Cisco-recommended release for your hardware. The very latest release may introduce not-yet-identified bugs as it has not had time to be widely deployed across different customer environments. 

What appliance model are you using? If it's a legacy 5500 series then 9.1(7.x) is the highest you can go on those discontinued platforms.

our appliance is 5520 and 5508.

so it is ok to upgrade even if our network is stable and we don't experience any bug right now?

It's not just bugs that are fixed by new releases. It's also security vulnerabilities and new features that are added 

Your 5520 is end of sales and no new features are being added to it any more. The current recommended release is 9.1(7.16):

https://software.cisco.com/download/release.html?mdfid=279916878&softwareid=280775065&release=8.4.4.ED

The 5508 is newer and can run later and better versions of software. Currently no particular release is Cisco-recommended but I'd advise choosing from among the most recent ones in this listing:

https://software.cisco.com/download/release.html?mdfid=286285773&softwareid=280775065&release=9.7.1&relind=AVAILABLE&rellifecycle=&reltype=latest

With the newer ASAs there's currently one particular bug (CSCvd78303) that you need to be careful to avoid:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd78303

Based on the documents.

Conditions:
This is seen when the ASA's uptime reaches 213 days.

This problem affects ASA and FTD versions:
ASA version 9.1 releases 9.1(7)8 and higher
ASA version 9.2 releases 9.2(4)15 and higher
ASA version 9.4 releases 9.4(3)5 and higher including 9.4(4)
ASA version 9.5 releases 9.5(3) and higher
ASA version 9.6 releases 9.6(2)1 and higher including 9.6(3)
ASA version 9.7 releases 9.7(1) and higher 

What if we don't want to upgrade our firewall. so that we're not able to hit the bug CSCvd78303?

is this version 9.1(6)11 is stable?

You can continue to run 9.1(6.11) for many years as long as you don't need to use any of the newer features and security that are offered by the newer hardware and software.

Only you and your management can say whether that's an acceptable risk for your environment. Most security professionals would advise that is isn't; but it's your organization's decision in the end. 

Hello Marvin,

Thanks for the information. I would like to know what is the new feature for 9.1.7(16)?

All Cisco software versions have associated release notes. For the few things introduced between 9.1(6) and 9.1(7) maintenance releases, please refer here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-789421

Within the 9.1(7) maintenance release there have been multiple interim releases. The notes for them are generally linked on the downloads page:

https://software.cisco.com/download/release.html?mdfid=279916878&flowid=4374&softwareid=280775065&release=9.1.7%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

Specifically here are the release notes for 9.1(7.16) interim release:

http://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html

Interim releases are strictly for bug fixes and do not introduce new features  

You can can similarly see on the parent pages of the minor release notes all of the later releases for 5500-X series  models. As I noted, the end of sales 5500 series (including your 5520) is not supported beyond 9.1(x).

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: