04-20-2017 03:42 PM - edited 03-12-2019 02:14 AM
Instead of waiting for a bug, is it better to upgrade the IOS version now to avoid the possible bugs?
Cisco Adaptive Security Appliance Software Version 9.1(6)11
Device Manager Version 7.1(7)
04-21-2017 04:24 AM
Generally it's best to use the Cisco-recommended release for your hardware. The very latest release may introduce not-yet-identified bugs as it has not had time to be widely deployed across different customer environments.
What appliance model are you using? If it's a legacy 5500 series then 9.1(7.x) is the highest you can go on those discontinued platforms.
04-21-2017 05:09 PM
Our appliance is 5520 and 5508.
So it is OK to upgrade even if our network is stable and we don't experience any bug right now?
04-21-2017 11:21 PM
It's not just bugs that are fixed by new releases. It's also security vulnerabilities and new features that are added.
Your 5520 is end of sales and no new features are being added to it any more. The current recommended release is 9.1(7.16):
https://software.cisco.com/download/release.html?mdfid=279916878&softwareid=280775065&release=8.4.4.ED
The 5508 is newer and can run later and better versions of software. Currently no particular release is Cisco-recommended but I'd advise choosing from among the most recent ones in this listing:
https://software.cisco.com/download/release.html?mdfid=286285773&softwareid=280775065&release=9.7.1&relind=AVAILABLE&rellifecycle=&reltype=latest
With the newer ASAs there's currently one particular bug (CSCvd78303) that you need to be careful to avoid:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd78303
04-22-2017 02:27 AM
Based on the documents.
Conditions:
This is seen when the ASA's uptime reaches 213 days.
This problem affects ASA and FTD versions:
ASA version 9.1 releases 9.1(7)8 and higher
ASA version 9.2 releases 9.2(4)15 and higher
ASA version 9.4 releases 9.4(3)5 and higher including 9.4(4)
ASA version 9.5 releases 9.5(3) and higher
ASA version 9.6 releases 9.6(2)1 and higher including 9.6(3)
ASA version 9.7 releases 9.7(1) and higher
What if we don't want to upgrade our firewall, so that we're not able to hit the bug CSCvd78303?
Is this version 9.1(6)11 stable?
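The affected-release list quoted in the post above can be turned into a quick inventory check. This is an added example, not part of the thread and not Cisco code: the function names are hypothetical, the thresholds are copied from the list as quoted here (the page names no fixed releases, so "and higher" is treated as open-ended), and the inventory entries are constructed.

```python
import re

# Lowest affected (maintenance, interim) per train, as quoted in the post above.
# "9.5(3) and higher" and "9.7(1) and higher" carry no interim number, so interim = 0.
AFFECTED_FROM = {
    (9, 1): (7, 8),
    (9, 2): (4, 15),
    (9, 4): (3, 5),
    (9, 5): (3, 0),
    (9, 6): (2, 1),
    (9, 7): (1, 0),
}
TRIGGER_UPTIME_DAYS = 213  # "seen when the ASA's uptime reaches 213 days"

# Accepts both notations used in the thread: 9.1(6)11 and 9.1(7.16).
_VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")

def parse_asa_version(text):
    """Return ((major, minor), (maintenance, interim)) from a version string or banner line."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    major, minor, maint, dotted, trailing = m.groups()
    interim = int(dotted or trailing or 0)
    return (int(major), int(minor)), (int(maint), interim)

def in_affected_list(version_text):
    """True if the release is at or above the quoted threshold for its train."""
    train, release = parse_asa_version(version_text)
    floor = AFFECTED_FROM.get(train)
    # A train missing from the quoted list is reported as "not listed", not as safe.
    return floor is not None and release >= floor

def days_until_trigger(version_text, uptime_days):
    """None if the release is not listed; otherwise days left before uptime reaches 213."""
    if not in_affected_list(version_text):
        return None
    return max(TRIGGER_UPTIME_DAYS - uptime_days, 0)

if __name__ == "__main__":
    # Constructed inventory: (banner or version string, current uptime in days).
    inventory = [
        ("Cisco Adaptive Security Appliance Software Version 9.1(6)11", 200),
        ("9.1(7.16)", 200),
        ("9.7(1)", 40),
    ]
    for version, uptime in inventory:
        print(version, "->", days_until_trigger(version, uptime))
```
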
04-22-2017 04:21 AM
You can continue to run 9.1(6.11) for many years as long as you don't need to use any of the newer features and security that are offered by the newer hardware and software.
Only you and your management can say whether that's an acceptable risk for your environment. Most security professionals would advise that it isn't; but it's your organization's decision in the end.
04-23-2017 10:29 PM
Hello Marvin,
Thanks for the information. I would like to know what is the new feature for 9.1.7(16)?
04-23-2017 10:48 PM
All Cisco software versions have associated release notes. For the few things introduced between 9.1(6) and 9.1(7) maintenance releases, please refer here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-789421
Within the 9.1(7) maintenance release there have been multiple interim releases. The notes for them are generally linked on the downloads page:
https://software.cisco.com/download/release.html?mdfid=279916878&flowid=4374&softwareid=280775065&release=9.1.7%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest
Specifically here are the release notes for 9.1(7.16) interim release:
http://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html
Interim releases are strictly for bug fixes and do not introduce new features.
You can similarly see on the parent pages of the minor release notes all of the later releases for 5500-X series models. As I noted, the end of sales 5500 series (including your 5520) is not supported beyond 9.1(x).