Upgrade ASA-X to 9.14

Started by Dieselboy, April 27, 2021, 09:50:27 PM


Dieselboy

I updated ASA-X from 9.8(4) to 9.12(4) and SSLVPN stopped functioning.

Has anyone done this upgrade or found something similar? The upgrade guide mentions that 9.15 needs to support newer ciphers and that a change in config is required: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html

KDog

#1
Haven't found this specific issue, but is it a compatibility issue with the level of hardware/firmware combination?

For instance you can't update ASA-5506X above ASA9.9(x) if you want FirePower services to function.

I'm guessing that if the ciphers have changed then you would need to build a new crypto map, or make sure old ciphers aren't enabled.
Never argue with an idiot.
They will bring you down to their level and beat you with experience.

Dieselboy

Hi KDog,

Where does it state that FirePOWER will no longer function on the 5506? I have a planned upgrade for this and didn't see such info :twitch:
I think it's against Australian consumer law for Cisco to do such things.

deanwebb

Quote from: Dieselboy on May 05, 2021, 12:43:53 AM
Hi KDog,

Where does it state that FirePOWER will no longer function on the 5506? I have a planned upgrade for this and didn't see such info :twitch:
I think it's against Australian consumer law for Cisco to do such things.

Could be incompatibility with older hardware. I know that we've got older gear that, while not EoL, is also not optimal for our latest version.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Here is the compatibility list - https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
I don't see anything saying the 5506 can't run 9.9. I also don't see any notice about 5506 and Firepower issues. There is a note in the 9.9 release notes about bugs in 9.9 with the 5506, so it does run. It just sucks. Also, 9.9.2 has an EOL notice posted here - https://www.cisco.com/c/en/us/products/security/asa-firepower-services/eos-eol-notice-listing.html
I would go with 9.12, which is not posted EOL yet and is listed as having support for the 5506. Usually the even-numbered releases are long-term support. Also, if the issue with the 5506 above 9.9 is true, Cisco is still supporting and patching 9.8. Maybe that is why 9.8 hasn't had an EOL notice posted yet. 9.10 does.

As for your 5515, we are running 9.12 without issues on 5515s, but we don't do SSL VPN.

-Otanx

KDog

#5
Quote from: Dieselboy on May 05, 2021, 12:43:53 AM
Hi KDog,
Where does it state that FirePOWER will no longer function on the 5506? I have a planned upgrade for this and didn't see such info :twitch:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_59003

Scroll down to "ASA and ASA FirePOWER Module Compatibility": it clearly shows the max FP version is 6.2.3 for the 5506X, and any ASA firmware above 9.9(x) isn't compatible.

Release notes:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html

"No support in 9.10(1) and later for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints."

Quote from: Dieselboy on May 05, 2021, 12:43:53 AM
I think it's against Australian consumer law for Cisco to do such things.
9.9(x) is still supported, so I'm not sure what laws they are breaking, if any. 9.9(2)85 is available and at the current patch level for the latest vulnerabilities.

Dieselboy

Thanks, will take a look. I didn't notice that.

They need to provide a fixed version of code that does not remove features in this case, or provide some other alternative or a $ refund if the product no longer functions for the purpose it was purchased.