Transcription of Cisco ASA Upgrade Guide
1 CiscoSecureFirewallASAU pgradeGuideFirstPublished:2010-01-01 LastModified:2023-09-07 AmericasHeadquartersCiscoSystems, West TasmanDriveSanJose,CA 95134-1706 : 408 526-4000800 553-NETS(6387)Fax:408 527-0883 2023 Cisco Systems,Inc. All rights Upgrade1 CHAPTER1 ImportantGuidelinesBeforeYou Upgrade1 ASA UpgradeGuidelines1 Version-SpecificGuidelinesand Migrations1 ClusteringGuidelines16 FailoverGuidelines19 AdditionalGuidelines20 FirepowerManagementCenterUpgradeGuidelin es20 FXOS UpgradeGuidelines20 ASA UpgradeChecklist21 Compatibility23 ASA and ASDMC ompatibilityPer Model23 ASA and to to to to ASA and Threat Defense29 RadwareDefenseProCompatibility36 ASA and ASA FirePOWERM oduleCompatibility39 SecureFirewallManagementCenterCompatibil itywith ASA FirePOWER45 UpgradePath46 ASA UpgradePath46 UpgradePath: ASA LogicalDevicesfor the Firepower4100/930053 UpgradePath: FXOS for Firepower4100/930054 UpgradePath.
2 ASA FirePOWER with ASDM54 CiscoSecureFirewallASAU pgradeGuideiiiUpgradePath: ASA FirePOWER with FMC57 UpgradePath: SecureFirewallManagementCenters59 Downloadthe Softwarefrom Software62 DownloadFXOS for the Firepower4100/930072 DownloadASA FirePOWERS oftware73 DownloadSecureFirewallManagementCenterSo ftware75 Back Up Your Configurations76 Upgradethe ASA77 CHAPTER2 Upgradethe Firepower1000/2100and SecureFirewall3100/420077 Upgradethe Firepower1000, 2100 in ApplianceMode, and SecureFirewall3100/420077 Upgradea StandaloneUnit77 Upgradean Active/StandbyFailoverPair82 Upgradean Active/ActiveFailoverPair85 Upgradean ASA Cluster(SecureFirewall3100/4200)90 Upgradethe Firepower2100 in PlatformMode95 Upgradea StandaloneUnit95 Upgradean Active/StandbyFailoverPair98 Upgradean Active/ActiveFailoverPair105 Upgradethe Firepower4100/9300113 UpgradeFXOS and an ASA StandaloneDeviceor Intra-ChassisCluster113 UpgradeFXOS and an ASA StandaloneDeviceor Intra-ChassisClusterUsing SecureFirewallChassisManager113 UpgradeFXOS and an ASA StandaloneDeviceor Intra-ChassisClusterUsing the FXOS CLI114 UpgradeFXOS and an ASA Active/StandbyFailoverPair117 UpgradeFXOS and an ASA Active/StandbyFailoverPair Using SecureFirewallChassisManager117 UpgradeFXOS and an ASA Active/StandbyFailoverPair Using the FXOS CLI119 UpgradeFXOS and an ASA Active/ActiveFailoverPair127 UpgradeFXOS and an ASA Active/ActiveFailoverPair Using
3 SecureFirewallChassisManager127 UpgradeFXOS and an ASA Active/ActiveFailoverPair Using the FXOS CLI130 UpgradeFXOS and an ASA Inter-chassisCluster138 CiscoSecureFirewallASAU pgradeGuideivContentsUpgradeFXOS and an ASA Inter-chassisClusterUsing SecureFirewallChassisManager138 UpgradeFXOS and an ASA Inter-chassisClusterUsing the FXOS CLI140 Monitorthe UpgradeProgress144 Verify the Installation144 Upgradethe ASA 5500-X,ASA Virtual, ASASM,or ISA 3000145 Upgradea StandaloneUnit146 Upgradea StandaloneUnit Using the CLI146 Upgradea StandaloneUnit from Your Local ComputerUsing ASDM148 Upgradea StandaloneUnit Using the Active/StandbyFailoverPair150 Upgradean Active/StandbyFailoverPair Using the CLI150 Upgradean Active/StandbyFailoverPair Using ASDM153 Upgradean Active/ActiveFailoverPair155 Upgradean Active/ActiveFailoverPair Using the CLI155 Upgradean Active/ActiveFailoverPair Using ASDM158 Upgradean ASA Cluster159 Upgradean ASA ClusterUsing the CLI159 Upgradean ASA ClusterUsing ASDM164 Upgradethe ASAFirePOWERM odule169 CHAPTER3 Traffic Flow and Inspection169 Upgradean ASA FirePOWERM odulewith ASDM169 Upgradethe FirepowerManagementCenter171 Upgradea
4 StandaloneSecureFirewallManagementCenter 171 UpgradeHigh AvailabilityFirepowerManagementCenters17 2 Upgradean ASA FirePOWERM odulewith FMC174 Downgradethe ASA177 CHAPTER4 Guidelinesand Limitationsfor Downgrading177 IncompatibleConfigurationRemovedAfter Downgrading179 Downgradethe Firepower1000, 2100 in ApplianceMode, SecureFirewall3100/4200179 Downgradethe Firepower2100 in PlatformMode180 Downgradethe Firepower4100/9300181 Downgradethe ISA 3000182 CiscoSecureFirewallASAU pgradeGuidevContentsCiscoSecureFirewallA SAU pgradeGuideviContentsCHAPTER1 PlanningYour UpgradeBeforeupgradingthe SecureFirewallASA, you shouldperformthe followingpreparation: Check compatibilitybetweendifferent versionsof operatingsystems;for example,make sure that theASA versionis compatiblewith the ASA FirePOWER moduleversion.
5 Checktheupgradepathforthecurrentversiont othetargetversion;ensureyouplanforanyint ermediateversionsrequiredfor each operatingsystem. Check for guidelinesand limitationsthat affect your intermediateand target versions,or that affectfailoverand clusteringzero downtimeupgrading. Downloadall softwarepackagesrequiredfrom Back up your configurations,especiallyif there is a followingtopics explainhow to upgradeyour ASA. ImportantGuidelinesBeforeYou Upgrade , on page 1 ASA UpgradeChecklist, on page 21 Compatibility, on page 23 UpgradePath, on page 46 Downloadthe Softwarefrom , on page 62 Back Up Your Configurations, on page 76 ImportantGuidelinesBeforeYou UpgradeCheck for upgradeguidelinesand limitations,and configurationmigrationsfor each Upgrade ,check for migrationsand any other MigrationsDependingon your currentversion,you might experienceone or more configurationmigrations,and have toconsiderconfigurationguidelinesfor all versionsbetweenthe startingversionand the endingversionwhenyou Guidelines (1)requires OracleJava version8u261or later Beforeyou upgradeto , besure to updateOracleJava (if used) to version8u261 or later.
6 This ,which isrequiredto upgradethe ASDML auncher. OpenJREis not Guidelines ASDM signed-imagesupportin (2) ( )and later The ASA now validateswhethertheASDM image is a Cisco digitallysigned you try to run an older ASDM image with an ASAversionwith this fix, ASDM will be blockedand the message %ERROR:Signaturenot valid for filedisk0:/<filename> ( )andlaterarebackwardscompatiblewith all ASA versions,even those withoutthis fix. (CSCwb05291, CSCwb05264) (1)upgradeissueif you enabledHTTPS/ASDM(withHTTPS authentication)and SSLon thesameinterfacewiththe sameport If you enable both SSL (webvpn>enableinterface) andHTTPS/ASDM(http)accessonthesameinterf ace,youcanaccessAnyConnectfromhttps://ip _addressand ASDM fromhttps://ip_address/admin, both on port 443.
7 However, if you also enable HTTPS authentication(aaa authenticationhttpconsole), then you must specifya different port for ASDM access startingin (1).Make sure you changethe port before you upgradeusing thehttpcommand.(CSCvz92016) ASDMU pgradeWizard Dueto ASD API migration,you must use or later to upgradeto ASA or later. BecauseASDMis backwardscompatiblewith earlier ASA versions,you canupgradeASDMto or later for any ASA Guidelines ASDM signed-imagesupportin ( ) ( )and later The ASA now this fix, ASDM will be blockedand the message %ERROR:Signaturenot valid for filedisk0:/<filename> ( )andlaterarebackwardscompatiblewith all ASA versions,even those withoutthis fix. (CSCwb05291, CSCwb05264) No supportfor ClientlessSSL VPNin (1)and later ClientlessSSLVPN isnolongersupported.
8 Webvpn The followingsubcommandsare removed: apcf java-trustpoint onscreen-keyboard port-forward portal-access-rule rewrite smart-tunnel group-policywebvpn The followingsubcommandsare removed: port-forward smart-tunnelCiscoSecureFirewallASAU pgradeGuide2 PlanningYour Guidelines ssl-clientless ASDMU pgradeWizard Dueto an internalchange,startingin March 2022 the upgradewizardwillno ( ) ( )tousethe Guidelines ASDM signed-imagesupportin ( ) ( )and later The ASA now this fix, ASDM will be blockedand the message %ERROR:Signaturenot valid for filedisk0:/<filename> ( )andlaterarebackwardscompatiblewith all ASA versions,even those withoutthis fix. (CSCwb05291, CSCwb05264) SNMPv3usersusingMD5hashingand DESencryptionare no longersupported,and the userswill be removed whenyou upgradeto (1) Be sure to changeany user configurationto highersecurityalgorithmsusing thesnmp-server usercommandbefore you Upgrade .
9 SSHhostkey actionrequired in (1) In additionto RSA, we added supportfor the EDDSAandECDSA host keys for SSH. The ASA tries to use keys in the followingorder if they exist: EDDSA,ECDSA,and then RSA. When you upgradeto (1),the ASA will fall back to using the ,werecommendthatyougeneratehigher-securi tykeysassoonaspossibleusingthecryptokey generate{eddsa|ecdsa} , if you explicitlyconfigurethe ASA to use the RSAkey with thessh key-exchangehostkey rsacommand,you must generatea key that is 2048 bits orhigher. For upgradecompatibility, the ASA will use smallerRSA host keys only when the defaulthostkey settingis used. RSA supportwill be removedin a later release. In and later, certificateswithRSAkeys are not compatiblewithECDSA ciphers Whenyouuse the ECDHE_ECDSA cipher group, configurethe trustpointwith a certificatethat containsanECDSA-capablekey.
10 Ssh versioncommandremoved in (1) Thiscommandhas been SSH version2 issupported. SAMLv1feature removed in (1) Supportfor SAMLv1was removed. No supportfor DH groups2, 5, and 24 in (1) Supporthas been removedfor the DH groups2,5, and 24 in SSL DH group dh-groupcommandhas been updatedto removethecommandoptionsgroup2,group5, Guidelines No supportin (1)and laterfor the ASA5525-X,ASA5545-X,and ASA5555-X (x) , Ciscoannouncesthe feature deprecationfor ClientlessSSLVPN effective (1) Limitedsupportwill continueon releasesprior to (1). For the Firepower 1010,invalid VLANIDs can causeproblems Beforeyou upgradeto (1), only, and (1)includesa check to make sure you are not using these IDs. For example,if theseIDs are in use after upgradinga failoverpair, the failoverpair will go into a suspendedstate.