Before upgrading the ASA, you should perform the following preparation:
- Check compatibility between different versions of operating systems; for example, make sure that the ASA version is compatible with the ASA Firepower module version.
- Check the upgrade path for the current version to the target version; ensure you plan for any intermediate versions required for each operating system.
- Check for guidelines and limitations that affect your intermediate and target versions, or that affect failover and clustering zero downtime upgrading.
- Download all software packages required from Cisco.com.
- Back up your configurations, especially if there is a configuration migration.
Step 1: Check current running version of ASA and ASDM.
Go to device and type command “Show version”
It will show the ASA and ASDM version as above.
You can also check available images in device itself
It will show all available images
Check on ASDM > Tools > File Management
Step 2: Check the latest release from Cisco. Always check with cisco TAC for stable version.
Note: Please always refer release notes for know errors and bug fixes.
Follow the ASA upgrade path
Need to check following:
- Any interim version requires to upgrade from current to proposed version or you can directly go to proposed version
- Any configuration migration requires or not
Note: This only require if you are going for major release changes like, 8.x to 9.x version
- ASDM version compatibility with proposed version.
Step 3: Once you finalize the target version of ASA and ASDM, download the latest images from the cisco portal.
Select a Product -> enter ASA – > Select Adaptive Security Appliances
Select product model (I’m using the ASA virtual appliances)
click on ASA software to download latest version of ASA software image.
Or click on ASA Device Manager to download ASDM image
Download the .bin file
Hover the file and copy MD5 checksum for intigrity checks in later part.Download ASDM image
Download ASDM image
Step 4: Upload images to device
Note: Please upload same image on both the devices if it is in HA mode
- Using CLI
You can upload images using the CLI, you need TFTP, FTP and HTTP server in case of if you are uploading the images using the CLI.
In privileged EXEC mode, copy the ASA software to flash memory.
Copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name
Tools > File Management > File transfer > Between > Between Local PC and Flash
to check image integrity, you can run below command
verify /md5 disk0:/image name
Compare the MD5 checksum with provided checksum. If it not matching with Cisco image checksum it means image is got corrupted, please remove the file and upload new image.
Set Boot Image
To check boot image “show running-config boot system”
To set new boot image “boot system disk0:/image name”
Set ASDM image if require
asdm image diskn:/[path/]asdm_image_name
You can only configure one ASDM image to use; in this case, you do not need to first remove the existing configuration.
ciscoasa(config)# asdm image disk0:/asdm-7141.bin
To apply new image, reload your firewall after reload you can see new image has been successfully install on this ASA firewall.