Cisco ASA Upgrade from 7.0(8) to 8.2(1)

Hi, I need to upgrade my 5510 ASA from 7.0(8) to 8.2(1). (Please note it's a different query from my last thread.)
What I found online is that I will have to do this upgrade in sequence, that is:
7.0.x --> 7.2.x --> 8.0.x --> 8.2.1
Is that correct?
Or will I go to 7.1.x first, like this?
7.0.x --> 7.1.x --> 7.2.x --> 8.0.x --> 8.1.x --> 8.2.1
Please guide. Also, I am assuming a reboot is required after every upgrade, right?

OK, I found something in another Cisco document. That is what I thought:
"To ensure that your configuration updates correctly, you must upgrade to each major release in turn. Therefore, to upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1, then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1 was only available on the ASA 5580)."

Similar Messages

  • How to sync clock of Cisco ASA 5505 from NTP Server on internet

    Hi there!
    I've set up a site with a Cisco ASA 5505. It has a public IP also.
    I want to sync the clock of the firewall from an NTP server on the internet, or with an internal domain controller that is inside the LAN.
    The firewall has a public IP also.
    How can I do this?
    Regards!

    Hello Lasandro,
    This should do it!
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1236530
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Cisco Ucs upgrade from 1.4(3m) to 2.1(1a)

    Hi!!
    I need to do an upgrade from 1.4(3m) to 2.1(1a)!
    I have 3 chassis 5108 (6 FEX 2104XP) with servers B200 M2 and B440 M2. I have two FI 6120XP in cluster mode.
    I've checked the prerequisites to upgrade but I have a question about default zoning.
    I have a Brocade switch 5300 (fw v6.4.1) attached to the FI 6120XP.
    I have SAN configured:
    I have no other configuration under the SAN tab.
    The documentation says:
    "Default Zoning is Not Supported in Cisco UCS, Release 2.1(1a) Onwards. Default zoning has been deprecated from Cisco UCS, Release 2.1(1a) onwards. Cisco has not supported default zoning in Cisco UCS since Cisco UCS, Release 1.4 in April 2011. All storage connectivity that relies on default zoning in your current configuration will be lost when you upgrade to Cisco UCS, Release 2.1(1a) or a later release. We recommend that you review the Fibre Channel zoning configuration documentation carefully to prepare your migration before you upgrade to Cisco UCS, Release 2.1(1a) or later."
    Can I upgrade to 2.1 (

  • Renewed Cert on ASA, Upgraded from AnyConnect 2.5 to 3.1

    We had been running AnyConnect 2.5 against our ASA and the cert on our ASA expired. The 2.5 client (and all of the iPad clients) had a way of saying, it's cool, connect anyway if the cert is not valid.
    I finally got around to renewing the cert on the ASA. We have an internal CA that I renewed it against. So if the CA's cert was not installed in your trusted cert store you would get an error. Many clients can connect just fine with the new 3.1 client, auto-upgrade, etc. (besides it lopping off the /vpn from the connection URL).
    We have a few of the clients that cannot connect. They get an error like:
    The certificate on the secured gateway is invalid. A VPN connection will not be established
    They have the CA's Root Cert installed in their trusted Cert Store. The Cert on the ASA has the proper CN, and Expiration date, so that should not be the issue.
    When I look in the Syslog I see:
    %ASA-7-725008: SSL client outside-interface:<Client Public IP>/50088 proposes the following 8 cipher(s).
    %ASA-6-725001: Starting SSL handshake with client outside-interface:<Client Public IP>/50088 for TLSv1 session.
    %ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
    %ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags FIN ACK on interface outside-interface
    %ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
    %ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags PSH ACK on interface outside-interface
    %ASA-6-725007: SSL session with client outside-interface:<Client Public IP>/50089 terminated.
    %ASA-4-113019: Group = SSL-VPN, Username = <userID>, IP = <Client Public IP>, Session disconnected. Session Type: SSL, Duration: 0h:00m:31s, Bytes xmt: 9787, Bytes rcv: 3991, Reason: User Requested
    %ASA-6-716002: Group <SSLVPNGrpPolicy> User <<UserID>> IP <<Client Public IP>> WebVPN session terminated: User Requested.
    %ASA-6-725002: Device completed SSL handshake with client outside-interface:<Client Public IP>/50089
    The other interesting thing is in ASDM: when I monitor the VPN connections, all of the trouble users show up in the "Clientless SSL VPN/Clientless" section, whereas the users that work fine are all in the "SSL VPN Client/WithClient" section. Though all of the ones in the "SSL VPN Client/WithClient" section have 'Clientless SSL-Tunnel DTLS-Tunnel' as the Protocol.
    We have completely removed AnyConnect and manually installed the client.
    We have connected to the ASA's SSLVPN URL and had it install the client.
    All the same result. It connects, asks for a username/password, displays the warning banner to accept, checks for upgrades, then on Establishing VPN comes up with the server's certificate is invalid.
    Is this a NAT/PAT issue on the remote end?
    Any Suggestions for these guys?
    Thank you,
       Scott<-

    AnyConnect 3.1 is a significant upgrade, even over 3.0.
    Over 3.0 it adds an enhanced GUI (common between Windows and Mac), NAM enhancement, crypto suite B enhancements, HostScan/Posture performance enhancements, IPv6 support, better untrusted certificate handling, plug-in component tiles, etc.
    3.0+ offers IPSec VPN client as opposed to SSL VPN.

  • Cisco 1252 upgrade from standalone autonomous to LWAPP

    Hi All,
    Can somebody please guide me through the process of upgrading a Cisco 1252 access point from Autonomous to Lightweight?
    I am attaching the show version log, which gives information about the current IOS
    on the access point; it's in standalone mode now.
    Any help would be greatly appreciated.
    Cheers,
    Satish

    Hi Satish,
    These two great threads discuss the methods to make this conversion;
    From Steve, Leo and Charles;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&topicID=.ee6e8b8&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2c5c3/0
    From Scott and Steve;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Getting%20Started%20with%20Wireless&topicID=.ee7c7c3&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2fd83/0
    Hope this helps!
    Rob

  • Moving Cisco ASA interfaces from gigabit to tengigabit

    Hi All,
    I need to confirm if the only way to move from interfaces gi0/x to ten0/x is:
    1) Remove the configurations on the gigabit interfaces and reconfigure (copy/paste) them in the new "location".
    (The new configuration will be EXACTLY the same... besides, obviously, the physical interface.)
    2) BTW, by doing this, I will automatically erase the NAT, ssh, service policy and other configuration!
    3) Paste all the previous configuration once again.
    ---> It could work, but I would like to use something "easier" without running into errors when pasting the configuration (the configuration is up to 60000 lines...).
    Maybe I can do this using ASDM besides the CLI? (I hate ASDM :-P )
    Any other experiences, suggestion?
    Many regards in advance.

    You have it right - the process is a bit cumbersome due to how the ASA uses nameif to assign logical names to physical interfaces. Once you "no nameif" the old interface, all the related lines in the configuration that reference it go away.
    Ideally, you can do this offline working from a complete backup (including any PSKs and SNMP community strings etc. that are normally encrypted) and just reload the configuration as a new startup-config into the box from bootup, having copied it all offline and changed the physical interface association only.
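
The offline approach described in the reply above, as an added example that is not part of the original thread: a Python script that rewrites only the physical interface names in a saved configuration, so every line that refers to a `nameif` is left untouched. The sample configuration, the port mapping and the function name `migrate_interfaces` are constructed for illustration.

```python
import re

# Constructed sample backup (not from the thread). Port names, addresses and
# the old -> new mapping below are assumptions for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.0.100.1 255.255.255.0
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface TenGigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
access-list outside_in extended permit tcp any host 10.0.100.10 eq 443
access-group outside_in in interface outside
nat (inside,outside) source dynamic any interface
failover lan interface folink GigabitEthernet0/3
ssh 10.0.100.0 255.255.255.0 inside
"""
MAPPING = {
    "GigabitEthernet0/0": "TenGigabitEthernet0/6",
    "GigabitEthernet0/1": "TenGigabitEthernet0/7",
    "GigabitEthernet0/3": "TenGigabitEthernet0/8",
}


def migrate_interfaces(config, mapping):
    """Return (new_config, changes); only physical interface names are rewritten."""
    targets = set(mapping.values())
    if targets & set(mapping) or len(targets) != len(mapping):
        raise ValueError("old and new ports must be distinct, one-to-one sets")
    lines = config.splitlines()

    # Pass 1: locate every "interface X" stanza (header plus indented body).
    stanzas, i = {}, 0
    while i < len(lines):
        m = re.fullmatch(r"interface (\S+)", lines[i])
        j = i + 1
        if m:
            while j < len(lines) and lines[j].startswith(" "):
                j += 1
            stanzas[m.group(1)] = (i, j)
        i = j

    # Pass 2: a target port that already has a stanza must be unused. Its
    # empty stanza is dropped so the renamed one does not duplicate it.
    drop = set()
    for old, new in mapping.items():
        if old not in stanzas:
            raise ValueError(f"{old} is not configured in this backup")
        for name, (start, end) in stanzas.items():
            if name == new or name.startswith(new + "."):
                body = [l.strip() for l in lines[start + 1:end]]
                if any(l.startswith("nameif ") for l in body):
                    raise ValueError(f"{name} is already in use (has a nameif)")
                drop.update(range(start, end))
                if end < len(lines) and lines[end] == "!":
                    drop.add(end)

    # Pass 3: rename whole tokens only, keeping any ".<vlan>" subinterface
    # suffix. The boundaries stop 0/1 from matching inside 0/10 or Ten...0/1.
    token = re.compile(r"(?<![\w/])(" + "|".join(re.escape(k) for k in mapping)
                       + r")(?=(?:\.\d+)?(?!\S))")
    out, changes = [], []
    for idx, line in enumerate(lines):
        if idx in drop:
            continue
        new_line = token.sub(lambda m: mapping[m.group(1)], line)
        if new_line != line:
            changes.append((line, new_line))
        out.append(new_line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    new_cfg, changes = migrate_interfaces(SAMPLE_CONFIG, MAPPING)
    for before, after in changes:
        print(f"- {before}\n+ {after}")
```

Review the printed change list before loading the result as the new startup-config; anything beyond interface headers and failover interface lines appearing in it deserves a closer look.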

  • CISCO ASA Enable DNS Lookup Problem

    I have a Cisco ASA 5510; from the ASA CLI I cannot resolve hostnames (cisco.com or google.com).
    Many forums say to do this:
    1. Whilst in enable mode > enter configure terminal mode, then enable DNS Lookups.
    CiscoASA#conf t
    CiscoASA(config)# dns domain-lookup Outside
    2. Then specify the external DNS Servers (Change IP addresses appropriately).
    CiscoASA(config)# dns server-group DefaultDNS
    CiscoASA(config-dns-server-group)# name-server 122.122.122.199
    CiscoASA(config-dns-server-group)# name-server 122.122.122.198
    CiscoASA(config-dns-server-group)# exit
    3. Test it by pinging a name/URL.
    CiscoASA(config)# ping www.20best.blogspot.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
    But there is no command (dns server-group) on my ASA.
    Please tell me how to do this, or any other way.
    My ASA is showing only:
    ail-ASA# sh runn
    : Saved
    ASA Version 7.0(8)
    hostname Mail-ASA
    domain-name rawabiholding.com
    enable password QuzxIf5jNzzT5kki encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.16.0.94 Test-web-mail
    name 172.16.5.63 Mail-server
    name 172.16.0.40 Web-Mail
    name 172.16.0.24 MX-A
    name 172.16.0.93 Test-Mail-MX
    name 172.16.1.55 DNS-1
    name 172.16.1.17 Web-Server
    name 172.16.0.41 Helpdesk.rawabiholding.com
    name 172.16.0.98 Test-Server
    no dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 10
    ip address 82.118.161.34 255.255.255.224
    interface Ethernet0/1
    nameif LAN
    security-level 100
    ip address 172.16.1.65 255.255.252.0
    interface Ethernet0/2
    nameif inside-Mail
    security-level 100
    ip address 172.16.5.37 255.255.255.0
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    management-only
    banner exec ************* If you are not Rawabi IT Member Please logout ********
    banner login *****************   Do not open or login , if you are not allowed *
    ftp mode passive
    dns domain-lookup outside
    dns name-server 212.102.0.82
    dns name-server 212.102.0.11
    access-list outside_access_in extended permit tcp any host 82.118.161.35 eq pop3
    access-list outside_access_in extended permit tcp any host 82.118.161.35 eq smt.

    Dear Jennifer,
    From the ISP router, I checked and it is resolving the name to an IP,
    but from the ASA 5510 it is not; it is giving an error.
    Jennifer Halim wrote:
    Doesn't look like the DNS servers that you configured is resolving any DNS requests.
    I have just tried both DNS server, and it is refusing the DNS:
    > www.google.com
    Server:  ns3.shabakah.net.sa
    Address:  212.102.0.82
    *** ns3.shabakah.net.sa can't find www.google.com: Query refused
    > www.google.com
    Server:  [212.102.0.11]
    Address:  212.102.0.11
    *** [212.102.0.11] can't find www.google.com: Query refused

  • Upgrade Cisco ASA from 8.4 to 9.1

    Hello,
    Can I upgrade ASA IOS from 8.4(1) to 9.1 without any impact to the configuration?
    I note that I have no NAT rules on my firewall.
    ASA5510 / RAM: 1024 MB
    Thanks for your help !

    I hope that you will find this discussion of upgrade paths to be helpful.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-763574
    HTH
    Rick

  • Cisco ASA 5505 - Can't Login from Public & Local IP Anymore!

    Hello,
    We have a Cisco ASA 5505 connected directly to a Verizon FiOS Circuit (ONT) box using an Ethernet cable. As per the existing documentation that I have, the previous configured this as a dedicated router to establish a separate VPN connection to our software provider. They assigned both a public static and a local static IP address. When I try to ping the public IP address, it says request timed out; so the public IP address is no longer working.
    When I ping the local IP address of 192.168.100.11, it responds. The SolarWinds tool also shows an Always UP signal. How can I log in to this router either remotely or locally to check the configuration, back it up and do the firmware upgrade?
    I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to the Internet without any issues. However, I don't know the IP address to use to log in.
    Any advice would be greatly appreciated. Thank you.
    UPDATE: I'm able to find the way! I need to use https to login! I'm able to download ASDM tool and login! Thanks to these resources:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
    http://cyruslab.wordpress.com/2010/09/09/how-to-download-asdm-from-asa5505-and-install-it/

    Hi Srinath,
    If that ASA5505 has the factory-default configuration on it, then it probably has the 192.168.1.1 IP address on the LAN side and has the DHCP server turned on to provide you an IP address dynamically the moment you hook up a machine to it directly or through a switch.
    If you have access to ASDM, you can go to the Configuration tab >> Device Management >> Device Access and turn on SSH & Telnet from the LAN interface, because by default only HTTPS/ASDM is enabled on the LAN interface.
    You will still need to generate crypto keys and create a username in order to get SSH working.
    For this you can click at the top on TOOLS >> Command Line Interface.
    And in the box below type this:
    crypto key generate rsa modulus 1024
    Add a username:
    username <> password <> priv 15
    And enable AAA authentication for SSH like this:
    aaa authentication ssh console LOCAL
    Let me know if this helps.
    Puneet

  • ASA Firewall Upgrade from 8.2,8.4, to 9.0

    Dear All ,
    We have five firewalls with the following details:
    First Firewall
    Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Second Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
    My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
    Third Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Fourth Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Fifth Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
    My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
    Please help; I am doing the upgrade remotely using ASDM and I don't want to do any upgrade that could result in disconnection.
    Best regards

    Hi Basel,
    Honestly, I wouldn't suggest a direct upgrade from 8.2 to 9.0. This is a *major* upgrade. The recommended path to reach 9.0 would be from 8.2-->8.4-->9.0
    Here are the release notes for 9.0:
    http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp690047
    Per above document:
    "If you are upgrading from a pre-8.3 release, see also the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration."
    Once you are on 8.3/8.4 (I would suggest 8.4, as a lot of issues were fixed post 8.3, as that was a huge transition from 8.2), the upgrade to 9.0 is fairly simple.
    The major part is the upgrade from 8.2 to 8.4, as the configuration changes and a few things can be broken as a result. I would highly recommend you check these docs before attempting an upgrade and also do it within a maintenance window so as to correct things in case they break:
    Following doc talks about 8.3 but it is applicable to direct upgrade to 8.4 as well:
    https://supportforums.cisco.com/docs/DOC-12690
    Release notes for 8.4:
    http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
    Sourav

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
    I have an ASA 5520 pair in an Active/Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on the Cisco site.
    Below is the process:
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
    1. Download the new software to both units, and specify the new image to load with the boot system command.
       Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
    2. Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
       active#failover reload-standby
    3. When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
       active#no failover active
       Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
    4. Reload the former active unit (now the new standby unit) by entering the reload command:
       newstandby#reload
    5. When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
       newstandby#failover active
    This completes the process of upgrading an Active/Standby Failover pair.
    Also, after the upgrade, are there any changes required after the IOS migration (i.e. are there any changes in the command line between 8.4.6 and 9.1.2)?
    It is mentioned on the Cisco site that:
    Major Release—You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions; it's just that in access rules from 9.1 you have to use any4 instead of any for IPv4 and any6 for IPv6. During conversion it will get converted automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma

  • Advice on upgrading ASA 5510 from version 8.4(4)1

    Hello all,
    Due to an issue we need to upgrade our ASA. Cisco Support team recommended upgrading to version 8.4.7, but, as we'll upgrade, we'd like to upgrade to version 9.
    We still use Cisco VPN Client for Remote Access VPNs so I'd like your advice on which version to install on ASA.
    Would you recommend version 9.0.3? 9.1.X?
    Thanks in advance,
    Igor

    We have a pretty huge ASA and ASASM complex, and we are just about finished upgrading from an assortment of 8.4.x, 8.5.x, and 8.6.x installs to 9.1.3 on everything. There is one gotcha on some systems in that there is a file system change or some sort of bug that is fixed in 8.4.5 I think. So you _may_ have to first upgrade to a newer version (8.4.7 would work) before going to 9.1.3.
    Our Cisco team has recommended going to version 9.x, and this is supported by recent tickets I've had on our stuff still running on 8.x, as the TAC engineer often says we need to upgrade to version 9.
    For our setup, we had some fatal bugs in 8.4.6 and 8.4.7 that kept us running 8.4.5 for a very long time on some equipment.
    Anyway, I would recommend going to 9.1.3, which is one removed from the recently released 9.1.4. Our AnyConnect VPN complex has been on 9.1.3 for a few months now with no issues. Be sure to read the release notes thoroughly as 9.x changes some command contexts, new features, etc.
    Graham

  • Upgrading license for more context cisco asa 5580

    Hi guys:
    This is the situation: I've got two firewalls with failover and I need to upgrade the license so I can get more contexts (right now I have 5 contexts and I need 10), so I was looking at the procedure and I'm not sure if I need to restart the device or not. I was looking at this procedure:
    Upgrading the License for a Failover using ASDM (No Reload Required)
    Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
    1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.
    2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.
    3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
    4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
    5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
    6. Click Apply. This completes the procedure.
    link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml#norelasdm
    But then I checked on the Cisco web page that there are some licenses that need a reload. I see this:
    All models
    Downgrading any license (for example, going from 10 contexts to 2 contexts).
    Note: If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
    link: https://www.cisco.com/en/US/docs/security/asa/asa81/license/license81.html
    So I just want to know: if I'm UPGRADING from 5 to 10 contexts, does the reload apply to my situation or not?
    Regards

    No reload is required when you are upgrading from 5 to 10 security context license.
    Reload is only required on the following feature:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1361750
    Hope this helps.

  • Reasons to upgrade cisco ASA

    Hi,
    I have two Cisco ASA 5540s; these ASAs are running ver. 7.2 and are used mainly as VPN gateways.
    My question is simple: apart from the extra AnyConnect client functionality and the higher encryption, are there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x?
    Thanks
    A.

    Ammar,
    Each version has Release Notes. For the ASA they are all posted here.
    In each Release Note there is a "Resolved Caveats" sections. That is where the fixes for all problems - vulnerabilities as well as functions/features - are listed.
    Besides higher encryption and the AnyConnect client, you can also use IKE v2 (as of 8.4(1)), which is more secure during session setup (apart from the level of encryption). You can also use identity-based features and a host of other features to further secure your remote access VPNs. On the other hand, if what you have now is meeting your needs, the only compelling reasons to upgrade are vulnerability and bug fixes (and perhaps a prettier version of ASDM that will run with the newest Java versions).

  • Cisco ASA non zero downtime upgrade

    Hello,
    With a NON zero downtime upgrade procedure, are all connections lost, even the NAT and ARP tables? Here, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ha_overview.html#wp1078922, in Table 61-2 State Information, I think it is only for plain failover and not for an upgrade with a non zero downtime upgrade procedure.

    Assuming you have a working HA pair with stateful failover, the Cisco supported answer is that you cannot skip minor releases (i.e. going from 9.1 directly to 9.3).
    You CAN upgrade directly from 9.1(2) to 9.1(5) as that third ordinal (the number in parentheses) is known as the maintenance release level.
    See table 1-6 in the Release notes for confirmation, excerpted here:
    "You can upgrade from any maintenance release to any other maintenance release within a minor release.
    For example, you can upgrade from 8.4(1) to 8.4(6) without first installing the maintenance releases in between."
    Note that 9.1(3) or later have some restrictions that are unique to those more recent code levels as some file system changes were put in place that requires certain prerequisites for a successful upgrade. Given that you are on 9.1(2) already that doesn't affect you in this case but it may be a consideration for other readers. Those requirements are noted just above Table 1-6 in those release notes.
