Upgrade ASA Compatibility 8.4 to 9.1

Similar Messages

• Upgrading ASA 5510 from 8.0.4 to 8.2.5

  We want to implement Netflow so want to upgrade our 5510 to 8.2.5. But have a few questions.
  This device has 64MB of flash and 256MB of DRAM. Would I need to upgrade RAM? Right now we have about 25 site to site VPNs running through this thing as well as a few remote clients. Is this enough to constitute a memory upgrade?
  Right now we are running ASDM 6.4.7. Should we upgrade to a higher version?
  And lastly, would the upgrade to 8.2.5 require the use of AnyConnect for our VPN client users? Our 5505 is on version 8.2.5 and doesn't require AnyConnect, but wanted to make sure.
  Thank you for your time.

  Hi Michael,
  The RAM upgrade is needed if you want to go to 8.3+ code. Although you might find that you are running low on RAM and that will impact your ability to run packet captures, so an upgrade doesn't hurt...
  ASDM can be upgraded seperately and does not require a reboot + new ASDM versions are backwards compatible with older ASA codes...
  http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html#wp42231
  ASA 8.0(4)
  ASDM 6.1(3) and later.Recommended: 7.1(4).
  ASA 8.2(5)
  ASDM 6.4(3) and later.Recommended: 7.1(4).
  Although the Cisco VPN Client is eol and the replacement is AnyConnect, you are not forced to go that direction in any code...
  Patrick

• Problems after upgrading ASA from 8.4.5 to 9.1.1

  Hi,
  We are having problem with behavior of nat statement after upgrading ASA. Here are results of packet tracer in our testing environment:
  object network onBK028VRRP
  host 1.1.1.111
  object network onSIEMServers
  host 1.1.1.1
  object service osSyslog
  service tcp source eq telnet
  object-group network ognBK028ClientsOutside
  network-object 10.0.0.0 255.0.0.0
  nat (inside,outside) source static onBK028VRRP onSIEMServers destination static ognBK028ClientsOutside ognBK028ClientsOutside service osSyslog osSyslog
  ASA 8.4.5
  packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   1.1.1.0         255.255.255.0   inside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group IZOUTSIDE in interface outside
  access-list IZOUTSIDE extended permit tcp any any eq www
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xce99ccc8, priority=13, domain=permit, deny=false
          hits=0, user_data=0xc91bc540, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
          input_ifc=outside, output_ifc=any
  Phase: 3
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xcb53d948, priority=0, domain=inspect-ip-options, deny=true
          hits=42, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=outside, output_ifc=any
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Reverse Flow based lookup yields rule:
  in  id=0xcb561758, priority=0, domain=inspect-ip-options, deny=true
          hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=inside, output_ifc=any
  Phase: 5
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 43, packet dispatched to next module
  Module information for forward flow ...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_tcp_normalizer
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat
  Module information for reverse flow ...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_tcp_normalizer
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat 
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: allow
  ASA 9.1.1
  packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   1.1.1.0         255.255.255.0   inside
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (no-route) No route to host
  Which option change this?
  BR,  M.

  Looks like you are hitting the following bug: CSCud64705
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud64705

• Zero downtime Upgrade ASA 8.0(4) TO 8.4(7)

  Hi All,
  I checked a few blogs and upgrading ASA 5520 from 8.0(4) to 8.4(7) following below path. I will be upgrading  RAM to 2GB at version 8.2.5. Reason for 8.4.6 is we may get an error message ""No Cfg structure found in downloaded image file" Error Message" if we upgrade directly to 8.4.7.
  Please advise if we can perform Zero downtime upgrade if I follow below path and will they still be in HA? Active/standby
  8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
  8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
  I believe below one should not be a problem.
  8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
  Thanks in advance.
  Regards

  8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
  HA will work...as in the units will failover.  But due to changes in configuration syntax you could run into problems with config synchronisation. And could also cause issues in traffic flow if a failover occurs.  So it is best to upgrade the second ASA to the new version ASAP.  It is also the reason cisco recommend using the same Major and Minor software versions.
  8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
  Same as above.
  8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
  This should be fine
  Please remember to select a correct answer and rate helpful posts

• EREC : Upgrading browser compatibility for SAP E-Recruiting

  Hi
  We are currently using E-Recruiting 603 Sp 2 (Netweaver 7), does anyone knows how to upgrade browser compatibility. Currently we are only supporting Internet Explorer and Firefox up to version 7.0 and 3.5 respectively. Does anyone how to upgrade the browser compatibility to includes the newer version of IE, Firefox, Chrome and Safari.
  Expert please help.
  Regards
  Ridzuan

  Hi Ridzuan,
  We have exactly the same problem as we currently run eRecruitment on EHP3 (Netweaver 7.00).
  With EHP3, SAP officially support IE and Firefox only. This doesn't help external job applicants who can be
  applying using any web browser. In particular Mac users tend to use Safari as its the default browser. Its not at all
  good customer service to have to tell job applicants to download and install Firefox just to be able to fill in a job application.
  When we originally implemented, eRecruitment worked fine in Safari, but currently all the drop down lists, date pickers
  and pop-up dialogs fail to render making it unusable. This is caused by a security restriction in WebKit (used by Safari and
  Chrome) blocking frame navigation.
  SAP officially support Safari as of EHP5 (which runs on Netweaver 7.02). If running via the portal you'd need Netweaver 7.2 portal or above for Safari support for the portal.
  I also found a SAP Note 1642778 " which includes "Unified rendering: Support for Safari, Chrome browser", which is
  relevant to EHP4 (Netweaver 7.01). Upgrading to EHP4 and above isn't a small step if you've done any significant customisation on the BSP Recruiter pages as these are replaced with new ABAP WebDynpro pages.
  To date I haven't seen the unified rendering corrections back ported to Netweaver 7.00 even though they were for 7.01
  and this isn't officially supported (as per the PAM as mentioned by Andy).
  See https://service.sap.com/pam
  Then look at the link in the middle of the page:
  "Browser information for: SAP NETWEAVER 7.0,  SAP EHP1 FOR SAP NETWEAVER 7.0 and  SAP EHP2 FOR SAP NETWEAVER 7.0 "
  This opens a PDF showing official support dependencies between browser versions and SAP versions and patch levels.
  EHP3=Netweaver 7.00
  EHP4=Netweaver 7 EHP1 (a.k.a. 7.01)
  EHP5=Netweaver 7 EHP2 (a.k.a 7.02)
  To see what patch level you're running log into the SAP GUI on the eRecruitment system, then select System->Status...
  from the menu. Click the detail (maginifying glass icon on the right next to Component Version). Then look at the patch
  level of the SAP_BASIS component. Compare this to the patch levels in the browser support PDF to see which versions
  to upgrade to e.g. SP24 or higher for IE9 support.
  We're currently patching our EHP3 system up to SP25 to help with IE9. Firefox 8 is working (as is Firefox 9 beta).
  Sadly Safari and Chrome still aren't working and this is the latest patch level. SP26 is mentioned but not out yet.
  Also check the browser roadmap on p17 of the browser support PDF. It makes clear they intend to support Safari and Chrome
  going forward but no timescale is given.
  George

• Problems upgrading ASA 5505 memory

  I am trying to get experience with 8.4 code on my 5505.  I purchased a Cisco 512MB memory upgrade and installed it.  It booted up once and I thought I was ok.  I then looked down and noticed that all lights were blinking on the front panel and I had no console access.
  Since I dont have smartnet on my personal 5505, calling TAC for help isnt an option.  That is why I spent extra money on Cisco memory but it looks that didnt help.  I am assuming all blinking lights isnt a good thing but I havent been able find an explanation.
  I will try reseating the memory to see if that is the problem.  I put the ASA on an anti-static mat and had it and myself properly grounded.
  If this doesnt fix it, I will return the Cisco memory to the vendor and go back to the original installed memory.  The ASA 5505 worked fine on 8.2.5.
  Would appreciate any suggestions,
  Ron

  Ronald and James,
  It has been over a month since you posted, so perhaps your issue was resolved.  I actually experienced the exact same issue with my personal ASA 5505 today following an upgrade to 512MB.  What really surprised me was James' comment that his worked for about 12 hours and stopped.  That's exactly what happened to me today.  It might have been 13 hours, but it was definitely in the ballpark.
  The first thing I did was just disconnect power and re-connect the power to see if it magically went away.  (I've never had to cycle the power on my ASA before, so I was not hopeful this would work.  In fact, I was glad it did not work, as that would concern me even more.)
  The next thing I did was disconnect everything, open the case, remove the RAM, blow out all of the dust using compressed air, and then re-install the RAM.  So far, so good, but it has only  been 15 minutes.
  I'll keep an eye on this, obviously, but I am nonetheless curious to hear more about your situations.  Were you able to resolve the problem permanently or were you unable to make the upgrade to 512MB?
  UPDATE - My ASA continued to have issues with the new RAM module.  It turned out to be a defective SIMM.  I contacted the seller and returned the defective SIMM.  They sent a new one and it works just fine.

• Upgrading ASA (5520) from 8.2(5) to 8.4(6)

  Hi All,
  I'm planing to upgrade my failover firewalls active/standby from 8.2.5 to 8.4.6. I read about the NAT and I think I'm ready for it cross fingers
  My plane is
  Upload the 8.4.6 and ASDM 7.1.3 for both firewalls then assgin the boot and ASDM image to the new files. After thaton the active firewall reload the standby and wait until its up and running (cross finger again) then force the active to be standby and reload the standby to get the new 8.4.6.
  am I right about that? or should I upgrade to 8.3.1 or 8.3.1 first ?? please if it is, can you give me the full upgarde path?
  Thanks in advance!!!

  I don't know if I'm going to answer your question.  But here is my latest experience, about year ago.  I just preformed an upgrade from 8.0.x to 8.4.4.1 on a pair of ASA 5510's in failover using CLI.  The upgrade seem to go smooth from our end,  but all connection did drop.  We followed these steps here.  NAT wasn't an issue for us. 
  Point is, there really isn't an upgrade path.  Just reload stand-by unit, make it the active unit and watch the connections.  Ours dropped don't know why.
  Don't know if that helps,
  Nick

• Advice on upgrading ASA 5510 from version 8.4(4)1

  Hello all,
  Due to an issue we need to upgrade our ASA. Cisco Support team recommended upgrading to version 8.4.7, but, as we'll upgrade, we'd like to upgrade to version 9.
  We still use Cisco VPN Client for Remote Access VPNs so I'd like your advice on which version to install on ASA.
  Would you recommend version 9.0.3? 9.1.X?
  Thanks in advance,
  Igor

  We have a pretty huge ASA and ASASM complex, and we are just about finished upgrading from an assortment of 8.4.x, 8.5.x, and 8.6.x installs to 9.1.3 on everything. There is one gotcha on some systems in that there is a file system change or some sort of bug that is fixed in 8.4.5 I think. So you _may_ have to first upgrade to a newer version (8.4.7 would work) before going to 9.1.3.
  Our Cisco team has recommended going to version 9.x, and this is supported by recent tickets I've had on our stuff still running on 8.x, as the TAC engineer often says we need to upgrade to version 9.
  Four our setup, we had some fatal bugs in 8.4.6 and 8.4.7 that kept us running 8.4.5 for a very long time on some equipment.
  Anyway, I would recommend going to 9.1.3, which is one removed from the recently recleased 9.1.4. Our AnyConnect VPN complex has been on 9.1.3 for a few months now with no issues. Be sure to read the release notes thoroughly as 9.x changes some command contexts, new features, etc.
  Graham

• Upgrading ASA 5510 IOS

  I have recently come upon a ticket that requires functionality from a later version of the ASA 5510 IOS Firmware, upon researching how to do this upgrade I got caught in a catch 22 where I am unable to dowload ASDM or the ASA software, apparantly I need a service account? I'm looking at Ciscos software download page and searching ASDM which then brings up links to two pages which are ASA and ASDM. Can anyone verify that I do need a service account or point me in the right direction to get these software components?

  Hello,
  You need Smartnet contract for the ASA. With that, you can regester on cisco website and can download necessary software. Reachout to Cisco auth reseller or your account rep for more details.
  hth
  MS

• Upgrading ASA licenses on CSM

  Hi is there anyone who knows how to upgrade an ASA license (the Security Plus License) using CSM 7.0?

  CSM does not manage device licenses, so you cannot do it in CSM.
  What you can do is use a FlexConfig to push the command "activation-key xxxx" from CSM, or use CLI to do it. It will not cause CSM problems because CSM will not see it in the config since it is not stored in there anyway.
  I hope it helps.
  PK

• Upgrading ASA 5520

  Just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I have copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it's not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.

  Try this,
  To upgrade/install the ASDM follow the example procedure,
  ASA(config)# copy tftp flash
  Address or name of remote host [x.x.x.x]?
  Source filename [pix704.bin]? asdm-504.bin
  Destination filename [asdm-504.bin]?
  Accessing tftp://x.x.x.x/asdm-504.bin...!!!!!!!!!!!!!!!!!!!!!
  Writing file flash:/asdm-504.bin...
  5958324 bytes copied in 165.460 secs (36111 bytes/sec)
  ASA(config)#
  ASA(config)# sh flash
  Directory of flash:/
  7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
  11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
  13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
  // asdm-504.bin is now copied in the flash. Now we need to set PIX to use
  // this image for loading ASDM.
  ASA(config)# asdm image flash:/asdm-504.bin
  // Last steps involve saving the running configuration to memory as we have
  // made changes to boot files and reloading the PIX.
  ASA(config)# write memory
  Building configuration...
  Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
  4807 bytes copied in 3.20 secs (1602 bytes/sec)
  [OK]
  ASA(config)# reload
  // Once PIX comes back up, we can verify that upgradation has been successfull
  // by using "show version" command.
  Refer to the link ASDM Upgrade Procedure
  http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8
  hope this helps.. all the best.. rate replies if found useful..
  Raj

• Upgrade ASA-SSM-10 via FTP

  Hi all,
  I am trying to upgrade an ASA-SSM-10 running version 5.1 software.
  I have set up an FTP server using Serv-u and can connect to it successfully.
  When I attempt to upgrade using the following command, I get the error below.
  sensor(config)# upgrade ftp://[email protected]//IPS/IPS-K9-6.0-3-E1.pkg
  The filename IPS-K9-6.0-3-E1.pkg is not a valid upgrade file type.
  Continue with upgrade? []: yes
  Error: execUpgradeSoftware : Connect failed
  I have tried 2 FTP servers and receive the same error I have tried 4 upgrade packages and receive the same error.
  Does anyone have any advice on how to fix this issue.
  Thank you
  Greg

  Your upgrade commands look correct. http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1243115
  I've had some problems with Serv-U in the past year or so. I had to switch to FileZilla to perform my last upgrade.
  http://filezilla-project.org/
  - Bob

• Windows 8 installation - Upgrade Assistant compatibility Issue - Bluetooth Win7 Suite

  Having procured an on-line download of Windows 8, from the Microsoft web site, I am a little concerned about an incompatibility identified by the Microsoft
   Upgrade Assistant; namely:-
   "Bluetooth Win7 Suite (64) - Atheros Communications"
  This incompatibility was identified after restoration of an original copy of the Windows 7 operating system, as installed by the manufacturer of my PC! (Recovered from an Acronis image).
  That is, the operating system, prior to installation of any personal software, or external hardware, or divers!
  Hence, I can only assume, that "Bluetooth Win7 Suite (64)" is a sub component of one of the original components of the computer:
  ASUS P8Z68-V LE Motherboard
  NVIDIA Quadro 600 1024MB Professional Video Card
  Intel  i7 2600K Processor (3.4 GHz - no over-clocking)
  16GB Corsair PC3-12800 1600MHz DDR3 Memory (4x4 GB sticks)
  Qty 2 Sony 24x DVD-RW drives
  Qty 2 120GB Corsair Force 3 SSD (No Raid)
  Qty 1 1000GB 7200 HDD
  Onboard High Definition Audio
  My plan was to perform a clean installation of Windows 8, but I have no understanding what the implications of this incompatibility will be!
  Namely, what the function of  Bluetooth Win7 Suite (64), is! And what hardware it is associated with!
  Whether a clean installation will work, without  Bluetooth Win7 Suite (64)
  Whether Windows 8 install will have onboard drivers, for all of the above hardware!
  After installation of Windows 8, and installation of the manufactures latest drivers, for the Motherboard and Video Card, will I have to search elsewhere 
  for a driver for the Bluetooth Win7 Suite (64)
  I would appreciate any advice on this matter!
  Brian

  Hi,
  Based on my research, it seems that Bluetooth Win7 Suite (64) is a program developed by Atheros Communications.
  So, do you have any Bluetooth device? Did you install it?
  Please also check if it lists in Programs and Features.
  However, if you do not have any Bluetooth device or you do not use this program, in my opinion, it will not affect the installation of Windows 8.
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• Upgrade ASA Software from 8.3.2 to 8.4.3

  Hi,
  does anybody did an Upgrade from an 8.3 version to the new version 8.4.3 and can give some hints or links to read?
  I only have a production system and nothing to test and I don' want to get a nasty surprise...
  Thanks a lot in advance

  If you're already on 8.3(2) you've already gotten past the tricky bit - the new NAT syntax and access-list object use. There are some minor changes with identity NAT in going up to 8.4(3) as described here but that's about it as far as things to watch out for.
  The TAC is quite helpful and it is a good idea to open a case proactively just to have them on hand to take a quick look at any issues that come up. The TAC security team deals with these upgrades every day and is very adept at zeroing in on the root cause of  any issues you are having and setting things straight within in few minutes.

• SL upgrade and compatibility

  I have a Mac Mini running OS X v. 10.4.10.
  1. Can I upgrade directly to Snow Leopard?
  2. Will Adobe CS 2 applications still run?

  lgonick wrote:
  Does anyone happen to know if I can run it on two computers at once?
  Almost surely not on two computers at once. You should read the license. Just occasionally I find a license that allows software to be installed on more than one computer as long it isn't used on more than one computer at the same time (it's as if they're licensing the software to a user and don't care which computer you run it on.) That's pretty rare anymore... I think you'll probably find it cannot be installed on more than one computer at a time.
  On a related note... I do like Adobe's "upgrade" policy. You generally qualify to purchase at the "upgrade" price as long as you own any prior version... they don't seem to require that you own the most recent previous version (in other words, I'm pretty sure that by owning CS2 you qualify to buy CS4 at the "upgrade" price without having owned CS3.)