Upgrade ASA Compatibility 8.4 to 9.1
Hi
Does anybody know if it is possible to have a mismatch in configuration if I upgrade from 8.4.5 to 9.1.5? This is because the bug said that 8.4.7.15 and prior are vulnerable.
This bug says that 8.4.7.6 is the fix, but I can find that in the download software (8.4.7.15 is the last of this train).
The version is ASA 5540 Adaptive Security Appliance 8.4(5), Device Manager Version 6.4(9)
Thanks for your help.
Regards
I hope that you will find this discussion of upgrade paths to be helpful.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-763574
HTH
Rick
Similar Messages
-
Upgrading ASA 5510 from 8.0.4 to 8.2.5
We want to implement Netflow so want to upgrade our 5510 to 8.2.5. But have a few questions.
This device has 64MB of flash and 256MB of DRAM. Would I need to upgrade RAM? Right now we have about 25 site to site VPNs running through this thing as well as a few remote clients. Is this enough to constitute a memory upgrade?
Right now we are running ASDM 6.4.7. Should we upgrade to a higher version?
And lastly, would the upgrade to 8.2.5 require the use of AnyConnect for our VPN client users? Our 5505 is on version 8.2.5 and doesn't require AnyConnect, but wanted to make sure.
Thank you for your time.
Hi Michael,
The RAM upgrade is needed if you want to go to 8.3+ code. Although you might find that you are running low on RAM and that will impact your ability to run packet captures, so an upgrade doesn't hurt...
ASDM can be upgraded separately and does not require a reboot + new ASDM versions are backwards compatible with older ASA codes...
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html#wp42231
ASA 8.0(4)
ASDM 6.1(3) and later. Recommended: 7.1(4).
ASA 8.2(5)
ASDM 6.4(3) and later. Recommended: 7.1(4).
Although the Cisco VPN Client is eol and the replacement is AnyConnect, you are not forced to go that direction in any code...
Patrick
-
Problems after upgrading ASA from 8.4.5 to 9.1.1
Hi,
We are having problem with behavior of nat statement after upgrading ASA. Here are results of packet tracer in our testing environment:
object network onBK028VRRP
 host 1.1.1.111
object network onSIEMServers
 host 1.1.1.1
object service osSyslog
 service tcp source eq telnet
object-group network ognBK028ClientsOutside
 network-object 10.0.0.0 255.0.0.0
nat (inside,outside) source static onBK028VRRP onSIEMServers destination static ognBK028ClientsOutside ognBK028ClientsOutside service osSyslog osSyslog
ASA 8.4.5
packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group IZOUTSIDE in interface outside
access-list IZOUTSIDE extended permit tcp any any eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xce99ccc8, priority=13, domain=permit, deny=false
hits=0, user_data=0xc91bc540, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb53d948, priority=0, domain=inspect-ip-options, deny=true
hits=42, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb561758, priority=0, domain=inspect-ip-options, deny=true
hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
ASA 9.1.1
packet-tracer input OUTSIDE tcp 10.1.1.1 50000 1.1.1.1 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.0 255.255.255.0 inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Which option changes this?
BR, M.
Looks like you are hitting the following bug: CSCud64705
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud64705
-
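For the 8.4.5 and 9.1.1 packet-tracer runs in the NAT thread above, running the same probe before and after an upgrade and diffing the results shows where the new image stops processing the flow. The Python script below is an added example, not code from the posters or from Cisco; the function names `parse_trace` and `compare` are hypothetical, and the sample traces are abridged from the thread's output.

```python
# Constructed sample input: the thread's two traces, abridged to the fields used here.
TRACE_845 = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Phase: 3
Type: IP-OPTIONS
Result: ALLOW
Phase: 4
Type: IP-OPTIONS
Result: ALLOW
Phase: 5
Type: FLOW-CREATION
Result: ALLOW
Result:
output-interface: inside
Action: allow
"""
TRACE_911 = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Result:
output-interface: inside
Action: drop
Drop-reason: (no-route) No route to host
"""

def parse_trace(text):
    """Return ([(phase type, phase result), ...], final summary dict)."""
    phases, summary, cur, in_summary = [], {}, None, False
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if not sep:
            continue  # rule dumps, module lists and other colon-free detail
        key, val = key.strip(), val.strip()
        if key == "Phase":
            cur = {"Type": "", "Result": ""}
            phases.append(cur)
        elif key == "Result" and not val:
            in_summary = True  # a bare "Result:" opens the final verdict block
        elif in_summary:
            summary[key] = val
        elif cur is not None and key in cur:
            cur[key] = val
    return [(p["Type"], p["Result"]) for p in phases], summary

def compare(before, after):
    """Describe how the post-upgrade trace differs from the pre-upgrade one."""
    b_phases, b_sum = parse_trace(before)
    a_phases, a_sum = parse_trace(after)
    findings = []
    if b_sum.get("Action") != a_sum.get("Action"):
        reason = a_sum.get("Drop-reason", "no drop reason given")
        findings.append(f"verdict changed: {b_sum.get('Action')} -> {a_sum.get('Action')} [{reason}]")
    skipped = [ptype for ptype, _ in b_phases[len(a_phases):]]
    if skipped:
        last = a_phases[-1][0] if a_phases else "none"
        findings.append(f"stopped after {last}; never reached: {', '.join(skipped)}")
    return findings

if __name__ == "__main__":
    for finding in compare(TRACE_845, TRACE_911):
        print(finding)
```

The parser also accepts the full `detailed` output, since lines it does not recognise are skipped.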
Zero downtime Upgrade ASA 8.0(4) TO 8.4(7)
Hi All,
I checked a few blogs and am upgrading an ASA 5520 from 8.0(4) to 8.4(7) following the path below. I will be upgrading RAM to 2GB at version 8.2.5. The reason for 8.4.6 is that we may get the error message "No Cfg structure found in downloaded image file" if we upgrade directly to 8.4.7.
Please advise if we can perform Zero downtime upgrade if I follow below path and will they still be in HA? Active/standby
8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
I believe below one should not be a problem.
8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
Thanks in advance.
Regards
8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
HA will work...as in the units will failover. But due to changes in configuration syntax you could run into problems with config synchronisation. And it could also cause issues in traffic flow if a failover occurs. So it is best to upgrade the second ASA to the new version ASAP. It is also the reason Cisco recommends using the same Major and Minor software versions.
8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
Same as above.
8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
This should be fine
-
EREC : Upgrading browser compatibility for SAP E-Recruiting
Hi
We are currently using E-Recruiting 603 Sp 2 (Netweaver 7). Does anyone know how to upgrade browser compatibility? Currently we are only supporting Internet Explorer and Firefox up to version 7.0 and 3.5 respectively. Does anyone know how to upgrade the browser compatibility to include the newer versions of IE, Firefox, Chrome and Safari?
Expert please help.
Regards
Ridzuan
Hi Ridzuan,
We have exactly the same problem as we currently run eRecruitment on EHP3 (Netweaver 7.00).
With EHP3, SAP officially support IE and Firefox only. This doesn't help external job applicants who can be
applying using any web browser. In particular Mac users tend to use Safari as it's the default browser. It's not at all
good customer service to have to tell job applicants to download and install Firefox just to be able to fill in a job application.
When we originally implemented, eRecruitment worked fine in Safari, but currently all the drop down lists, date pickers
and pop-up dialogs fail to render making it unusable. This is caused by a security restriction in WebKit (used by Safari and
Chrome) blocking frame navigation.
SAP officially support Safari as of EHP5 (which runs on Netweaver 7.02). If running via the portal you'd need Netweaver 7.2 portal or above for Safari support for the portal.
I also found SAP Note 1642778, which includes "Unified rendering: Support for Safari, Chrome browser", which is
relevant to EHP4 (Netweaver 7.01). Upgrading to EHP4 and above isn't a small step if you've done any significant customisation on the BSP Recruiter pages as these are replaced with new ABAP WebDynpro pages.
To date I haven't seen the unified rendering corrections back ported to Netweaver 7.00 even though they were for 7.01
and this isn't officially supported (as per the PAM as mentioned by Andy).
See https://service.sap.com/pam
Then look at the link in the middle of the page:
"Browser information for: SAP NETWEAVER 7.0, SAP EHP1 FOR SAP NETWEAVER 7.0 and SAP EHP2 FOR SAP NETWEAVER 7.0 "
This opens a PDF showing official support dependencies between browser versions and SAP versions and patch levels.
EHP3=Netweaver 7.00
EHP4=Netweaver 7 EHP1 (a.k.a. 7.01)
EHP5=Netweaver 7 EHP2 (a.k.a 7.02)
To see what patch level you're running log into the SAP GUI on the eRecruitment system, then select System->Status...
from the menu. Click the detail (magnifying glass icon on the right next to Component Version). Then look at the patch
level of the SAP_BASIS component. Compare this to the patch levels in the browser support PDF to see which versions
to upgrade to e.g. SP24 or higher for IE9 support.
We're currently patching our EHP3 system up to SP25 to help with IE9. Firefox 8 is working (as is Firefox 9 beta).
Sadly Safari and Chrome still aren't working and this is the latest patch level. SP26 is mentioned but not out yet.
Also check the browser roadmap on p17 of the browser support PDF. It makes clear they intend to support Safari and Chrome
going forward but no timescale is given.
George
-
Problems upgrading ASA 5505 memory
I am trying to get experience with 8.4 code on my 5505. I purchased a Cisco 512MB memory upgrade and installed it. It booted up once and I thought I was ok. I then looked down and noticed that all lights were blinking on the front panel and I had no console access.
Since I don't have smartnet on my personal 5505, calling TAC for help isn't an option. That is why I spent extra money on Cisco memory but it looks like that didn't help. I am assuming all blinking lights isn't a good thing but I haven't been able to find an explanation.
I will try reseating the memory to see if that is the problem. I put the ASA on an anti-static mat and had it and myself properly grounded.
If this doesn't fix it, I will return the Cisco memory to the vendor and go back to the original installed memory. The ASA 5505 worked fine on 8.2.5.
Would appreciate any suggestions,
Ron
Ronald and James,
It has been over a month since you posted, so perhaps your issue was resolved. I actually experienced the exact same issue with my personal ASA 5505 today following an upgrade to 512MB. What really surprised me was James' comment that his worked for about 12 hours and stopped. That's exactly what happened to me today. It might have been 13 hours, but it was definitely in the ballpark.
The first thing I did was just disconnect power and re-connect the power to see if it magically went away. (I've never had to cycle the power on my ASA before, so I was not hopeful this would work. In fact, I was glad it did not work, as that would concern me even more.)
The next thing I did was disconnect everything, open the case, remove the RAM, blow out all of the dust using compressed air, and then re-install the RAM. So far, so good, but it has only been 15 minutes.
I'll keep an eye on this, obviously, but I am nonetheless curious to hear more about your situations. Were you able to resolve the problem permanently or were you unable to make the upgrade to 512MB?
UPDATE - My ASA continued to have issues with the new RAM module. It turned out to be a defective SIMM. I contacted the seller and returned the defective SIMM. They sent a new one and it works just fine.
-
Upgrading ASA (5520) from 8.2(5) to 8.4(6)
Hi All,
I'm planning to upgrade my failover firewalls active/standby from 8.2.5 to 8.4.6. I read about the NAT and I think I'm ready for it, cross fingers.
My plan is:
Upload the 8.4.6 and ASDM 7.1.3 for both firewalls, then assign the boot and ASDM image to the new files. After that, on the active firewall, reload the standby and wait until it's up and running (cross fingers again), then force the active to be standby and reload the standby to get the new 8.4.6.
Am I right about that? Or should I upgrade to 8.3.1 or 8.3.1 first? If so, can you please give me the full upgrade path?
Thanks in advance!!!
I don't know if I'm going to answer your question. But here is my latest experience, about a year ago. I just performed an upgrade from 8.0.x to 8.4.4.1 on a pair of ASA 5510's in failover using CLI. The upgrade seemed to go smoothly from our end, but all connections did drop. We followed these steps here. NAT wasn't an issue for us.
Point is, there really isn't an upgrade path. Just reload the stand-by unit, make it the active unit and watch the connections. Ours dropped, don't know why.
Don't know if that helps,
Nick
-
Advice on upgrading ASA 5510 from version 8.4(4)1
Hello all,
Due to an issue we need to upgrade our ASA. Cisco Support team recommended upgrading to version 8.4.7, but, as we'll upgrade, we'd like to upgrade to version 9.
We still use Cisco VPN Client for Remote Access VPNs so I'd like your advice on which version to install on ASA.
Would you recommend version 9.0.3? 9.1.X?
Thanks in advance,
Igor
We have a pretty huge ASA and ASASM complex, and we are just about finished upgrading from an assortment of 8.4.x, 8.5.x, and 8.6.x installs to 9.1.3 on everything. There is one gotcha on some systems in that there is a file system change or some sort of bug that is fixed in 8.4.5 I think. So you _may_ have to first upgrade to a newer version (8.4.7 would work) before going to 9.1.3.
Our Cisco team has recommended going to version 9.x, and this is supported by recent tickets I've had on our stuff still running on 8.x, as the TAC engineer often says we need to upgrade to version 9.
For our setup, we had some fatal bugs in 8.4.6 and 8.4.7 that kept us running 8.4.5 for a very long time on some equipment.
Anyway, I would recommend going to 9.1.3, which is one removed from the recently released 9.1.4. Our AnyConnect VPN complex has been on 9.1.3 for a few months now with no issues. Be sure to read the release notes thoroughly as 9.x changes some command contexts, new features, etc.
Graham
-
I have recently come upon a ticket that requires functionality from a later version of the ASA 5510 IOS firmware. Upon researching how to do this upgrade I got caught in a catch-22 where I am unable to download ASDM or the ASA software; apparently I need a service account? I'm looking at Cisco's software download page and searching ASDM, which then brings up links to two pages, which are ASA and ASDM. Can anyone verify that I do need a service account or point me in the right direction to get these software components?
Hello,
You need a Smartnet contract for the ASA. With that, you can register on the Cisco website and can download the necessary software. Reach out to a Cisco authorized reseller or your account rep for more details.
hth
MS
-
Hi is there anyone who knows how to upgrade an ASA license (the Security Plus License) using CSM 7.0?
CSM does not manage device licenses, so you cannot do it in CSM.
What you can do is use a FlexConfig to push the command "activation-key xxxx" from CSM, or use CLI to do it. It will not cause CSM problems because CSM will not see it in the config since it is not stored in there anyway.
I hope it helps.
PK
-
Just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I have copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it's not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.
Try this,
To upgrade/install the ASDM follow the example procedure,
ASA(config)# copy tftp flash
Address or name of remote host [x.x.x.x]?
Source filename [pix704.bin]? asdm-504.bin
Destination filename [asdm-504.bin]?
Accessing tftp://x.x.x.x/asdm-504.bin...!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/asdm-504.bin...
5958324 bytes copied in 165.460 secs (36111 bytes/sec)
ASA(config)#
ASA(config)# sh flash
Directory of flash:/
7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
// asdm-504.bin is now copied in the flash. Now we need to set PIX to use
// this image for loading ASDM.
ASA(config)# asdm image flash:/asdm-504.bin
// Last steps involve saving the running configuration to memory as we have
// made changes to boot files and reloading the PIX.
ASA(config)# write memory
Building configuration...
Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
4807 bytes copied in 3.20 secs (1602 bytes/sec)
[OK]
ASA(config)# reload
// Once PIX comes back up, we can verify that upgradation has been successful
// by using "show version" command.
Refer to the link ASDM Upgrade Procedure
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8
hope this helps.. all the best.. rate replies if found useful..
Raj
-
Hi all,
I am trying to upgrade an ASA-SSM-10 running version 5.1 software.
I have set up an FTP server using Serv-u and can connect to it successfully.
When I attempt to upgrade using the following command, I get the error below.
sensor(config)# upgrade ftp://[email protected]//IPS/IPS-K9-6.0-3-E1.pkg
The filename IPS-K9-6.0-3-E1.pkg is not a valid upgrade file type.
Continue with upgrade? []: yes
Error: execUpgradeSoftware : Connect failed
I have tried 2 FTP servers and receive the same error. I have tried 4 upgrade packages and receive the same error.
Does anyone have any advice on how to fix this issue?
Thank you
Greg
Your upgrade commands look correct. http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1243115
I've had some problems with Serv-U in the past year or so. I had to switch to FileZilla to perform my last upgrade.
http://filezilla-project.org/
- Bob
-
Windows 8 installation - Upgrade Assistant compatibility Issue - Bluetooth Win7 Suite
Having procured an on-line download of Windows 8, from the Microsoft web site, I am a little concerned about an incompatibility identified by the Microsoft
Upgrade Assistant; namely:-
"Bluetooth Win7 Suite (64) - Atheros Communications"
This incompatibility was identified after restoration of an original copy of the Windows 7 operating system, as installed by the manufacturer of my PC! (Recovered from an Acronis image).
That is, the operating system, prior to installation of any personal software, or external hardware, or drivers!
Hence, I can only assume, that "Bluetooth Win7 Suite (64)" is a sub component of one of the original components of the computer:
ASUS P8Z68-V LE Motherboard
NVIDIA Quadro 600 1024MB Professional Video Card
Intel i7 2600K Processor (3.4 GHz - no over-clocking)
16GB Corsair PC3-12800 1600MHz DDR3 Memory (4x4 GB sticks)
Qty 2 Sony 24x DVD-RW drives
Qty 2 120GB Corsair Force 3 SSD (No Raid)
Qty 1 1000GB 7200 HDD
Onboard High Definition Audio
My plan was to perform a clean installation of Windows 8, but I have no understanding what the implications of this incompatibility will be!
Namely, what the function of Bluetooth Win7 Suite (64), is! And what hardware it is associated with!
Whether a clean installation will work, without Bluetooth Win7 Suite (64)
Whether Windows 8 install will have onboard drivers, for all of the above hardware!
After installation of Windows 8, and installation of the manufacturer's latest drivers, for the Motherboard and Video Card, will I have to search elsewhere
for a driver for the Bluetooth Win7 Suite (64)
I would appreciate any advice on this matter!
Brian
Hi,
Based on my research, it seems that Bluetooth Win7 Suite (64) is a program developed by Atheros Communications.
So, do you have any Bluetooth device? Did you install it?
Please also check if it lists in Programs and Features.
However, if you do not have any Bluetooth device or you do not use this program, in my opinion, it will not affect the installation of Windows 8.
Hope this helps.
Jeremy Wu
TechNet Community Support
-
Upgrade ASA Software from 8.3.2 to 8.4.3
Hi,
Has anybody done an upgrade from an 8.3 version to the new version 8.4.3 who can give some hints or links to read?
I only have a production system and nothing to test and I don't want to get a nasty surprise...
Thanks a lot in advance
If you're already on 8.3(2) you've already gotten past the tricky bit - the new NAT syntax and access-list object use. There are some minor changes with identity NAT in going up to 8.4(3) as described here but that's about it as far as things to watch out for.
The TAC is quite helpful and it is a good idea to open a case proactively just to have them on hand to take a quick look at any issues that come up. The TAC security team deals with these upgrades every day and is very adept at zeroing in on the root cause of any issues you are having and setting things straight within a few minutes.
-
I have a Mac Mini running OS X v. 10.4.10.
1. Can I upgrade directly to Snow Leopard?
2. Will Adobe CS 2 applications still run?
lgonick wrote:
Does anyone happen to know if I can run it on two computers at once?
Almost surely not on two computers at once. You should read the license. Just occasionally I find a license that allows software to be installed on more than one computer as long it isn't used on more than one computer at the same time (it's as if they're licensing the software to a user and don't care which computer you run it on.) That's pretty rare anymore... I think you'll probably find it cannot be installed on more than one computer at a time.
On a related note... I do like Adobe's "upgrade" policy. You generally qualify to purchase at the "upgrade" price as long as you own any prior version... they don't seem to require that you own the most recent previous version (in other words, I'm pretty sure that by owning CS2 you qualify to buy CS4 at the "upgrade" price without having owned CS3.)