
Asa Upgrade

This document provides guidelines for upgrading Cisco ASA devices and related software. It includes: - Checking compatibility between ASA, ASDM, and ASA FirePOWER versions. - Identifying the required upgrade path between versions, which may involve intermediate upgrades. - Guidelines for upgrading standalone devices, failover pairs, clusters, and ASA FirePOWER modules. - Instructions for downloading necessary software files from Cisco.com. - Important preparation steps like backing up configurations and reviewing release notes for upgrade limitations. The checklist helps plan the upgrade by identifying the current versions, required target versions, and any intermediate steps between them based on the device model and configuration. Careful planning using this information

Uploaded by

nakeu

Cisco ASA Upgrade Guide

Last Modified: 2018-10-25

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2018 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Planning Your Upgrade 1


ASA Upgrade Checklist 1
Compatibility 3
ASA and ASDM Compatibility Per Model 3
ASA 9.10 to 9.5 4

ASA 9.4 to 9.3 5

ASA 9.2 to 9.1 6

ASA and ASA FirePOWER Module Compatibility 7


FMC-Device Version Compatibility 11
Firepower 4100/9300 Compatibility with the ASA or Firepower Threat Defense 12
Radware DefensePro Compatibility 15
Upgrade Path 15
ASA Upgrade Path 15
ASA FirePOWER Upgrade Path with ASDM 22
ASA FirePOWER Upgrade Path: with FMC 24
Firepower Management Center Upgrade Path 25
Firepower 4100/9300 Upgrade Path 27

Download the Software from Cisco.com 28


Download ASA Software 28
Download ASA FirePOWER Software 35
Download Firepower Management Center Software 37
Download from the FMC Updates Page 37
Firepower Management Center Upgrade Packages 38
Download Guidelines for High Availability FMCs 39
FXOS for Firepower 4100/9300 Chassis Upgrade Packages 39
Important Guidelines Before You Upgrade 40


ASA Upgrade Guidelines 40


Version-Specific Guidelines and Migrations 40
Clustering Guidelines 46
Failover Guidelines 49
Additional Guidelines 49
Firepower Management Center Upgrade Guidelines 49
FXOS Upgrade Guidelines 49
Back Up Your Configurations 50

CHAPTER 2 Upgrade the ASA Appliance or ASAv 51

Upgrade the ASA 5500-X, ASAv, ASASM, or ISA 3000 51

Upgrade a Standalone Unit 51


Upgrade a Standalone Unit Using the CLI 51
Upgrade a Standalone Unit from Your Local Computer Using ASDM 53
Upgrade a Standalone Unit Using the ASDM Cisco.com Wizard 54
Upgrade an Active/Standby Failover Pair 56
Upgrade an Active/Standby Failover Pair Using the CLI 56
Upgrade an Active/Standby Failover Pair Using ASDM 58
Upgrade an Active/Active Failover Pair 60
Upgrade an Active/Active Failover Pair Using the CLI 60
Upgrade an Active/Active Failover Pair Using ASDM 63
Upgrade an ASA Cluster 64
Upgrade an ASA Cluster Using the CLI 65
Upgrade an ASA Cluster Using ASDM 70
Upgrade the ASA on the Firepower 2100 72

Upgrade a Standalone Unit 72


Upgrade a Standalone Unit Using the Firepower Chassis Manager 72
Upgrade a Standalone Unit Using the FXOS CLI 73
Upgrade an Active/Standby Failover Pair 75
Upgrade an Active/Standby Failover Pair Using the Firepower Chassis Manager 75
Upgrade an Active/Standby Failover Pair Using the FXOS CLI 77
Upgrade an Active/Active Failover Pair 82
Upgrade an Active/Active Failover Pair Using the Firepower Chassis Manager 82
Upgrade an Active/Active Failover Pair Using the FXOS CLI 83


CHAPTER 3 Upgrade the ASA FirePOWER Module 89


ASA FirePOWER Upgrade Behavior 89
Upgrade an ASA FirePOWER Module Managed by ASDM 90
Upgrade the Firepower Management Center 91
Upgrade a Standalone FMC 92
Upgrade High Availability FMCs 93
Upgrade an ASA FirePOWER Module Managed by FMC 94

CHAPTER 4 Upgrade the Firepower 4100/9300 Chassis Configured with ASA Logical Devices 97
Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster 97
Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster Using Firepower Chassis
Manager 97
Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster Using the FXOS CLI 98
Upgrade FXOS and an ASA Active/Standby Failover Pair 102
Upgrade FXOS and an ASA Active/Standby Failover Pair Using Firepower Chassis Manager 102
Upgrade FXOS and an ASA Active/Standby Failover Pair Using the FXOS CLI 104
Upgrade FXOS and an ASA Active/Active Failover Pair 112
Upgrade FXOS and an ASA Active/Active Failover Pair Using Firepower Chassis Manager 112
Upgrade FXOS and an ASA Active/Active Failover Pair Using the FXOS CLI 115
Upgrade FXOS and an ASA Inter-chassis Cluster 124
Upgrade FXOS and an ASA Inter-chassis Cluster Using Firepower Chassis Manager 124
Upgrade FXOS and an ASA Inter-chassis Cluster Using the FXOS CLI 126
Monitor the Upgrade Progress 131
Verify the Installation 132

CHAPTER 1
Planning Your Upgrade
Before upgrading the ASA, you should perform the following preparation:
• Check compatibility between different versions of operating systems; for example, make sure that the
ASA version is compatible with the ASA FirePOWER module version.
• Check the upgrade path for the current version to the target version; ensure you plan for any intermediate
versions required for each operating system.
• Check for guidelines and limitations that affect your intermediate and target versions, or that affect
failover and clustering zero downtime upgrading.
• Download all software packages required from Cisco.com.
• Back up your configurations, especially if there is a configuration migration.

The following topics explain how to upgrade your ASA.


• ASA Upgrade Checklist, on page 1
• Compatibility, on page 3
• Upgrade Path, on page 15
• Download the Software from Cisco.com, on page 28
• Important Guidelines Before You Upgrade, on page 40
• Back Up Your Configurations, on page 50

ASA Upgrade Checklist


To plan your upgrade, use this checklist.
1. ASA model (ASA Upgrade Path, on page 15): _____________________
Current ASA version (ASA Upgrade Path, on page 15): _____________________
2. Check the ASA/ASDM compatibility per model (ASA and ASDM Compatibility Per Model, on page
3).
Target ASA version: _____________________
Target ASDM version: _____________________
3. Check the upgrade path for ASA (ASA Upgrade Path, on page 15). Are there intermediate versions
required? Yes _____ No _____


If yes, intermediate ASA version(s): ______________________________________________________


4. Download the target and intermediate ASA/ASDM versions (Download ASA Software, on page 28).

Note ASDM is included in the ASA for FXOS package.

5. Do you have an ASA FirePOWER module? Yes _____ No _____


If yes:
1. Current ASA FirePOWER version: _____________________
View your current version: ASDM (ASA FirePOWER Upgrade Path with ASDM, on page 22) or
Firepower Management Center (Firepower Management Center Upgrade Path, on page 25).
2. Check ASA/FirePOWER compatibility (ASA and ASA FirePOWER Module Compatibility, on page
7).
Target ASA FirePOWER version: _____________________
3. Check the upgrade path for ASA FirePOWER (ASA FirePOWER Upgrade Path with ASDM, on page
22 or ASA FirePOWER Upgrade Path: with FMC, on page 24). Are there intermediate versions
required? Yes _____ No _____
If yes, intermediate ASA FirePOWER version(s):
______________________________________________________
4. Download the target and intermediate ASA FirePOWER versions (Download ASA FirePOWER
Software, on page 35).
5. Do you manage the module using the Firepower Management Center? Yes _____ No _____
If yes:
1. Firepower Management Center model (Firepower Management Center Upgrade Path, on page
25): _____________________
Current Firepower Management Center version (Firepower Management Center Upgrade Path,
on page 25): _____________________
2. Check the upgrade path for the Firepower Management Center (Firepower Management Center
Upgrade Path, on page 25). Are there intermediate versions required? Yes _____ No _____
If yes, intermediate ASA FirePOWER version(s):
______________________________________________________
3. Check the Firepower Management Center compatibility with managed devices (FMC-Device
Version Compatibility, on page 11). Make sure you plan to upgrade the ASA FirePOWER module
in step with the Firepower Management Center upgrades.
4. Download the target and intermediate versions for the Firepower Management Center (Firepower
Management Center Upgrade Packages, on page 38).

6. Is your ASA model a Firepower 4100 or 9300? Yes _____ No _____


If yes:


1. Current FXOS version (Firepower 4100/9300 Upgrade Path, on page 27): _____________________
2. Check ASA/Firepower 4100 and 9300 compatibility (Firepower 4100/9300 Compatibility with the
ASA or Firepower Threat Defense, on page 12).
Target FXOS version: _____________________
3. Check the upgrade path for FXOS (Firepower 4100/9300 Upgrade Path, on page 27). Are there
intermediate versions required? Yes _____ No _____
If yes, intermediate FXOS versions: ______________________________________________________
Make sure you plan to upgrade the ASA in step with the FXOS upgrades to stay compatible.
Intermediate ASA versions required to stay compatible during the upgrade:
______________________________________________________
4. Download the target and intermediate FXOS version (FXOS for Firepower 4100/9300 Chassis Upgrade
Packages, on page 39).
Download the intermediate ASA versions (Download ASA Software, on page 28).
5. Do you use the Radware DefensePro decorator application? Yes _____ No _____
If yes:
1. Current DefensePro version: _____________________
2. Check ASA/FXOS/DefensePro compatibility (Radware DefensePro Compatibility, on page 15).
Target DefensePro version: _____________________
3. Download the target DefensePro version.

7. Check upgrade guidelines for each operating system.


• ASA Upgrade Guidelines, on page 40.
• ASA FirePOWER guidelines: see the FMC Upgrade Guide.
• Firepower Management Center guidelines: see the FMC Upgrade Guide.
• FXOS guidelines: see the FXOS Release Notes for each intermediate and target version.

8. Back up your configurations. See the configuration guide for each operating system for backup methods.

Compatibility
This section includes tables showing the compatibility between platforms, operating systems, and applications.

ASA and ASDM Compatibility Per Model


The following tables list ASA and ASDM compatibility for current models. For older versions and models,
see Cisco ASA Compatibility.


ASA 9.10 to 9.5


Releases in bold are the recommended versions.

Table 1: ASA and ASDM Compatibility: 9.10 to 9.5

| ASA | ASDM | ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X | ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X | ASA 5585-X | ASAv | ASASM | ASA on Firepower 2110, 2120, 2130, 2140 | ASA on Firepower 4110, 4120, 4140, 4150 | ASA on Firepower 9300 | ISA 3000 |
|---|---|---|---|---|---|---|---|---|---|---|
| 9.10(1) | 7.10(1)+ | YES | YES | YES | YES | YES | YES | YES | YES | YES |
| 9.9(2) | 7.9(2)+ | YES | YES | YES | YES | YES | YES | YES | YES | YES |
| 9.9(1) | 7.9(1)+ | YES | YES | YES | YES | YES | YES | YES | YES | YES |
| 9.8(2) | 7.8(2)+ | YES | YES | YES | YES | YES | YES | YES | YES | YES |
| 9.8(1.200) | No support | — | — | — | YES | — | — | — | — | — |
| 9.8(1) | 7.8(1)+ | YES | YES | YES | YES (+ASAv50) | YES | — | YES | YES | YES |
| 9.7(1.4) | 7.7(1)+ | YES | YES | YES | YES | YES | — | YES | YES | YES |
| 9.6(4) | 7.9(1)+ | YES | YES | YES | YES | YES | — | YES | YES | YES |
| 9.6(3.1) | 7.7(1)+ | YES | YES | YES | YES | YES | — | YES | YES | YES |
| 9.6(2) | 7.6(2)+ | YES | YES | YES | YES | YES | — | YES | YES | YES |
| 9.6(1) | 7.6(1)+ | YES | YES | YES | YES | YES | — | YES (except 4150) | YES | YES |
| 9.5(3.9) | 7.6(2)+ | YES | YES | YES | YES | YES | — | — | — | YES |
| 9.5(2.200) | 7.5(2.153)+ | — | — | — | YES | — | — | — | — | — |
| 9.5(2.2) | 7.5(2)+ | — | — | — | — | — | — | — | YES | — |
| 9.5(2.1) | 7.5(2)+ | — | — | — | — | — | — | — | YES | — |
| 9.5(2) | 7.5(2)+ | YES | YES | YES | YES | YES | — | — | — | YES |
| 9.5(1.200) | 7.5(1)+ | — | — | — | YES | — | — | — | — | — |
| 9.5(1.5) | 7.5(1.112)+ | YES | YES | YES | YES | YES | — | — | — | — |
| 9.5(1) | 7.5(1)+ | YES | YES | YES | YES | YES | — | — | — | — |

ASA 9.4 to 9.3


Table 2: ASA and ASDM Compatibility: 9.4 to 9.3

| ASA | ASDM | ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X | ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X | ASA 5585-X | ASAv | ASASM | ASA on Firepower 9300 | ISA 3000 |
|---|---|---|---|---|---|---|---|---|
| 9.4(4.5) | 7.6(2)+ | YES | YES | YES | YES | YES | — | — |
| 9.4(3) | 7.6(1)+ | YES | YES | YES | YES | YES | — | — |
| 9.4(2.146) | 7.5(1.112)+ | — | — | — | — | — | YES | — |
| 9.4(2.145) | 7.5(1.112)+ | — | — | — | — | — | YES | — |
| 9.4(2) | 7.5(1)+ | YES | YES | YES | YES | YES | — | — |
| 9.4(1.225) | 7.5(1)+ | — | — | — | — | — | — | YES |
| 9.4(1.200) | 7.4(2)+ | — | — | — | YES | — | — | — |
| 9.4(1.152) | 7.4(3)+ | — | — | — | — | — | YES | — |
| 9.4(1) | 7.4(1)+ | YES | YES | YES | YES | YES | — | — |
| 9.3(3.8) | 7.4(1)+ | YES | YES | YES | YES | YES | — | — |
| 9.3(3) | 7.4(1)+ | YES | YES | YES | YES | YES | — | — |
| 9.3(2.200) | 7.3(2)+ | — | — | — | YES | — | — | — |
| 9.3(2) | 7.3(3)+ | YES (5506-X only) | YES | YES | YES | YES | — | — |
| 9.3(2) | 7.3(2)+ | YES (5506-X only) | YES | YES | YES | YES | — | — |
| 9.3(1) | 7.3(1)+ | — | YES | YES | YES | YES | — | — |

ASA 9.2 to 9.1


Table 3: ASA and ASDM Compatibility: 9.2 to 9.1

| ASA | ASDM | ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X | ASA 5585-X | ASAv | ASASM |
|---|---|---|---|---|---|
| 9.2(4.5) | 7.4(3)+ | YES | YES | YES | YES |
| 9.2(4) | 7.4(3)+ | YES | YES | YES | YES |
| 9.2(3) | 7.3(1.101)+ | YES | YES | YES | YES |
| 9.2(2.4) | 7.2(2)+ | YES | YES | YES | YES |
| 9.2(1) | 7.2(1)+ | YES | YES | YES | YES |
| 9.1(7.4) | 7.5(2)+ | YES | YES | — | YES |
| 9.1(6) | 7.1(7)+ | YES | YES | — | YES |
| 9.1(5) | 7.1(6)+ | YES | YES | — | YES |
| 9.1(4) | 7.1(5)+ | YES | YES | — | YES |
| 9.1(3) | 7.1(4)+ | YES | YES | — | YES |
| 9.1(2) | 7.1(3)+ | YES | YES | — | YES |
| 9.1(1) | 7.1(1)+ | YES | YES | — | YES |

ASA and ASA FirePOWER Module Compatibility


Compatibility Table
The following table shows the ASA, ASDM, and ASA FirePOWER support.

Table 4: ASA and ASA FirePOWER Compatibility

| ASA FirePOWER Version | ASDM Version (for local management) | ASA Version | ASA 5506-X Series | ASA 5508-X, 5516-X | ASA 5512-X | ASA 5515-X, 5525-X, 5545-X, 5555-X | ASA 5585-X (See below for SSP notes) | ISA 3000 |
|---|---|---|---|---|---|---|---|---|
| 6.3.0 | ASDM 7.10(1)+ | ASA 9.10(x); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(2), 9.5(3) | — | YES | — | YES | YES | YES |
| 6.2.3 | ASDM 7.9(2)+ | ASA 9.10(x) (No 5506-X, 5512-X); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(2), 9.5(3) (No 5506-X) | YES | YES | YES | YES | YES | — |
| 6.2.2 | ASDM 7.8(2)+ | ASA 9.10(x) (No 5506-X, 5512-X); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(2), 9.5(3) (No 5506-X) | YES | YES | YES | YES | YES | — |
| 6.2.0 | ASDM 7.7(1)+ | ASA 9.10(x) (No 5506-X, 5512-X); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(2), 9.5(3) (No 5506-X) | YES | YES | YES | YES | YES | — |
| 6.1.0 | ASDM 7.6(2)+ | ASA 9.10(x) (No 5506-X, 5512-X); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(2), 9.5(3) (No 5506-X) | YES | YES | YES | YES | YES | — |
| 6.0.1 | ASDM 7.6(1)+ (no ASA 9.4(x) support) | ASA 9.6(x); ASA 9.5(1.5), 9.5(2), 9.5(3); ASA 9.4(x). Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later. | YES | YES | YES | YES | YES | — |
| 6.0.0 | ASDM 7.5(1.112)+ (no ASA 9.4(x) support) | ASA 9.6(x); ASA 9.5(1.5), 9.5(2), 9.5(3); ASA 9.4(x). Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later. | YES | YES | YES | YES | YES | — |
| 5.4.1.7+ | ASDM 7.5(1.112)+ (no ASA 9.4(x) support) | ASA 9.10(x) (No 5506-X, 5512-X); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(2), 9.5(3); ASA 9.4(x); ASA 9.4(1.225) (ISA 3000 only); ASA 9.3(2), 9.3(3) (no 5508-X or 5516-X). Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later. | YES | YES | YES | — | — | YES |
| 5.4.1 | ASDM 7.3(3)+ | ASA 9.10(x) (No 5506-X, 5512-X); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(1.5), 9.5(2), 9.5(3); ASA 9.4(x); ASA 9.3(2), 9.3(3) (5506-X only). Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later. | YES | YES | YES | — | — | — |
| 5.4.0.2+ | — | ASA 9.10(x); ASA 9.9(x); ASA 9.8(x); ASA 9.7(x); ASA 9.6(x); ASA 9.5(1.5), 9.5(2), 9.5(3); ASA 9.4(x); ASA 9.3(2), 9.3(3). Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later. | — | — | YES | YES | YES | — |
| 5.4.0.1 | — | ASA 9.2(2.4), 9.2(3), 9.2(4). Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later. | — | — | YES | YES | YES | — |
| 5.3.1 | — | ASA 9.2(2.4), 9.2(3), 9.2(4). Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later. | — | — | YES | YES | YES | — |

ASA 5585-X SSP Compatibility


Same level SSPs
ASA FirePOWER SSP -10, -20, -40, and -60
Requirements: Install in slot 1, with matching-level ASA SSP in slot 0
Mixed level SSPs
Support for the following combinations starts with version 5.4.0.1.
• ASA SSP-10/ASA FirePOWER SSP-40
• ASA SSP-20/ASA FirePOWER SSP-60
• ASA SSP-40/ASA FirePOWER SSP-60

Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1

Note For the SSP40/60 combination, you might see an error message that this combination is not supported. You
can ignore the message.

FMC-Device Version Compatibility


Before you upgrade the Firepower Management Center, make sure the upgraded FMC will be able to manage
its current devices. If it will not be able to, upgrade the devices first. You cannot upgrade a device past the
FMC's own major version.


Note that you can patch a device without patching the FMC, and vice versa. However, we always recommend
you upgrade both. This allows you to take advantage of any new features and bug fixes.
This table lists the major FMC versions, and the major versions of devices they can manage. Find your current
major version in the first column, then read across to determine which devices you can manage.

Table 5: FMC-Device Version Compatibility

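| FMC Version | Device 6.3 | Device 6.2.3 | Device 6.2.2 | Device 6.2.1 | Device 6.2.0 | Device 6.1 | Device 6.0.1 | Device 6.0 | Device 5.4.1 | Device 5.4.0 | Device 5.3.1 | Device 5.3.0 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6.3 | Yes | Yes | Yes | Yes | Yes | Yes | — | — | — | — | — | — |
| 6.2.3 | — | Yes | Yes | Yes | Yes | Yes | — | — | — | — | — | — |
| 6.2.2 | — | — | Yes | Yes | Yes | Yes | — | — | — | — | — | — |
| 6.2.1 | — | — | — | Yes | Yes | Yes | — | — | — | — | — | — |
| 6.2.0 | — | — | — | — | Yes | Yes | — | — | — | — | — | — |
| 6.1 | — | — | — | — | — | Yes | Yes | Yes | Yes* | Yes* | — | — |
| 6.0.1 | — | — | — | — | — | — | Yes | Yes | Yes* | Yes* | — | — |
| 6.0 | — | — | — | — | — | — | — | Yes | Yes* | Yes* | — | — |
| 5.4.1 | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes |
| 5.4.0 | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes |
| 5.3.1 | — | — | — | — | — | — | — | — | — | — | Yes | Yes |
| 5.3.0 | — | — | — | — | — | — | — | — | — | — | — | Yes |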

* A device must be running at least Version 5.4.0.2/5.4.1.1 to be managed by a Version 6.0, 6.0.1, or 6.1
FMC.

Firepower 4100/9300 Compatibility with the ASA or Firepower Threat Defense


The following table lists compatibility between the ASA OS or Firepower Threat Defense OS with FXOS
and Firepower models.
The ASA and Firepower Threat Defense versions in bold are companion releases to the FXOS version; for
a given FXOS version, use the application version listed in bold. Use older compatible versions of the
application only in the context of upgrades. Note that for upgrade-compatible versions, you may be prompted
that the application version is not compatible with the new FXOS version; in this case, indicate Yes to continue
with the upgrade. You are expected to upgrade the application version as soon as possible.
The FXOS versions with (EoL) appended have reached their end of life (EoL), or end of support


Note Firepower 2100 series appliances utilize FXOS only as an underlying operating system that is included in the
ASA and Firepower Threat Defense unified image bundles.

Table 6: ASA or Firepower Threat Defense, and Firepower 4100/9300 Compatibility

| FXOS Version | Firepower Model | ASA OS | Firepower Threat Defense OS |
|---|---|---|---|
| 2.4(1) | Firepower 4150; Firepower 4140; Firepower 4120; Firepower 4110; Firepower 9300 SM-44; Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.10(1); 9.9(2); 9.9(1); 9.8(x); 9.6(3). Note: 9.7(x) is not supported. | 6.3.0 (Note: FTD 6.3.0 requires FXOS 2.4.1.214 or later.); 6.2.3; 6.2.2; 6.2.0; 6.1.0 |
| 2.3(1) | Firepower 4150; Firepower 4140; Firepower 4120; Firepower 4110; Firepower 9300 SM-44; Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.9(2); 9.9(1); 9.8(x); 9.7(x); 9.6(3) | 6.2.3; 6.2.2; 6.2.0; 6.1.0 |
| 2.2(2) | Firepower 4150; Firepower 4140; Firepower 4120; Firepower 4110; Firepower 9300 SM-44; Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.8(x) | 6.2.2; 6.2.0 |
| 2.2(1) | Firepower 4150; Firepower 4140; Firepower 4120; Firepower 4110; Firepower 9300 SM-44; Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.8(1); 9.7(x). Note: 9.7(1.15) or later is required for flow offload. | 6.2.0. Note: 6.2.0.3 or later is required for flow offload. |
| 2.1(1) | Firepower 4150; Firepower 4140; Firepower 4120; Firepower 4110; Firepower 9300 SM-44; Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.7(x); 9.6(2), 9.6(3) | 6.2.0; 6.1.0 |
| 2.0(1) | Firepower 4150; Firepower 4140; Firepower 4120; Firepower 4110; Firepower 9300 SM-44; Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.6(2), 9.6(3); 9.6(1) | 6.1.0; 6.0.1 |
| 1.1(4) | Firepower 4140; Firepower 4120; Firepower 4110; Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.6(1); 9.5(2), 9.5(3) | 6.0.1 |
| 1.1(3) | Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.5(2), 9.5(3); 9.4(2) | — |
| 1.1(2) | Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.4(2); 9.4(1) | — |
| 1.1(1) (EoL) | Firepower 9300 SM-36; Firepower 9300 SM-24 | 9.4(1) | — |

Radware DefensePro Compatibility


The following table lists the Radware DefensePro and Firepower compatibility.

Table 7: Radware DefensePro Compatibility

| DefensePro Version | FXOS Version | ASA Version | Firepower Threat Defense Version | Firepower 9300 | Firepower 4110 | Firepower 4120 | Firepower 4140 | Firepower 4150 |
|---|---|---|---|---|---|---|---|---|
| 8.13.01 | 2.4(1); 2.3(1) | 9.10(1); 9.9(1) | 6.2.3; 6.2.2 | YES | YES (No ASA support with FXOS 2.3.1) | YES | YES | YES |
| 8.10.01.17-2 | 2.2(2); 2.2(1); 2.1(1) | 9.8(x); 9.7(1) | 6.2.2; 6.2.0 | YES | YES (No ASA support) | YES | YES | YES |
| 8.10.01.16-5 | 2.1(1); 2.0(1) | 9.7(1); 9.6(2), 9.6(3) | — | YES | — | YES | YES | YES |
| 1.1(2.32-3) | 1.1(4) | 9.6(1) | — | YES | — | — | — | — |

Upgrade Path
For each operating system that you are upgrading, check the supported upgrade path. In some cases, you may
have to install interim upgrades before you can upgrade to your final version.

ASA Upgrade Path


To view your current version and model, use one of the following methods:
• CLI—Use the show version command.
• ASDM—Choose Home > Device Dashboard > Device Information.

See the following table for the upgrade path for your version. Some older versions require an intermediate
upgrade before you can upgrade to a newer version. Recommended versions are in bold.


| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.9(x) | — | Any of the following: 9.10(x); 9.9(x) |
| 9.8(x) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x) |
| 9.7(x) | — | Any of the following: 9.9(x); 9.8(x); 9.7(x) |
| 9.6(x) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x) |
| 9.5(x) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x) |
| 9.4(x) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x) |
| 9.3(x) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x) |
| 9.2(x) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.6(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.5(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(5+) | — | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(1) through 8.4(4) | Any of the following: → 9.0(2), 9.0(3), or 9.0(4); → 8.4(6) | 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.3(x) | → 8.4(6) | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.2(x) and earlier | → 8.4(6) | Any of the following: 9.10(x); 9.9(x); 9.8(x); 9.7(x); 9.6(x); 9.5(x); 9.4(x); 9.3(x); 9.2(x); 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |

ASA FirePOWER Upgrade Path with ASDM


This table provides upgrade paths for ASA FirePOWER modules, managed by ASDM. If you cannot perform
a direct upgrade from your current to the target version, your upgrade path must include intermediate versions
as noted.
View your current version in ASDM by choosing Home > ASA FirePOWER Dashboard.


Note The ASA 5506-X series and the ASA 5512-X do not support the ASA FirePOWER module running ASA
9.10(1) with any Firepower version.

Note Upgrading to Version 6.0 requires a preinstallation package. For more information, see FireSIGHT System
Release Notes Version 6.0.0 Preinstallation.

| Current Version | Intermediate Versions | Target Version |
|---|---|---|
| 6.2.3 (Last supported Firepower version for ASA 5506-X series and the ASA 5512-X.) | — | To: 6.3.0 |
| 6.2.2 | — | To one of: 6.3.0; 6.2.3 |
| 6.2.1 (Not supported on this platform.) | — | — |
| 6.2.0 | — | To one of: 6.3.0; 6.2.3; 6.2.2 |
| 6.1.0 | → 6.2.0 | To one of: 6.3.0; 6.2.3; 6.2.2 |
| 6.0.1 | To: → 6.1.0 → 6.2.0 | To one of: 6.3.0; 6.2.3; 6.2.2 |
| 6.0.0 | To: → 6.0.1 → 6.1.0 → 6.2.0 | To one of: 6.3.0; 6.2.3; 6.2.2 |
| 5.4.0.2 or 5.4.1.1 | To: → 6.0.0 → 6.0.1 → 6.1.0 → 6.2.0 | To one of: 6.3.0; 6.2.3; 6.2.2 |
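
The ASDM-managed upgrade path table above, worked as a path planner. This is an added example, not Cisco code: treating each table row as a set of direct-upgrade edges is an assumption of the example, and the names `DIRECT_UPGRADES`, `plan_path` and `plan_steps` are hypothetical.

```python
from collections import deque

# Direct upgrades for an ASDM-managed ASA FirePOWER module, transcribed from
# the table above. Modelling the rows as graph edges is this example's
# assumption, not a Cisco data format.
DIRECT_UPGRADES = {
    "5.4.0.2": ["6.0.0"],
    "5.4.1.1": ["6.0.0"],
    "6.0.0": ["6.0.1"],
    "6.0.1": ["6.1.0"],
    "6.1.0": ["6.2.0"],
    "6.2.0": ["6.3.0", "6.2.3", "6.2.2"],
    "6.2.2": ["6.3.0", "6.2.3"],
    "6.2.3": ["6.3.0"],
    "6.3.0": [],
}
NOT_SUPPORTED = {"6.2.1"}        # table: "Not supported on this platform."
PREINSTALL_REQUIRED = {"6.0.0"}  # note: Version 6.0 needs a preinstallation package
CAPPED_LAST_VERSION = "6.2.3"    # last version for ASA 5506-X series and ASA 5512-X


def version_key(version):
    """Turn '6.2.3' into (6, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_capped_model(model):
    """True for the ASA 5506-X series (5506-X, 5506H-X, 5506W-X) and ASA 5512-X."""
    name = model.upper().replace("ASA", "").strip()
    return name.startswith("5506") or name.startswith("5512")


def plan_path(current, target, model=None):
    """Return the shortest list of versions from current to target, inclusive.

    Raises ValueError when a version is not in the table, when the target is
    past the last version supported on the given model, or when no forward
    path exists (for example, a downgrade).
    """
    for version in (current, target):
        if version in NOT_SUPPORTED:
            raise ValueError(f"{version} is not supported on this platform")
        if version not in DIRECT_UPGRADES:
            raise ValueError(f"{version} is not in the upgrade path table")
    if model and is_capped_model(model):
        if version_key(target) > version_key(CAPPED_LAST_VERSION):
            raise ValueError(
                f"{model}: last supported version is {CAPPED_LAST_VERSION}"
            )
    # Breadth-first search returns the path with the fewest upgrade steps.
    queue = deque([[current]])
    seen = {current}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in DIRECT_UPGRADES[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    raise ValueError(f"no supported upgrade path from {current} to {target}")


def plan_steps(path):
    """Render each hop, flagging the one that needs the preinstallation package."""
    steps = []
    for src, dst in zip(path, path[1:]):
        note = " (preinstallation package required)" if dst in PREINSTALL_REQUIRED else ""
        steps.append(f"{src} -> {dst}{note}")
    return steps


if __name__ == "__main__":
    # Constructed inputs: a module on 5.4.1.1 in an ASA 5516-X, target 6.2.3.
    for step in plan_steps(plan_path("5.4.1.1", "6.2.3", model="ASA 5516-X")):
        print(step)
```
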

ASA FirePOWER Upgrade Path: with FMC


This table provides upgrade paths for ASA FirePOWER modules, managed by a Firepower Management
Center. If you cannot perform a direct upgrade from your current to the target version, your upgrade path
must include intermediate versions as noted.

Note The ASA 5506-X series and the ASA 5512-X do not support the ASA FirePOWER module running ASA
9.10(1) with any Firepower version.

Note Upgrading to Version 6.0 requires a preinstallation package. For more information, see FireSIGHT System
Release Notes Version 6.0.0 Preinstallation.

| Current Version | Intermediate Versions | Target Version |
|---|---|---|
| 6.2.3 (Last supported Firepower version for ASA 5506-X series and the ASA 5512-X.) | — | To: 6.3.0 |
| 6.2.2 | — | To one of: 6.3.0; 6.2.3 |
| 6.2.1 (Not supported on this platform.) | — | — |
| 6.2.0 | — | To one of: 6.3.0; 6.2.3; 6.2.2 |
| 6.1.0 | — | To one of: 6.3.0; 6.2.3; 6.2.0 |
| 6.0.1 | To: → 6.1.0 | To one of: 6.3.0; 6.2.3; 6.2.0 |
| 6.0.0 | To: → 6.0.1 → 6.1.0 | To one of: 6.3.0; 6.2.3; 6.2.0 |
| 5.4.0.2 or 5.4.1.1 | To: → 6.0.0 → 6.0.1 → 6.1 | To one of: 6.3.0; 6.2.3; 6.2.0 |

Firepower Management Center Upgrade Path


This table provides upgrade paths for Firepower Management Centers, including FMCv. If you cannot perform
a direct upgrade from your current to the target version, your upgrade path must include intermediate versions
as noted.

Note: Upgrading to Version 6.0 and Version 6.0.1 requires a preinstallation package, as does upgrading from Version
6.2.x directly to Version 6.3 on some models.


Table 8: Firepower Management Center Upgrade Path

| Current Version | Intermediate Versions | Target Version |
|---|---|---|
| 6.2.3 | — | To: → 6.3.0 |
| 6.2.2 | — | To one of: → 6.3.0; → 6.2.3 |
| 6.2.1 | — | To one of: → 6.3.0; → 6.2.3; → 6.2.2 |
| 6.2.0 (First support for MC1000, 2500, 4500.) | — | To one of: → 6.3.0; → 6.2.3; → 6.2.2 |
| 6.1.0 (First support for FMCv: KVM.) | — | To one of: → 6.3.0; → 6.2.3; → 6.2.0 |
| 6.0.1 (First support for FMCv: AWS.) | To: → 6.1.0 | To one of: → 6.3.0; → 6.2.3; → 6.2.0 |
| 6.0.0 | To: → 6.0.1 → 6.1.0 | To one of: → 6.3.0; → 6.2.3; → 6.2.0 |
| 5.4.1.1 | To: → 6.0.0 → 6.0.1 → 6.1.0 | To one of: → 6.3.0; → 6.2.3; → 6.2.0 |


Firepower 4100/9300 Upgrade Path


To view your current version and model, use one of the following methods:
• Firepower Chassis Manager—Choose Overview, and look at the Model and Version fields at the top.
• CLI—For the version, use the show version command, and look at the Package-Vers: field. For the
model, enter scope chassis 1, and then show inventory.

Upgrade to 2.3 or Later


See the following table for the upgrade path for the Firepower 4100/9300 chassis for Version 2.3 and later.
For Version 2.3 and earlier, you can upgrade directly to the target version from the current version starting
with 2.0 and later.
You might also need to upgrade the application versions for any logical devices that you have installed. After
you upgrade FXOS, check the upgrade paths for your logical devices, and perform any necessary interim
upgrades. Also pay close attention to the supported application versions for the interim (if required) and target
FXOS releases (see Firepower 4100/9300 Compatibility with the ASA or Firepower Threat Defense, on page
12).

Table 9: Upgrade to 2.3 or Later

| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 2.3(1.x) | — | → 2.4(1.x) |
| 2.2(1.x) | — | Any of the following: → 2.4(1.x); → 2.3(1.x) |
| 2.1(1.x) | — | Any of the following: → 2.4(1.x); → 2.3(1.x) |
| 2.0(1.x) | — | Any of the following: → 2.4(1.x); → 2.3(1.x) |
| 1.1(4.x) | → 2.0(1.135) | Any of the following: → 2.4(1.x); → 2.3(1.x) |

Upgrade to 2.2 or Earlier


See the following table for the upgrade path for the Firepower 4100/9300 chassis up to Version 2.2. For
Version 2.2 and earlier, you must upgrade to all intermediate versions between the current version and the
target version.


You might also need to upgrade the application versions for any logical devices that you have installed. Pay
close attention to the supported application versions for each FXOS release (see Firepower 4100/9300
Compatibility with the ASA or Firepower Threat Defense, on page 12). Then perform any necessary interim
upgrades for your logical device.
For example, when upgrading from FXOS 1.1(4) to 2.2(2) with ASA, perform the following upgrades in
order:
1. FXOS: Upgrade from 1.1(4) to 2.0(1).
2. FXOS: Upgrade from 2.0(1) to 2.1(1).
3. ASA: Upgrade from 9.6(1) to 9.7(1).
4. FXOS: Upgrade from 2.1(1) to 2.2(1).
5. FXOS: Upgrade from 2.2(1) to 2.2(2).
6. ASA: Upgrade from 9.7(1) to 9.8(1).

Table 10: Upgrade to 2.2 or Earlier

| Current Version | Upgrade Path |
|---|---|
| 2.2(1.x) | → 2.2(2.17) |
| 2.1(1.x) | → 2.2(1.63) → 2.2(2.17) |
| 2.0(1.x) | → 2.1(1.64) → 2.2(1.63) → 2.2(2.17) |
| 1.1(4.x) | → 2.0(1.135) → 2.1(1.64) → 2.2(1.63) → 2.2(2.17) |

Download the Software from Cisco.com


Download all software packages from Cisco.com before you start your upgrade. Depending on the operating
system and whether you are using CLI or GUI, you should place the images on a server or on your management
computer. See each installation procedure for details on supported file locations.

Note: A Cisco.com login and Cisco service contract are required.

Download ASA Software


If you are using the ASDM Upgrade Wizard, you do not have to pre-download the software. If you are manually
upgrading, for example for a failover upgrade, download the images to your local computer.
For a CLI upgrade, you can put the software on many server types, including TFTP, HTTP, and FTP. See the
copy command in the ASA command reference.
ASA software can be downloaded from Cisco.com. This table includes naming conventions and information
about ASA packages.

| ASA Model | Download Location | Packages |
|---|---|---|
| ASA 5506-X, ASA 5508-X, and ASA 5516-X | http://www.cisco.com/go/asa-firepower-sw | |
| | ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The ASA software file has a filename like asa962-lfbff-k8.SPA. |
| | ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
| | REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
| | ROMMON Software: Choose your model > ASA Rommon Software > version. | The ROMMON software file has a filename like asa5500-firmware-1108.SPA. |
| ASA 5512-X through ASA 5555-X | http://www.cisco.com/go/asa-software | |
| | ASA Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Software > version. | The ASA software file has a filename like asa962-smp-k8.bin. |
| | ASDM Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
| | REST API Software: Choose your model > Software on Chassis > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
| | ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC): Choose your model > Software on Chassis > ASA for Application Centric Infrastructure (ACI) Device Packages > version. | For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide. |
| ASA 5585-X | http://www.cisco.com/go/asa-software | |
| | ASA Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Software > version. | The ASA software file has a filename like asa962-smp-k8.bin. |
| | ASDM Software: Choose your model > Software on Chassis > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
| | REST API Software: Choose your model > Software on Chassis > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
| | ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC): Choose your model > Software on Chassis > ASA for Application Centric Infrastructure (ACI) Device Packages > version. | For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide. |
| ASAv | http://www.cisco.com/go/asav-software | |
| | ASA Software (Upgrade): Choose Adaptive Security Appliance (ASA) Software > version. | The ASAv upgrade file has a filename like asa962-smp-k8.bin; use this upgrade file for all hypervisors. Note: The .zip (VMware), .vhdx (Hyper-V), and .qcow2 (KVM) files are only for initial deployment. Amazon Web Services and Microsoft Azure provide deployment images directly. |
| | ASDM Software (Upgrade): Choose Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
| | REST API Software: Choose Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
| | ASA Device Package for Cisco Application Policy Infrastructure Controller (APIC): Choose ASA for Application Centric Infrastructure (ACI) Device Packages > version. | For APIC 1.2(7) and later, choose either the Policy Orchestration with Fabric Insertion, or the Fabric Insertion-only package. The device package software file has a filename like asa-device-pkg-1.2.7.10.zip. To install the ASA device package, see the “Importing a Device Package” chapter of the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide. |
| Firepower 2100 Series | http://www.cisco.com/go/asa-firepower-sw | |
| | ASA, ASDM, and FXOS Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The ASA package includes ASA, ASDM, and FXOS software. The ASA package has a filename like cisco-asa.9.8.2.SPA.csp. |
| | ASDM Software (Upgrade): Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-782.bin. Note: When you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle. |
| ASA on the Firepower 4100 Series | http://www.cisco.com/go/firepower4100-software | |
| | ASA and ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The ASA package includes both ASA and ASDM. The ASA package has a filename like cisco-asa.9.6.2.SPA.csp. |
| | ASDM Software (Upgrade): Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-762.bin. Note: When you upgrade the ASA bundle in FXOS, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle. |
| | REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
| ASA on the Firepower 9300 Series | http://www.cisco.com/go/firepower9300-software | |
| | ASA and ASDM Software: Choose Adaptive Security Appliance (ASA) Software > version. | The ASA package includes both ASA and ASDM. The ASA package has a filename like cisco-asa.9.6.2.SPA.csp. |
| | ASDM Software (Upgrade): Choose Adaptive Security Appliance (ASA) Device Manager > version. | Use this image to upgrade to a later version of ASDM using your current ASDM or the ASA CLI. The ASDM software file has a filename like asdm-762.bin. Note: When you upgrade the ASA bundle in FXOS, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA because they have the same name (asdm.bin). But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled ASDM image (asdm.bin) just before upgrading the ASA bundle. |
| | REST API Software: Choose Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |
| ASA Services Module | ASA Software: http://www.cisco.com/go/asasm-software Choose your version. | The ASA software file has a filename like asa962-smp-k8.bin. |
| | ASDM Software: http://www.cisco.com/go/asdm-software Choose Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
| ISA 3000 | http://www.cisco.com/go/isa3000-software | |
| | ASA Software: Choose your model > Adaptive Security Appliance (ASA) Software > version. | The ASA software file has a filename like asa962-lfbff-k8.SPA. |
| | ASDM Software: Choose your model > Adaptive Security Appliance (ASA) Device Manager > version. | The ASDM software file has a filename like asdm-762.bin. |
| | REST API Software: Choose your model > Adaptive Security Appliance REST API Plugin > version. | The API software file has a filename like asa-restapi-132-lfbff-k8.SPA. To install the REST API, see the API quick start guide. |

Download ASA FirePOWER Software


If you manage the ASA FirePOWER module using ASDM, download the software from Cisco.com.
If you manage the ASA FirePOWER module using the Firepower Management Center software, you can use
one of the following methods to download the software:
• For minor releases (patches and hotfixes), use the Firepower Management Center Download Updates
function on the System > Updates page, which downloads all minor upgrades for the Firepower
Management Center and the devices it is currently managing.
• For major releases, download the software from Cisco.com.

This table includes naming conventions and information about ASA FirePOWER software on Cisco.com.

| ASA Model | Download Location | Packages |
|---|---|---|
| ASA 5506-X, ASA 5508-X, and ASA 5516-X | http://www.cisco.com/go/asa-firepower-sw Choose your model > FirePOWER Services Software for ASA > version. | Preinstallation Software—Preinstallation files (for some upgrades) have a name like Cisco_Network_Sensor_6.1.0_Pre-install-6.0.1.999-32.sh. |
| | | Upgrade Software—Upgrade files have a name like Cisco_Network_Sensor_Upgrade-6.2.0-362.sh. |
| | | Hotfix Software—Hotfix files have a name like Cisco_Network_Sensor_Hotfix_AF-6.1.0.2-1.sh. |
| | | Boot image—The boot image is only used for reimaging, and has a filename like asasfr-5500x-boot-6.1.0-330.img. |
| | | System software install package—The system software install package is only used for reimaging, and has a filename like asasfr-sys-6.1.0-330.pkg. |
| | | Patch files—Patch files have a name like Cisco_Network_Sensor_Patch-6.1.0.1-53.sh. |
| ASA 5512-X through ASA 5555-X | http://www.cisco.com/go/asa-firepower-sw Choose your model > FirePOWER Services Software for ASA > version. | Preinstallation Software—Preinstallation files (for some upgrades) have a name like Cisco_Network_Sensor_6.1.0_Pre-install-6.0.1.999-32.sh. |
| | | Upgrade Software—Upgrade files have a name like Cisco_Network_Sensor_Upgrade-6.2.0-362.sh. |
| | | Hotfix Software—Hotfix files have a name like Cisco_Network_Sensor_Hotfix_AF-6.1.0.2-1.sh. |
| | | Boot image—The boot image is only used for reimaging, and has a filename like asasfr-5500x-boot-6.1.0-330.img. |
| | | System software install package—The system software install package is only used for reimaging, and has a filename like asasfr-sys-6.1.0-330.pkg. |
| | | Patch files—Patch files have a name like Cisco_Network_Sensor_Patch-6.1.0.1-53.sh. |
| ASA 5585-X | http://www.cisco.com/go/asa-firepower-sw Choose your model > version. | Preinstallation Software—Preinstallation files (for some upgrades) have a name like Cisco_Network_Sensor_6.1.0_Pre-install-6.0.1.999-32.sh. |
| | | Upgrade Software—Upgrade files have a name like Cisco_Network_Sensor_Upgrade-6.2.0-362.sh. |
| | | Hotfix Software—Hotfix files have a name like Cisco_Network_Sensor_Hotfix_AF-6.1.0.2-1.sh. |
| | | Boot image—The boot image is only used for reimaging, and has a filename like asasfr-5500x-boot-6.1.0-330.img. |
| | | System software install package—The system software install package is only used for reimaging, and has a filename like asasfr-sys-6.1.0-330.pkg. |
| | | Patch files—Patch files have a name like Cisco_Network_Sensor_Patch-6.1.0.1-53.sh. |
| ISA 3000 | http://www.cisco.com/go/isa3000-software Choose your model > FirePOWER Services Software for ASA > version. | Hotfix Software—Hotfix files have a name like Cisco_Network_Sensor_Hotfix_CX-5.4.1.9-1.tar. |
| | | Boot image—The boot image has a filename like asasfr-ISA-3000-boot-5.4.1-213.img. |
| | | System software install package—The system software install package has a filename like asasfr-sys-5.4.1-213.pkg. |
| | | Patch files—Patch files have a name like Cisco_Network_Sensor_Patch-5.4.1.10-33.sh. |

Download Firepower Management Center Software


You can download Firepower Management Center software from Cisco.com, or in the case of patches and
hotfixes, you can download from within the Firepower Management Center.

Download from the FMC Updates Page


You can use the FMC to retrieve patches, hotfixes, and vulnerability database (VDB) upgrades. To obtain
major upgrades, you must use the Cisco Support & Download site.


Before you begin


• Make sure the FMC has internet access.
• If you are using the standby FMC in a high availability pair, pause synchronization. See Download
Guidelines for High Availability FMCs, on page 39.

Procedure

Step 1 On the FMC web interface, choose System > Updates.


Step 2 Click Download Updates.
The number of upgrade packages retrieved, and therefore the time to retrieve them, depends on:
• How up-to-date your current deployment is—The FMC downloads a package for each patch and hotfix
associated with the version your appliances are currently running, as well as the latest VDB if needed.
• How many different device types you have—The FMC downloads a different package for each device
type. If your deployment includes multiple devices of the same type (for example, ten Firepower Threat
Defense devices), the FMC downloads a single package to upgrade them all.

Firepower Management Center Upgrade Packages


For upgrade packages for Firepower Management Centers, browse to:
• https://www.cisco.com/go/firepower-software

Choose your model > Firepower Management Center Software > version.

Table 11: FMC Upgrade Packages: Upgrading to Version 6.3+

| Package Type | Package Name |
|---|---|
| Upgrade | Cisco_Firepower_Mgmt_Center_Upgrade-version.sh |
| | Cisco_Firepower_Mgmt_Center_Upgrade-version.sh.REL.tar |
| Patch | Cisco_Firepower_Mgmt_Center_Patch-version.sh |
| | Cisco_Firepower_Mgmt_Center_Patch-version.sh.REL.tar |
| Hotfix | Cisco_Firepower_Mgmt_Center_Hotfix_letter-version.sh |
| | Cisco_Firepower_Mgmt_Center_Hotfix_letter-version.sh.REL.tar |

Table 12: FMC Upgrade Packages: Upgrading to Version 5.4.x - Version 6.2.3.x

| Package Type | Package Name |
|---|---|
| Upgrade | Sourcefire_3D_Defense_Center_S3_Upgrade-version.sh |
| | Sourcefire_3D_Defense_Center_S3_Upgrade-version.sh.REL.tar |
| Patch | Sourcefire_3D_Defense_Center_S3_Patch-version.sh |
| | Sourcefire_3D_Defense_Center_S3_Patch-version.sh.REL.tar |
| Hotfix | Sourcefire_3D_Defense_Center_S3_Hotfix_letter-version.sh |
| | Sourcefire_3D_Defense_Center_S3_Hotfix_letter-version.sh.REL.tar |
| Pre-install package for Versions 6.0, 6.0.1, and 6.1 | Sourcefire_3D_Defense_Center_S3_targetversion_Pre-install-currentversion.sh |

Download Guidelines for High Availability FMCs


When upgrading Firepower Management Centers in a high availability configuration, you must transfer
packages to both the active/primary FMC and the standby/secondary FMC. Additionally, you must pause
synchronization before you transfer the package to the standby FMC.
To limit interruptions to high availability synchronization during the upgrade process, we recommend that
you:
• Active FMC—Transfer the package during the preparation stage of the upgrade.
• Standby FMC—Transfer the package as part of the actual upgrade process, after you pause
synchronization.

For more information, see Upgrade High Availability FMCs, on page 93.

FXOS for Firepower 4100/9300 Chassis Upgrade Packages


For FXOS upgrade packages for the Firepower 4100/9300 chassis, browse to:
• Firepower 4100 series: http://www.cisco.com/go/firepower4100-software
• Firepower 9300: http://www.cisco.com/go/firepower9300-software

Choose your model > Firepower Extensible Operating System > version.

Table 13: FXOS Upgrade Packages

| Package Type | Package Name |
|---|---|
| FXOS image | fxos-k9.version.SPA |
| Recovery (kickstart) | fxos-k9-kickstart.version.SPA |
| Recovery (manager) | fxos-k9-manager.version.SPA |
| Recovery (system) | fxos-k9-system.version.SPA |
| MIBs | fxos-mibs-fp9k-fp4k.version.zip |
| Firmware: Firepower 4100 series | fxos-k9-fpr4k-firmware.version.SPA |
| Firmware: Firepower 9300 | fxos-k9-fpr9k-firmware.version.SPA |

Important Guidelines Before You Upgrade


Check for upgrade guidelines and limitations, and configuration migrations for each operating system.

ASA Upgrade Guidelines


Before you upgrade, check for migrations and any other guidelines.

Version-Specific Guidelines and Migrations


Depending on your current version, you might experience one or more configuration migrations, and have to
consider configuration guidelines for all versions between the starting version and the ending version when
you upgrade.

9.9 Guidelines
• ASA 5506-X memory issues with large configurations on 9.9(2) and later—If you upgrade to 9.9(2) or
later, parts of a very large configuration might be rejected due to insufficient memory with the following
message: "ERROR: Insufficient memory to install the rules". One option is to enter the
object-group-search access-control command to improve memory usage for ACLs; your performance
might be impacted, however. Alternatively, you can downgrade to 9.9(1).

9.8 Guidelines
• Do not upgrade to 9.8(1) for ASAv on Amazon Web Services—Due to CSCve56153, you should not
upgrade to 9.8(1). After upgrading, the ASAv becomes unreachable. Upgrade to 9.8(1.5) or later instead.

9.7 Guidelines
• Upgrade issue with 9.7(1) to 9.7(1.x) and later for VTI and VXLAN VNI—If you configure both Virtual
Tunnel Interfaces (VTIs) and VXLAN Virtual Network Identifier (VNI) interfaces, then you cannot
perform a zero downtime upgrade for failover; connections on these interface types will not replicate to
the standby unit until both units are on the same version. (CSCvc83062)

9.6 Guidelines
• (ASA 9.6(2) through 9.7(x)) Upgrade impact when using SSH public key authentication—Due to updates
to SSH authentication, additional configuration is required to enable SSH public key authentication; as
a result, existing SSH configurations using public key authentication no longer work after upgrading.
Public key authentication is the default for the ASAv on Amazon Web Services (AWS), so AWS users
will see this issue. To avoid loss of SSH connectivity, you can update your configuration before you
upgrade. Or you can use ASDM after you upgrade (if you enabled ASDM access) to fix the configuration.


Note: The original behavior was restored in 9.8(1).

Sample original configuration for a username "admin":

username admin nopassword privilege 15
username admin attributes
 ssh authentication publickey 55:06:47:eb:13:75:fc:5c:a8:c1:2c:bb:07:80:3a:fc:d9:08:a9:1f:34:76:31:ed:ab:bd:3a:9e:03:14:1e:1b hashed

To use the ssh authentication command, before you upgrade, enter the following commands:

aaa authentication ssh console LOCAL
username admin password <password> privilege 15

We recommend setting a password for the username as opposed to keeping the nopassword keyword,
if present. The nopassword keyword means that any password can be entered, not that no password can
be entered. Prior to 9.6(2), the aaa command was not required for SSH public key authentication, so the
nopassword keyword was not triggered. Now that the aaa command is required, it automatically also
allows regular password authentication for a username if the password (or nopassword) keyword is
present.
After you upgrade, the username command no longer requires the password or nopassword keyword;
you can require that a user cannot enter a password. Therefore, to force public key authentication only,
re-enter the username command:

username admin privilege 15

• Upgrade impact when upgrading the ASA on the Firepower 9300—Due to license entitlement naming
changes on the back-end, when you upgrade to ASA 9.6(1)/FXOS 1.1(4), the startup configuration may
not parse correctly upon the initial reload; configuration that corresponds to add-on entitlements is
rejected.
For a standalone ASA, after the unit reloads with the new version, wait until all the entitlements are
processed and are in an "Authorized" state (show license all or Monitoring > Properties > Smart
License), and simply reload again (reload or Tools > System Reload) without saving the configuration.
After the reload, the startup configuration will be parsed correctly.
For a failover pair if you have any add-on entitlements, follow the upgrade procedure in the FXOS release
notes, but reset failover after you reload each unit (failover reset or Monitoring > Properties > Failover
> Status, Monitoring > Failover > System, or Monitoring > Failover > Failover Group, and then
click Reset Failover).
For a cluster, follow the upgrade procedure in the FXOS release notes; no additional action is required.
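The SSH public key item in the 9.6 guidelines above can be checked against a saved running-config before the upgrade. The following is an added example, not part of the Cisco guide; the sample configuration, the finding codes and the function names are constructed for illustration.

```python
"""Pre-upgrade audit for the 9.6(2)-9.7(x) SSH public key change (added example)."""

# Constructed sample running-config, modelled on the "admin" sample above.
SAMPLE_CONFIG = """\
hostname ciscoasa
username admin nopassword privilege 15
username admin attributes
 ssh authentication publickey 55:06:47:eb:13:75:fc:5c:a8:c1:2c:bb:07:80:3a:fc:d9:08:a9:1f:34:76:31:ed:ab:bd:3a:9e:03:14:1e:1b hashed
username ops password CONSTRUCTED-HASH encrypted privilege 15
username ops attributes
 ssh authentication publickey aa:bb:cc:dd:ee:ff hashed
username viewer password CONSTRUCTED-HASH encrypted privilege 5
"""

# Hypothetical finding codes, each tied to a statement in the guideline.
MESSAGES = {
    "KEY_LOGIN_BREAKS": "no 'aaa authentication ssh console LOCAL': public key "
                        "login stops working on 9.6(2) through 9.7(x)",
    "ANY_PASSWORD_ACCEPTED": "'nopassword' means any password is accepted once "
                             "the aaa command is present; set a password first",
    "PASSWORD_LOGIN_ALSO_ALLOWED": "password login is also allowed alongside the "
                                   "key; re-enter 'username X privilege N' after "
                                   "the upgrade to force key-only access",
}


def parse_config(config):
    """Return ({user: {"credential", "publickey"}}, aaa_ssh_local)."""
    users = {}
    in_attributes_of = None  # user whose "attributes" sub-mode we are inside
    aaa_ssh_local = False
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if line[0].isspace():
            # Sub-mode line: only relevant inside "username X attributes".
            if in_attributes_of and words[:3] == ["ssh", "authentication", "publickey"]:
                users[in_attributes_of]["publickey"] = True
            continue
        in_attributes_of = None
        if words[0] == "username" and len(words) >= 3:
            user = users.setdefault(words[1], {"credential": None, "publickey": False})
            if words[2] == "attributes":
                in_attributes_of = words[1]
            elif "nopassword" in words[2:]:
                user["credential"] = "nopassword"
            elif "password" in words[2:]:
                user["credential"] = "password"
            else:
                user["credential"] = None  # e.g. "username admin privilege 15"
        elif words[:4] == ["aaa", "authentication", "ssh", "console"] and "LOCAL" in words[4:]:
            aaa_ssh_local = True
    return users, aaa_ssh_local


def audit(config):
    """Return (username, finding_code) pairs for users with an SSH public key."""
    users, aaa_ssh_local = parse_config(config)
    findings = []
    for name in sorted(users):
        user = users[name]
        if not user["publickey"]:
            continue
        if not aaa_ssh_local:
            findings.append((name, "KEY_LOGIN_BREAKS"))
        if user["credential"] == "nopassword":
            findings.append((name, "ANY_PASSWORD_ACCEPTED"))
        elif user["credential"] == "password":
            findings.append((name, "PASSWORD_LOGIN_ALSO_ALLOWED"))
    return findings


if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(f"{name}: {code}: {MESSAGES[code]}")
```
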


9.5 Guidelines and Migration


• 9.5(2) New Carrier License—The new Carrier license replaces the existing GTP/GPRS license, and also
includes support for SCTP and Diameter inspection. For the Firepower 9300 ASA security module, the
feature mobile-sp command will automatically migrate to the feature carrier command.
• 9.5(2) E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s,
pop3s, smtps) and subcommands are no longer supported.
• 9.5(2) CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image,
show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan
image) are no longer supported.
The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan
image migrates to hostscan image.
• 9.5(2) Select AAA commands deprecated—In ASA Version 9.5(2), these AAA commands and
subcommands (override-account-disable, authentication crack) are no longer supported.
• 9.5(1) We deprecated the following command: timeout gsn
• ASA 5508-X and 5516-X upgrade issue when upgrading to 9.5(x) or later—Before you upgrade to ASA
Version 9.5(x) or later, if you never enabled jumbo frame reservation then you must check the maximum
memory footprint. Due to a manufacturing defect, an incorrect software memory limit might have been
applied. If you upgrade to 9.5(x) or later before performing the below fix, then your device will crash
on bootup; in this case, you must downgrade to 9.4 using ROMMON (Load an Image for the ASA 5500-X
Series Using ROMMON), perform the below procedure, and then upgrade again.
1. Enter the following command to check for the failure condition:

ciscoasa# show memory detail | include Max memory footprint
Max memory footprint = 456384512
Max memory footprint = 0
Max memory footprint = 456384512

If a value less than 456,384,512 is returned for “Max memory footprint,” then the failure condition
is present, and you must complete the remaining steps before you upgrade. If the memory shown is
456,384,512 or greater, then you can skip the rest of this procedure and upgrade as normal.
2. Enter global configuration mode:

ciscoasa# configure terminal
ciscoasa(config)#

3. Temporarily enable jumbo frame reservation:

ciscoasa(config)# jumbo-frame reservation
WARNING: This command will take effect after the running-config
is saved and the system has been rebooted. Command accepted.
INFO: Interface MTU should be increased to avoid fragmenting
jumbo frames during transmit

Note: Do not reload the ASA.


4. Save the configuration:

ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: b511ec95 6c90cadb aaf6b306 41579572
14437 bytes copied in 1.320 secs (14437 bytes/sec)
[OK]

5. Disable jumbo frame reservation:

ciscoasa(config)# no jumbo-frame reservation
WARNING: This command will take effect after the running-config is saved and
the system has been rebooted. Command accepted.

Note: Do not reload the ASA.

6. Save the configuration again:

ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: b511ec95 6c90cadb aaf6b306 41579572
14437 bytes copied in 1.320 secs (14437 bytes/sec)
[OK]

7. You can now upgrade to Version 9.5(x) or later.

9.4 Guidelines and Migration


• 9.4(1) Unified Communications Phone Proxy and Intercompany Media Engine Proxy are deprecated—In
ASA Version 9.4, the Phone Proxy and IME Proxy are no longer supported.

9.3 Guidelines and Migration


• 9.3(2) Transport Layer Security (TLS) version 1.2 support—We now support TLS version 1.2 for secure
message transmission for ASDM, Clientless SSL VPN, and AnyConnect VPN. We introduced or modified
the following commands: ssl client-version, ssl server-version, ssl cipher, ssl trust-point, ssl dh-group.
We deprecated the following command: ssl encryption.
• 9.3(1) Removal of AAA Windows NT domain authentication—We removed NTLM support for remote
access VPN users. We deprecated the following command: aaa-server protocol nt.

9.2 Guidelines and Migration

Auto Update Server certificate verification


9.2(1) Auto Update Server certificate verification enabled by default. The Auto Update Server certificate
verification is now enabled by default; for new configurations, you must explicitly disable certificate
verification. If you are upgrading from an earlier release, and you did not enable certificate verification, then
certificate verification is not enabled, and you see the following warning:

WARNING: The certificate provided by the auto-update servers will not be verified. In order
to verify this certificate please use the verify-certificate option.

The configuration will be migrated to explicitly configure no verification:


auto-update server no-verification

Upgrade impact for ASDM login


Upgrade impact for ASDM login when upgrading from a pre-9.2(2.4) release to 9.2(2.4) or later. If you
upgrade from a pre-9.2(2.4) release to ASA Version 9.2(2.4) or later and you use command authorization and
ASDM-defined user roles, users with Read Only access will not be able to log in to ASDM. You must change
the more command either before or after you upgrade to be at privilege level 5; only Admin level users can
make this change. Note that ASDM version 7.3(2) and later includes the more command at level 5 for defined
user roles, but preexisting configurations need to be fixed manually.
ASDM:
1. Choose Configuration > Device Management > Users/AAA > AAA Access > Authorization, and click
Configure Command Privileges.
2. Select more, and click Edit.
3. Change the Privilege Level to 5, and click OK.
4. Click OK, and then Apply.

CLI:
ciscoasa(config)# privilege cmd level 5 mode exec command more

9.1 Guidelines and Migration


• Maximum MTU Is Now 9198 Bytes—If your MTU was set to a value higher than 9198, then the MTU
is automatically lowered when you upgrade. In some cases, this MTU change can cause an MTU mismatch;
be sure to set any connecting equipment to use the new MTU value. The maximum MTU that the ASA
can use is 9198 bytes (check for your model’s exact limit at the CLI help). This value does not include
the Layer 2 header. Formerly, the ASA let you specify the maximum MTU as 65535 bytes, which was
inaccurate and could cause problems.

9.0 Guidelines and Migration


• IPv6 ACL Migration—IPv6 ACLs (ipv6 access-list) will be migrated to extended ACLs (access-list
extended); IPv6 ACLs are no longer supported.
If IPv4 and IPv6 ACLs are applied on the same direction of an interface (access-group command), then
the ACLs are merged:
• If both IPv4 and IPv6 ACLs are not used anywhere other than the access-group, then the name of
the IPv4 ACL is used for the merged ACL; the IPv6 access-list is removed.
• If at least one of the ACLs is used in another feature, then a new ACL is created with the name
IPv4-ACL-name_IPv6-ACL-name; the in-use ACL(s) continue to be used for other features. ACLs
not in use are removed. If the IPv6 ACL is in use for another feature, it is migrated to an extended
ACL of the same name.

• ACL Any Keyword Migration—Now that ACLs support both IPv4 and IPv6, the any keyword now
represents “all IPv4 and IPv6 traffic.” Any existing ACLs that use the any keyword will be changed to
use the any4 keyword, which denotes “all IPv4 traffic.”
In addition, a separate keyword was introduced to designate “all IPv6 traffic”: any6.
The any4 and any6 keywords are not available for all commands that use the any keyword. For example,
the NAT feature uses only the any keyword; any represents IPv4 traffic or IPv6 traffic depending on the
context within the specific NAT command.
• Static NAT-with-port-translation Requirement Before Upgrading—In Version 9.0 and later, static
NAT-with-port-translation rules limit access to the destination IP address for the specified port only. If
you try to access the destination IP address on a different port not covered by a NAT rule, then the
connection is blocked. This behavior is also true for Twice NAT. Moreover, traffic that does not match
the source IP address of the Twice NAT rule will be dropped if it matches the destination IP address,
regardless of the destination port. Therefore, before you upgrade, you must add additional rules for all
other traffic allowed to the destination IP address.
For example, you have the following Object NAT rule to translate HTTP traffic to the inside server
between port 80 and port 8080:

object network my-http-server
host 10.10.10.1
nat (inside,outside) static 192.168.1.1 service tcp 80 8080

If you want any other services to reach the server, such as FTP, then you must explicitly allow them:

object network my-ftp-server
host 10.10.10.1
nat (inside,outside) static 192.168.1.1 service tcp ftp ftp

Or, to allow traffic to other ports of the server, you can add a general static NAT rule that will match all
other ports:

object network my-server-1
host 10.10.10.1
nat (inside,outside) static 192.168.1.1

For Twice NAT, you have the following rule to allow HTTP traffic from 192.168.1.0/24 to the inside
server and translate between port 80 and port 8080:

object network my-real-server
host 10.10.10.1
object network my-mapped-server
host 192.168.1.1
object network outside-real-hosts
subnet 192.168.1.0 255.255.255.0
object network outside-mapped-hosts
subnet 10.10.11.0 255.255.255.0
object service http-real
service tcp destination eq 80
object service http-mapped
service tcp destination eq 8080
object service ftp-real
service tcp destination eq 21
nat (outside,inside) source static outside-real-hosts outside-mapped-hosts destination static my-mapped-server my-real-server service http-mapped http-real

If you want the outside hosts to reach another service on the inside server, add another NAT rule for the
service, for example FTP:

nat (outside,inside) source static outside-real-hosts outside-mapped-hosts destination static my-mapped-server my-real-server service ftp-real ftp-real

If you want other source addresses to reach the inside server on any other ports, you can add another
NAT rule for that specific IP address or for any source IP address. Make sure the general rule is ordered
after the specific rule.

nat (outside,inside) source static any any destination static my-mapped-server my-real-server
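The pre-upgrade check described above for static NAT-with-port-translation can be run against a saved configuration. The following is an added example, not code from Cisco or from this guide: it lists every mapped address that has only port-specific Object NAT rules and no general static rule. The function names and the sample configuration are assumptions, the port pair is accepted with or without the service keyword, and Twice NAT rules are skipped and still need manual review.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from a real device). The first two
# objects mirror the guide's Object NAT examples; the "mail" objects show a
# server that already has a general static rule.
SAMPLE_CONFIG = """\
object network my-http-server
 host 10.10.10.1
 nat (inside,outside) static 192.168.1.1 service tcp 80 8080
object network my-ftp-server
 host 10.10.10.1
 nat (inside,outside) static 192.168.1.1 ftp ftp
object network mail-smtp
 host 10.10.20.5
 nat (inside,outside) static 192.168.1.5 service tcp smtp smtp
object network mail-all
 host 10.10.20.5
 nat (inside,outside) static 192.168.1.5
nat (outside,inside) source static any any destination static my-mapped-server my-real-server
"""

# Keywords that may follow the mapped address without restricting the port.
OPTION_KEYWORDS = {"dns", "no-proxy-arp", "route-lookup", "net-to-net"}
IFC_PAIR = re.compile(r"\(([^,()]+),([^,()]+)\)")


def parse_object_nat(config):
    """Return one dict per static Object NAT rule in `config`.

    `ports` holds the port specification as written, or () for a general rule.
    """
    hosts, rules, current = {}, [], None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "nat" and tokens[1:2] == ["static"]:
            tokens.insert(1, "(any,any)")      # interfaces omitted in the rule
        if tokens[0] == "object":
            # Only "object network NAME" can carry Object NAT.
            is_network = tokens[1:2] == ["network"] and len(tokens) == 3
            current = tokens[2] if is_network else None
        elif current and tokens[0] == "host" and len(tokens) == 2:
            hosts[current] = tokens[1]
        elif (current and tokens[0] == "nat" and len(tokens) >= 4
              and tokens[2] == "static"):
            ifcs = IFC_PAIR.fullmatch(tokens[1])
            rest = [t for t in tokens[4:] if t not in OPTION_KEYWORDS]
            if rest[:1] == ["service"]:
                rest = rest[1:]                # keep protocol and both ports
            if ifcs is None or len(rest) not in (0, 2, 3):
                raise ValueError("unrecognised Object NAT line: " + raw.strip())
            rules.append({"object": current, "mapped_ifc": ifcs.group(2),
                          "mapped": tokens[3], "ports": tuple(rest)})
    for rule in rules:      # the host may be defined in a separate stanza
        rule["real"] = hosts.get(rule["object"])
    return rules


def audit_port_only_mappings(config):
    """Map (mapped_ifc, mapped_addr) to its port rules, for every mapped
    address that has no general static rule covering the other ports."""
    rules = parse_object_nat(config)
    general = {(r["mapped_ifc"], r["mapped"]) for r in rules if not r["ports"]}
    findings = defaultdict(list)
    for r in rules:
        key = (r["mapped_ifc"], r["mapped"])
        if r["ports"] and key not in general:
            findings[key].append((r["object"], r["real"], r["ports"]))
    return dict(findings)


def report(config):
    """Human-readable findings, one block per mapped address."""
    lines = []
    for (ifc, addr), entries in audit_port_only_mappings(config).items():
        lines.append(f"{addr} on {ifc}: port-specific static NAT only; "
                     "add a rule for every other service you allow")
        for obj, real, ports in entries:
            lines.append(f"  {obj}: real host {real}, ports {' '.join(ports)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)) or "no port-only mappings found")
```

An empty result means every port-translated address also has a general static rule; anything listed needs an explicit rule per allowed service before the upgrade.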

8.4 Guidelines and Migration


• Configuration Migration for Transparent Mode—In 8.4, all transparent mode interfaces now belong to
a bridge group. When you upgrade to 8.4, the existing two interfaces are placed in bridge group 1, and
the management IP address is assigned to the Bridge Group Virtual Interface (BVI). The functionality
remains the same when using one bridge group. You can now take advantage of the bridge group feature
to configure up to four interfaces per bridge group and to create up to eight bridge groups in single mode
or per context.

Note In 8.3 and earlier, as an unsupported configuration, you could configure a
management interface without an IP address, and you could access the interface
using the device management address. In 8.4, the device management address is
assigned to the BVI, and the management interface is no longer accessible using
that IP address; the management interface requires its own IP address.

• When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now
include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The
unidirectional keyword is removed.

8.3 Guidelines and Migration


See the following guide that describes the configuration migration process when you upgrade from a pre-8.3
version of the Cisco ASA 5500 operating system (OS) to Version 8.3:
Cisco ASA 5500 Migration to Version 8.3

Clustering Guidelines
There are no special requirements for Zero Downtime Upgrades for ASA clustering with the following
exceptions.

Note Zero Downtime Downgrades are not officially supported with clustering.

• Firepower 4100/9300 Cluster Upgrade to FXOS 2.3/ASA 9.9(2)—Slaves on ASA 9.8 and earlier cannot
rejoin a cluster where the master unit is on FXOS 2.3/9.9(2) or later; they will join after you upgrade the
ASA version to 9.9(2)+ [CSCvi54844].
• Distributed Site-to-Site VPN—Distributed Site-to-Site VPN sessions on a failed unit require up to 30
minutes to stabilize on other units. During this time, additional unit failures might result in lost sessions.
Therefore, during a cluster upgrade, to avoid traffic loss, follow these steps. Refer to the FXOS/ASA
cluster upgrade procedure so you can integrate these steps into your upgrade task.

Note Zero Downtime Upgrade is not supported with Distributed Site-to-Site VPN when
upgrading from 9.9(1) to 9.9(2) or later. In 9.9(2), due to Active Session
Redistribution enhancements, you cannot run some units on 9.9(2) and other units
on 9.9(1).

1. On the chassis without the master unit, disable clustering on one module using the ASA console.
cluster group name
no enable
If you are upgrading FXOS on the chassis as well as ASA, save the configuration so clustering will
be disabled after the chassis reboots:
write memory
2. Wait for the cluster to stabilize; verify all backup sessions have been created.
show cluster vpn-sessiondb summary
3. Repeat steps 1 and 2 for each module on this chassis.
4. Upgrade FXOS on the chassis using the FXOS CLI or Firepower Chassis Manager.
5. After the chassis comes online, update the ASA image on each module using the FXOS CLI or
Firepower Chassis Manager.
6. After the modules come online, re-enable clustering on each module at the ASA console.
cluster group name
enable
write memory
7. Repeat steps 1 through 6 on the second chassis, being sure to disable clustering on the slave units
first, and then finally the master unit.
A new master unit will be chosen from the upgraded chassis.
8. After the cluster has stabilized, redistribute active sessions among all modules in the cluster using
the ASA console on the master unit.
cluster redistribute vpn-sessiondb

• Upgrade issue for 9.9(1) and later with clustering—9.9(1) and later includes an improvement in the
backup distribution. You should perform your upgrade to 9.9(1) or later as follows to take advantage of
the new backup distribution method; otherwise upgraded units will continue to use the old method.
1. Remove all secondary units from the cluster (so the cluster consists only of the primary unit).
2. Upgrade 1 secondary unit, and rejoin the cluster.
3. Disable clustering on the primary unit; upgrade it, and rejoin the cluster.
4. Upgrade the remaining secondary units, and join them back to the cluster, one at a time.

• Firepower 4100/9300 Cluster Upgrade to ASA 9.8(1) and earlier—When you disable clustering on a
slave unit (no enable), which is part of the upgrade process, traffic directed to that unit can drop for up
to three seconds before traffic is redirected to a new owner [CSCvc85008].
• Zero Downtime Upgrade may not be supported when upgrading to the following releases with the fix
for CSCvb24585. This fix moved 3DES from the default (medium) SSL ciphers to the low cipher set. If
you set a custom cipher that only includes 3DES, then you may have a mismatch if the other side of the
connection uses the default (medium) ciphers that no longer include 3DES.
• 9.1(7.12)
• 9.2(4.18)
• 9.4(3.12)
• 9.4(4)
• 9.5(3.2)
• 9.6(2.4)
• 9.6(3)
• 9.7(1)
• 9.8(1)

• Upgrade issues for fully-qualified domain name (FQDN) ACLs—Due to CSCuv92371, ACLs containing
FQDNs might result in incomplete ACL replication to secondary units in a cluster or failover pair. This
bug is present in 9.1(7), 9.5(2), 9.6(1), and some interim releases. We suggest that you upgrade to a
version that includes the fix for CSCuy34265: 9.1(7.6) or later, 9.5(3) or later, 9.6(2) or later. However,
due to the nature of configuration replication, zero downtime upgrade is not available. See CSCuy34265
for more information about different methods of upgrading.
• Firepower Threat Defense Version 6.1.0 clusters do not support inter-site clustering (you can configure
inter-site features using FlexConfig starting in 6.2.0). If you deployed or re-deployed a 6.1.0 cluster in
FXOS 2.1.1, and you entered a value for the (unsupported) site ID, then you must remove the site ID
(set it to 0) on each unit in FXOS before you upgrade to 6.2.3. Otherwise, the units will not be able to
rejoin the cluster after the upgrade. If you already upgraded, change the site ID to 0 on each unit to resolve
the issue. See the FXOS configuration guide to view or change the site ID.
• Upgrade to 9.5(2) or later (CSCuv82933)—Before you upgrade the master unit, if you enter show cluster
info, the upgraded slave units show as “DEPUTY_BULK_SYNC”; other mismatched states are also
shown. You can ignore this display; the status will show correctly when you upgrade all units.
• Upgrade from 9.0(1) or 9.1(1) (CSCue72961)—Zero Downtime Upgrade is not supported.

Failover Guidelines
There are no special requirements for Zero Downtime Upgrades for failover with the following exceptions:
• Upgrade issues with 8.4(6), 9.0(2), and 9.1(2)—Due to CSCug88962, you cannot perform a Zero
Downtime Upgrade to 8.4(6), 9.0(2), or 9.1(3). You should instead upgrade to 8.4(5) or 9.0(3). To upgrade
9.1(1), you cannot upgrade directly to the 9.1(3) release due to CSCuh25271, so there is no workaround
for a Zero Downtime Upgrade; you must upgrade to 9.1(2) before you upgrade to 9.1(3) or later.
• Upgrade issues for fully-qualified domain name (FQDN) ACLs—Due to CSCuv92371, ACLs containing
FQDNs might result in incomplete ACL replication to secondary units in a cluster or failover pair. This
bug is present in 9.1(7), 9.5(2), 9.6(1), and some interim releases. We suggest that you upgrade to a
version that includes the fix for CSCuy34265: 9.1(7.6) or later, 9.5(3) or later, 9.6(2) or later. However,
due to the nature of configuration replication, zero downtime upgrade is not available. See CSCuy34265
for more information about different methods of upgrading.
• Upgrade issue with 9.7(1) to 9.7(1.x) and later for VTI and VXLAN VNI—If you configure both Virtual
Tunnel Interfaces (VTIs) and VXLAN Virtual Network Identifier (VNI) interfaces, then you cannot
perform a zero downtime upgrade for failover; connections on these interface types will not replicate to
the standby unit until both units are on the same version. (CSCvc83062)

Additional Guidelines
• Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability—Multiple vulnerabilities
have been fixed for clientless SSL VPN in ASA software, so you should upgrade your software to a fixed
version. See http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
for details about the vulnerability and a list of fixed ASA versions. Also, if you ever ran an earlier ASA
version that had a vulnerable configuration, then regardless of the version you are currently running, you
should verify that the portal customization was not compromised. If an attacker compromised a
customization object in the past, then the compromised object stays persistent after you upgrade the ASA
to a fixed version. Upgrading the ASA prevents this vulnerability from being exploited further, but it
will not modify any customization objects that were already compromised and are still present on the
system.

Firepower Management Center Upgrade Guidelines


Before you upgrade, check for Firepower Management Center guidelines in the FMC Upgrade Guide.

FXOS Upgrade Guidelines


Before you upgrade, read the release notes for each FXOS version in your chosen upgrade path. Release notes
contain important information about each FXOS release, including new features and changed functionality.
Upgrading may require configuration changes that you must address. For example, new hardware supported
in an FXOS release might also require that you update the FXOS firmware.
FXOS release notes are available here:
https://www.cisco.com/c/en/us/support/security/firepower-9000-series/products-release-notes-list.html.

Back Up Your Configurations


We recommend that you back up your configurations and other critical files before you upgrade, especially
if there is a configuration migration. Each operating system has a different method to perform backups. Check
the ASA, ASDM, ASA FirePOWER local management, Firepower Management Center, and FXOS
configuration guides for more information.

CHAPTER 2
Upgrade the ASA Appliance or ASAv
Upgrade the ASA 5500-X, ASA on Firepower 2100, ASAv, ASASM, and ISA 3000 according to the procedures
in this document.
• Upgrade the ASA 5500-X, ASAv, ASASM, or ISA 3000
• Upgrade the ASA on the Firepower 2100

Upgrade the ASA 5500-X, ASAv, ASASM, or ISA 3000


This document describes how to plan and implement an ASA and ASDM upgrade for the ASA 5500-X, ASAv,
ASASM, or ISA 3000 for standalone, failover, or clustering deployments.

Upgrade a Standalone Unit


Use the CLI or ASDM to upgrade the standalone unit.

Upgrade a Standalone Unit Using the CLI


This section describes how to install the ASDM and ASA images, and also when to upgrade the ASA
FirePOWER module.

Before you begin


This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command
reference.

Procedure

Step 1 In privileged EXEC mode, copy the ASA software to flash memory.
copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name
Example:

ciscoasa# copy ftp://jcrichton:[email protected]/asa991-smp-k8.bin disk0:/asa991-smp-k8.bin

Step 2 Copy the ASDM image to flash memory.

copy ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name


Example:

ciscoasa# copy ftp://jcrichton:[email protected]/asdm-771791.bin disk0:/asdm-771791.bin

Step 3 Access global configuration mode.


configure terminal
Example:

ciscoasa# configure terminal
ciscoasa(config)#

Step 4 Show the current boot images configured (up to 4):


show running-config boot system
The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so
on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must
remove any existing entries, and enter the image URLs in the order desired, according to the next steps.
Example:

ciscoasa(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

Step 5 Remove any existing boot image configurations so that you can enter the new boot image as your first choice:
no boot system diskn:/[path/]asa_image_name
Example:

ciscoasa(config)# no boot system disk0:/cdisk.bin
ciscoasa(config)# no boot system disk0:/asa931-smp-k8.bin

Step 6 Set the ASA image to boot (the one you just uploaded):
boot system diskn:/[path/]asa_image_name
Repeat this command for any backup images that you want to use in case this image is unavailable. For
example, you can re-enter the images that you previously removed.
Example:

ciscoasa(config)# boot system disk0:/asa991-smp-k8.bin

Step 7 Set the ASDM image to use (the one you just uploaded):
asdm image diskn:/[path/]asdm_image_name
You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.
Example:

ciscoasa(config)# asdm image disk0:/asdm-771791.bin

Step 8 Save the new settings to the startup configuration:


write memory

Step 9 Reload the ASA:


reload

Step 10 If you are upgrading the ASA FirePOWER module, disable the ASA REST API or else the upgrade will fail.
no rest-api agent
You can reenable it after the upgrade:
rest-api agent
Note The ASA 5506-X series does not support the ASA REST API if you are running the FirePOWER
module Version 6.0 or later.

Step 11 Upgrade the ASA FirePOWER module.
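Steps 4 through 6 of the CLI procedure above, as an added example that is not part of the Cisco guide: given the output of show running-config boot system, it builds the commands that put the new image first and re-enter the old images as backups, and it offers a check to run before the reload. The function names are hypothetical, and it assumes image URLs follow the guide's diskn:/[path/]name form.

```python
import re
from typing import List, NamedTuple

MAX_BOOT_IMAGES = 4  # the guide: "current boot images configured (up to 4)"

# Image URL form used throughout the guide: diskn:/[path/]image_name
IMAGE_URL = re.compile(r"disk\d+:/(?:[^/\s]+/)*[^/\s]+")

# Constructed input: the guide's Step 4 example output, prompt line included.
SAMPLE_SHOW_OUTPUT = """\
ciscoasa(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin
"""


class BootPlan(NamedTuple):
    commands: List[str]  # global configuration commands, in the order to enter
    dropped: List[str]   # old images that no longer fit in the boot list


def configured_boot_images(show_output):
    """Extract image URLs, in boot order, from the show command output."""
    images = []
    for line in show_output.splitlines():
        tokens = line.split()
        if tokens[:2] == ["boot", "system"] and len(tokens) == 3:
            images.append(tokens[2])
    return images


def plan_boot_commands(show_output, new_image, keep_backups=True):
    """Build the commands that make `new_image` the first boot choice.

    A new entry cannot be inserted at the top of the list, so every existing
    entry is removed and the list is re-entered in the desired order.
    """
    if not IMAGE_URL.fullmatch(new_image):
        raise ValueError(f"not a diskn:/[path/]name image URL: {new_image!r}")
    current = configured_boot_images(show_output)
    backups = [img for img in current if img != new_image] if keep_backups else []
    ordered = [new_image] + backups
    kept, dropped = ordered[:MAX_BOOT_IMAGES], ordered[MAX_BOOT_IMAGES:]
    commands = [f"no boot system {img}" for img in current]
    commands += [f"boot system {img}" for img in kept]
    return BootPlan(commands, dropped)


def new_image_boots_first(show_output, new_image):
    """Pre-reload check: is `new_image` the first entry in the boot list?"""
    return configured_boot_images(show_output)[:1] == [new_image]


if __name__ == "__main__":
    plan = plan_boot_commands(SAMPLE_SHOW_OUTPUT, "disk0:/asa991-smp-k8.bin")
    print("\n".join(plan.commands))
    if plan.dropped:
        print("not re-entered (list is full):", ", ".join(plan.dropped))
```

Run new_image_boots_first on fresh show output after entering the commands and before write memory and reload.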

Upgrade a Standalone Unit from Your Local Computer Using ASDM


The Upgrade Software from Local Computer tool lets you upload an image file from your computer to the
flash file system to upgrade the ASA.

Procedure

Step 1 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software dialog box appears.

Step 2 From the Image to Upload drop-down list, choose ASDM.


Step 3 In the Local File Path field, click Browse Local Files to find the file on your PC.
Step 4 In the Flash File System Path field, click Browse Flash to find the directory or file in the flash file system.
Step 5 Click Upload Image.
The uploading process might take a few minutes.

Step 6 You are prompted to set this image as the ASDM image. Click Yes.
Step 7 You are reminded to exit ASDM and save the configuration. Click OK.
You exit the Upgrade tool. Note: You will save the configuration and exit and reconnect to ASDM after you
upgrade the ASA software.

Step 8 Repeat these steps, choosing ASA from the Image to Upload drop-down list. You can also use this procedure
to upload other file types.
Step 9 Choose Tools > System Reload to reload the ASA.
A new window appears that asks you to verify the details of the reload.

a) Click the Save the running configuration at the time of reload radio button (the default).
b) Choose a time to reload (for example, Now, the default).
c) Click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed.
An option to exit ASDM is also provided.

Step 10 After the ASA reloads, restart ASDM.


You can check the reload status from a console port, or you can wait a few minutes and try to connect using
ASDM until you are successful.

Step 11 If you are upgrading an ASA FirePOWER module, disable the ASA REST API by choosing Tools > Command
Line Interface, and entering no rest-api agent.
If you do not disable the REST API, the ASA FirePOWER module upgrade will fail. You can reenable it after
the upgrade:
rest-api agent
Note The ASA 5506-X series does not support the ASA REST API if you are running the FirePOWER
module Version 6.0 or later.

Step 12 Upgrade the ASA FirePOWER module.

Upgrade a Standalone Unit Using the ASDM Cisco.com Wizard


The Upgrade Software from Cisco.com Wizard lets you automatically upgrade the ASDM and ASA to
more current versions.
In this wizard, you can do the following:
• Choose an ASA image file and/or ASDM image file to upgrade.

Note ASDM downloads the latest image version, which includes the build number.
For example, if you are downloading 9.9(1), the download might be 9.9(1.2).
This behavior is expected, so you can proceed with the planned upgrade.

• Review the upgrade changes that you have made.


• Download the image or images and install them.
• Review the status of the installation.
• If the installation completed successfully, reload the ASA to save the configuration and complete the
upgrade.

Before you begin


The wizard is only supported using ASDM 7.10(1) and later. Because ASDM is backwards compatible with
earlier ASA releases, you can upgrade ASDM no matter which ASA version you are running.

Procedure

Step 1 Choose Tools > Check for ASA/ASDM Updates.


In multiple context mode, access this menu from the System.
The Cisco.com Authentication dialog box appears.

Step 2 Enter your Cisco.com username and password, and then click Login.
The Cisco.com Upgrade Wizard appears.
Note If there is no upgrade available, a dialog box appears. Click OK to exit the wizard.

Step 3 Click Next to display the Select Software screen.


The current ASA version and ASDM version appear.

Step 4 To upgrade the ASA version and ASDM version, perform the following steps:
a) In the ASA area, check the Upgrade to check box, and then choose an ASA version to which you want
to upgrade from the drop-down list.
b) In the ASDM area, check the Upgrade to check box, and then choose an ASDM version to which you
want to upgrade from the drop-down list.
Step 5 Click Next to display the Review Changes screen.
Step 6 Verify the following items:
• The ASA image file and/or ASDM image file that you have downloaded are the correct ones.
• The ASA image file and/or ASDM image file that you want to upload are the correct ones.
• The correct ASA boot image has been selected.

Step 7 Click Next to start the upgrade installation.


You can then view the status of the upgrade installation as it progresses.
The Results screen appears, which provides additional details, such as the upgrade installation status (success
or failure).

Step 8 If the upgrade installation succeeded, for the upgrade versions to take effect, check the Save configuration
and reload device now check box to restart the ASA, and restart ASDM.
Step 9 Click Finish to exit the wizard and save the configuration changes that you have made.
Note To upgrade to the next higher version, if any, you must restart the wizard.

Step 10 After the ASA reloads, restart ASDM.


You can check the reload status from a console port, or you can wait a few minutes and try to connect using
ASDM until you are successful.

Step 11 If you are upgrading an ASA FirePOWER module, disable the ASA REST API by choosing Tools > Command
Line Interface, and entering no rest-api agent.
If you do not disable the REST API, the ASA FirePOWER module upgrade will fail. You can reenable it after
the upgrade:

rest-api agent
Note The ASA 5506-X series does not support the ASA REST API if you are running the FirePOWER
module Version 6.0 or later.

Step 12 Upgrade the ASA FirePOWER module.

Upgrade an Active/Standby Failover Pair


Use the CLI or ASDM to upgrade the Active/Standby failover pair for a zero downtime upgrade.

Upgrade an Active/Standby Failover Pair Using the CLI


To upgrade the Active/Standby failover pair, perform the following steps.

Before you begin


• Perform these steps on the active unit. For SSH access, connect to the active IP address; the active unit
always owns this IP address. When you connect to the CLI, determine the failover status by looking at
the ASA prompt; you can configure the ASA prompt to show the failover status and priority (primary
or secondary), which is useful to determine which unit you are connected to. See the prompt command.
Alternatively, enter the show failover command to view this unit's status and priority (primary or
secondary).
• This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA
command reference.

Procedure

Step 1 On the active unit in privileged EXEC mode, copy the ASA software to the active unit flash memory:
copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name
Example:

asa/act# copy ftp://jcrichton:[email protected]/asa991-smp-k8.bin disk0:/asa991-smp-k8.bin

Step 2 Copy the software to the standby unit; be sure to specify the same path as for the active unit:
failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name
diskn:/[path/]asa_image_name
Example:

asa/act# failover exec mate copy /noconfirm ftp://jcrichton:[email protected]/asa991-smp-k8.bin disk0:/asa991-smp-k8.bin

Step 3 Copy the ASDM image to the active unit flash memory:
copy ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name

Example:

asa/act# copy ftp://jcrichton:[email protected]/asdm-771791.bin disk0:/asdm-771791.bin

Step 4 Copy the ASDM image to the standby unit; be sure to specify the same path as for the active unit:
failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asdm_image_name
diskn:/[path/]asdm_image_name
Example:

asa/act# failover exec mate copy /noconfirm ftp://jcrichton:[email protected]/asdm-771791.bin disk0:/asdm-771791.bin

Step 5 If you are not already in global configuration mode, access global configuration mode:
configure terminal

Step 6 Show the current boot images configured (up to 4):


show running-config boot system
Example:

asa/act(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so
on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must
remove any existing entries, and enter the image URLs in the order desired, according to the next steps.

Step 7 Remove any existing boot image configurations so that you can enter the new boot image as your first choice:
no boot system diskn:/[path/]asa_image_name
Example:

asa/act(config)# no boot system disk0:/cdisk.bin
asa/act(config)# no boot system disk0:/asa931-smp-k8.bin

Step 8 Set the ASA image to boot (the one you just uploaded):
boot system diskn:/[path/]asa_image_name
Example:

asa/act(config)# boot system disk0:/asa991-smp-k8.bin

Repeat this command for any backup images that you want to use in case this image is unavailable. For
example, you can re-enter the images that you previously removed.

Step 9 Set the ASDM image to use (the one you just uploaded):
asdm image diskn:/[path/]asdm_image_name

Example:

asa/act(config)# asdm image disk0:/asdm-771791.bin

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 10 Save the new settings to the startup configuration:


write memory
These configuration changes are automatically saved on the standby unit.

Step 11 If you are upgrading ASA FirePOWER modules, disable the ASA REST API or else the upgrade will fail.
no rest-api agent

Step 12 Upgrade the ASA FirePOWER module on the standby unit.


For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address.
Wait for the upgrade to complete.

Step 13 Reload the standby unit to boot the new image:


failover reload-standby
Wait for the standby unit to finish loading. Use the show failover command to verify that the standby unit is
in the Standby Ready state.

Step 14 Force the active unit to fail over to the standby unit.
no failover active
If you are disconnected from your SSH session, reconnect to the main IP address, now on the new active/former
standby unit.

Step 15 Upgrade the ASA FirePOWER module on the former active unit.
For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address.
Wait for the upgrade to complete.

Step 16 From the new active unit, reload the former active unit (now the new standby unit).
failover reload-standby
Example:

asa/act# failover reload-standby

Note If you are connected to the former active unit console port, you should instead enter the reload
command to reload the former active unit.

Upgrade an Active/Standby Failover Pair Using ASDM


To upgrade the Active/Standby failover pair, perform the following steps.

Before you begin


Place the ASA and ASDM images on your local management computer.

Procedure

Step 1 Launch ASDM on the standby unit by connecting to the standby IP address.
Step 2 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software dialog box appears.

Step 3 From the Image to Upload drop-down list, choose ASDM.


Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to
find the file on your PC.
Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the
directory or file in the flash file system.
Step 6 Click Upload Image. The uploading process might take a few minutes.
When you are prompted to set this image as the ASDM image, click No. You exit the Upgrade tool.

Step 7 Repeat these steps, choosing ASA from the Image to Upload drop-down list.
When you are prompted to set this image as the ASA image, click No. You exit the Upgrade tool.

Step 8 Connect ASDM to the active unit by connecting to the main IP address, and upload the ASDM software,
using the same file location you used on the standby unit.
Step 9 When you are prompted to set the image as the ASDM image, click Yes.
You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note:
You will save the configuration and reload ASDM after you upgrade the ASA software.

Step 10 Upload the ASA software, using the same file location you used for the standby unit.
Step 11 When you are prompted to set the image as the ASA image, click Yes.
You are reminded to reload the ASA to use the new image. Click OK. You exit the Upgrade tool.

Step 12 Click the Save icon on the toolbar to save your configuration changes.
These configuration changes are automatically saved on the standby unit.

Step 13 If you are upgrading ASA FirePOWER modules, disable the ASA REST API by choosing Tools > Command
Line Interface, and entering no rest-api enable.
If you do not disable the REST API, the ASA FirePOWER module upgrade will fail.

Step 14 Upgrade the ASA FirePOWER module on the standby unit.


For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address.
Wait for the upgrade to complete, and then connect ASDM back to the active unit.

Step 15 Reload the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Reload
Standby.
Stay on the System pane to monitor when the standby unit reloads.

Step 16 After the standby unit reloads, force the active unit to fail over to the standby unit by choosing Monitoring
> Properties > Failover > Status, and clicking Make Standby.
ASDM will automatically reconnect to the new active unit.

Step 17 Upgrade the ASA FirePOWER module on the former active unit.
For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address.
Wait for the upgrade to complete, and then connect ASDM back to the active unit.

Step 18 Reload the (new) standby unit by choosing Monitoring > Properties > Failover > Status, and clicking
Reload Standby.

Upgrade an Active/Active Failover Pair


Use the CLI or ASDM to upgrade the Active/Active failover pair for a zero downtime upgrade.

Upgrade an Active/Active Failover Pair Using the CLI


To upgrade two units in an Active/Active failover configuration, perform the following steps.

Before you begin


• Perform these steps on the primary unit.
• Perform these steps in the system execution space.
• This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA
command reference.

Procedure

Step 1 On the primary unit in privileged EXEC mode, copy the ASA software to flash memory:
copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name
Example:

asa/act/pri# copy ftp://jcrichton:[email protected]/asa991-smp-k8.bin disk0:/asa991-smp-k8.bin

Step 2 Copy the software to the secondary unit; be sure to specify the same path as for the primary unit:
failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name
Example:

asa/act/pri# failover exec mate copy /noconfirm ftp://jcrichton:[email protected]/asa991-smp-k8.bin disk0:/asa991-smp-k8.bin

Step 3 Copy the ASDM image to the primary unit flash memory:
copy ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name
Example:

asa/act/pri# copy ftp://jcrichton:[email protected]/asdm-771791.bin disk0:/asdm-771791.bin

Step 4 Copy the ASDM image to the secondary unit; be sure to specify the same path as for the primary unit:
failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name
Example:

asa/act/pri# failover exec mate copy /noconfirm ftp://jcrichton:[email protected]/asdm-771791.bin disk0:/asdm-771791.bin

Step 5 If you are not already in global configuration mode, access global configuration mode:
configure terminal

Step 6 Show the current boot images configured (up to 4):


show running-config boot system
Example:

asa/act/pri(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so
on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must
remove any existing entries, and enter the image URLs in the order desired, according to the next steps.

Step 7 Remove any existing boot image configurations so that you can enter the new boot image as your first choice:
no boot system diskn:/[path/]asa_image_name
Example:

asa/act/pri(config)# no boot system disk0:/cdisk.bin
asa/act/pri(config)# no boot system disk0:/asa931-smp-k8.bin

Step 8 Set the ASA image to boot (the one you just uploaded):
boot system diskn:/[path/]asa_image_name
Example:

asa/act/pri(config)# boot system disk0:/asa991-smp-k8.bin

Repeat this command for any backup images that you want to use in case this image is unavailable. For
example, you can re-enter the images that you previously removed.

Step 9 Set the ASDM image to use (the one you just uploaded):
asdm image diskn:/[path/]asdm_image_name
Example:

asa/act/pri(config)# asdm image disk0:/asdm-771791.bin

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 10 Save the new settings to the startup configuration:


write memory
These configuration changes are automatically saved on the secondary unit.

Step 11 If you are upgrading ASA FirePOWER modules, disable the ASA REST API or else the upgrade will fail.
no rest-api agent

Step 12 Make both failover groups active on the primary unit:


failover active group 1
failover active group 2
Example:

asa/act/pri(config)# failover active group 1
asa/act/pri(config)# failover active group 2

Step 13 Upgrade the ASA FirePOWER module on the secondary unit.


For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby
management IP address. Wait for the upgrade to complete.

Step 14 Reload the secondary unit to boot the new image:


failover reload-standby
Wait for the secondary unit to finish loading. Use the show failover command to verify that both failover
groups are in the Standby Ready state.

Step 15 Force both failover groups to become active on the secondary unit:
no failover active group 1
no failover active group 2
Example:

asa/act/pri(config)# no failover active group 1
asa/act/pri(config)# no failover active group 2
asa/stby/pri(config)#

If you are disconnected from your SSH session, reconnect to the failover group 1 IP address, now on the
secondary unit.

Step 16 Upgrade the ASA FirePOWER module on the primary unit.

For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby
management IP address. Wait for the upgrade to complete.

Step 17 Reload the primary unit:


failover reload-standby
Example:

asa/act/sec# failover reload-standby

Note If you are connected to the primary unit console port, you should instead enter the reload command
to reload the primary unit.

You may be disconnected from your SSH session.

Step 18 If the failover groups are configured with the preempt command, they automatically become active on their
designated unit after the preempt delay has passed.
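
Steps 6 through 8 above (clear the boot list, then re-enter it with the new image first) can be generated from the show running-config boot system output. The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool; the function names are hypothetical and the sample input is constructed from the guide's Step 6 example.

```python
import re

MAX_BOOT_IMAGES = 4  # the guide notes that up to 4 boot images can be configured
_BOOT_LINE = re.compile(r"^boot system (\S+)$")
_FLASH_URL = re.compile(r"^disk\d+:/\S+$")  # diskn:/[path/]asa_image_name


def parse_boot_images(show_output):
    """Return the configured boot image URLs, in boot order.

    Prompt/echo lines such as 'asa/act/pri(config)# show running-config
    boot system' do not start with 'boot system' and are skipped.
    """
    images = []
    for line in show_output.splitlines():
        match = _BOOT_LINE.match(line.strip())
        if match:
            images.append(match.group(1))
    return images


def plan_boot_order(show_output, new_image, keep_backups=True):
    """Build the command sequence that makes new_image the first boot choice.

    Returns (commands, dropped): commands to enter in global configuration
    mode, and any old images left out because the list would exceed the limit.
    """
    if not _FLASH_URL.match(new_image):
        raise ValueError(f"not a diskn:/ image URL: {new_image!r}")

    current = parse_boot_images(show_output)
    if current[:1] == [new_image]:
        return [], []  # already the first choice; nothing to change

    # A new entry cannot be inserted at the top, so clear the whole list ...
    commands = [f"no boot system {url}" for url in current]

    # ... then re-enter it in the desired order: new image first, backups after.
    ordered = [new_image]
    if keep_backups:
        ordered += [url for url in dict.fromkeys(current) if url != new_image]
    dropped = ordered[MAX_BOOT_IMAGES:]
    commands += [f"boot system {url}" for url in ordered[:MAX_BOOT_IMAGES]]
    return commands, dropped


# Constructed sample input, modelled on the guide's Step 6 example output.
SAMPLE = """\
asa/act/pri(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin
"""

if __name__ == "__main__":
    cmds, dropped = plan_boot_order(SAMPLE, "disk0:/asa991-smp-k8.bin")
    print("\n".join(cmds))
    for url in dropped:
        print(f"! not re-added (limit of {MAX_BOOT_IMAGES}): {url}")
```

Review the generated commands before entering them; the sketch only orders the list and does not check that the image files exist in flash.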

Upgrade an Active/Active Failover Pair Using ASDM


To upgrade two units in an Active/Active failover configuration, perform the following steps.

Before you begin


• Perform these steps in the system execution space.
• Place the ASA and ASDM images on your local management computer.

Procedure

Step 1 Launch ASDM on the secondary unit by connecting to the management address in failover group 2.
Step 2 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software dialog box appears.

Step 3 From the Image to Upload drop-down list, choose ASDM.


Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to
find the file on your PC.
Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the
directory or file in the flash file system.
Step 6 Click Upload Image. The uploading process might take a few minutes.
When you are prompted to set this image as the ASDM image, click No. You exit the Upgrade tool.

Step 7 Repeat these steps, choosing ASA from the Image to Upload drop-down list.
When you are prompted to set this image as the ASA image, click No. You exit the Upgrade tool.

Step 8 Connect ASDM to the primary unit by connecting to the management IP address in failover group 1, and
upload the ASDM software, using the same file location you used on the secondary unit.

Step 9 When you are prompted to set the image as the ASDM image, click Yes.
You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note:
You will save the configuration and reload ASDM after you upgrade the ASA software.

Step 10 Upload the ASA software, using the same file location you used for the secondary unit.
Step 11 When you are prompted to set the image as the ASA image, click Yes.
You are reminded to reload the ASA to use the new image. Click OK. You exit the Upgrade tool.

Step 12 Click the Save icon on the toolbar to save your configuration changes.
These configuration changes are automatically saved on the secondary unit.

Step 13 If you are upgrading ASA FirePOWER modules, disable the ASA REST API by choosing Tools > Command
Line Interface, and entering no rest-api enable.
If you do not disable the REST API, the ASA FirePOWER module upgrade will fail.

Step 14 Make both failover groups active on the primary unit by choosing Monitoring > Failover > Failover
Group #, where # is the number of the failover group you want to move to the primary unit, and clicking
Make Active.
Step 15 Upgrade the ASA FirePOWER module on the secondary unit.
For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby
management IP address. Wait for the upgrade to complete, and then connect ASDM back to the primary unit.

Step 16 Reload the secondary unit by choosing Monitoring > Failover > System, and clicking Reload Standby.
Stay on the System pane to monitor when the secondary unit reloads.

Step 17 After the secondary unit comes up, make both failover groups active on the secondary unit by choosing
Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move
to the secondary unit, and clicking Make Standby.
ASDM will automatically reconnect to the failover group 1 IP address on the secondary unit.

Step 18 Upgrade the ASA FirePOWER module on the primary unit.


For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby
management IP address. Wait for the upgrade to complete, and then connect ASDM back to the secondary
unit.

Step 19 Reload the primary unit by choosing Monitoring > Failover > System, and clicking Reload Standby.
Step 20 If the failover groups are configured with Preempt Enabled, they automatically become active on their
designated unit after the preempt delay has passed. ASDM will automatically reconnect to the failover group
1 IP address on the primary unit.

Upgrade an ASA Cluster


Use the CLI or ASDM to upgrade the ASA Cluster for a zero downtime upgrade.

Upgrade an ASA Cluster Using the CLI


To upgrade all units in an ASA cluster, perform the following steps. This procedure uses FTP. For TFTP,
HTTP, or other server types, see the copy command in the ASA command reference.

Before you begin


• Perform these steps on the master unit. If you are also upgrading the ASA FirePOWER module, then
you need console or ASDM access on each slave unit. You can configure the ASA prompt to show the
cluster unit and state (master or slave), which is useful to determine which unit you are connected to.
See the prompt command. Alternatively, enter the show cluster info command to view each unit's role.
• You must use the console port; you cannot enable or disable clustering from a remote CLI connection.
• Perform these steps in the system execution space for multiple context mode.

Procedure

Step 1 On the master unit in privileged EXEC mode, copy the ASA software to all units in the cluster.
cluster exec copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name
Example:

asa/unit1/master# cluster exec copy /noconfirm ftp://jcrichton:[email protected]/asa991-smp-k8.bin disk0:/asa991-smp-k8.bin

Step 2 Copy the ASDM image to all units in the cluster:


cluster exec copy /noconfirm ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name
Example:

asa/unit1/master# cluster exec copy /noconfirm ftp://jcrichton:[email protected]/asdm-771791.bin disk0:/asdm-771791.bin

Step 3 If you are not already in global configuration mode, access it now.
configure terminal
Example:

asa/unit1/master# configure terminal
asa/unit1/master(config)#

Step 4 Show the current boot images configured (up to 4).


show running-config boot system
Example:

asa/unit1/master(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so
on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must
remove any existing entries, and enter the image URLs in the order desired, according to the next steps.

Step 5 Remove any existing boot image configurations so that you can enter the new boot image as your first choice:
no boot system diskn:/[path/]asa_image_name
Example:

asa/unit1/master(config)# no boot system disk0:/cdisk.bin
asa/unit1/master(config)# no boot system disk0:/asa931-smp-k8.bin

Step 6 Set the ASA image to boot (the one you just uploaded):
boot system diskn:/[path/]asa_image_name
Example:

asa/unit1/master(config)# boot system disk0:/asa991-smp-k8.bin

Repeat this command for any backup images that you want to use in case this image is unavailable. For
example, you can re-enter the images that you previously removed.

Step 7 Set the ASDM image to use (the one you just uploaded):
asdm image diskn:/[path/]asdm_image_name
Example:

asa/unit1/master(config)# asdm image disk0:/asdm-771791.bin

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 8 Save the new settings to the startup configuration:


write memory
These configuration changes are automatically saved on the slave units.

Step 9 If you are upgrading ASA FirePOWER modules, disable the ASA REST API or else the ASA FirePOWER
module upgrade will fail.
no rest-api agent

Step 10 If you are upgrading ASA FirePOWER modules that are managed by ASDM, you will need to connect ASDM
to the individual management IP addresses, so you need to note the IP addresses for each unit.
show running-config interface management_interface_id
Note the cluster-pool poolname used.
show ip[v6] local pool poolname
Note the cluster unit IP addresses.

Example:

asa/unit2/slave# show running-config interface gigabitethernet0/0
!
interface GigabitEthernet0/0
 management-only
 nameif inside
 security-level 100
 ip address 10.86.118.1 255.255.252.0 cluster-pool inside-pool
asa/unit2/slave# show ip local pool inside-pool
Begin           End             Mask            Free     Held     In use
10.86.118.16    10.86.118.17    255.255.252.0      0        0          2

Cluster Unit            IP Address Allocated
unit2                   10.86.118.16
unit1                   10.86.118.17
asa1/unit2/slave#

Step 11 Upgrade the slave units.


Choose the procedure below depending on whether you are also upgrading ASA FirePOWER modules. The
ASA FirePOWER procedures minimize the number of ASA reloads when also upgrading the ASA FirePOWER
module. You can choose to use the slave Console or ASDM for these procedures. You may want to use ASDM
instead of the Console if you do not have ready access to all of the console ports but can reach ASDM over
the network.
Note During the upgrade process, never use the cluster master unit command to force a slave unit to
become master; you can cause network connectivity and cluster stability-related problems. You
must upgrade and reload all slave units first, and then continue with this procedure to ensure a
smooth transition from the current master unit to a new master unit.

If you do not have ASA FirePOWER module upgrades:


a) On the master unit, to view member names, enter cluster exec unit ?, or enter the show cluster info
command.
b) Reload a slave unit.
cluster exec unit slave-unit reload noconfirm
Example:

asa/unit1/master# cluster exec unit unit2 reload noconfirm

c) Repeat for each slave unit.


To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the
cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit
rejoins the cluster, enter show cluster info.

If you also have ASA FirePOWER module upgrades (using the slave Console):
a) Connect to the console port of a slave unit, and enter global configuration mode.
enable
configure terminal

Example:

asa/unit2/slave> enable
Password:
asa/unit2/slave# configure terminal
asa/unit2/slave(config)#

b) Disable clustering.
cluster group name
no enable
Do not save this configuration; you want clustering to be enabled when you reload. You need to disable
clustering to avoid multiple failures and rejoins during the upgrade process; this unit should only rejoin
after all of the upgrading and reloading is complete.
Example:

asa/unit2/slave(config)# cluster group cluster1
asa/unit2/slave(cfg-cluster)# no enable
Cluster disable is performing cleanup..done.
All data interfaces have been shutdown due to clustering being disabled. To recover
either enable clustering or remove cluster group configuration.

Cluster unit unit2 transitioned from SLAVE to DISABLED
asa/unit2/ClusterDisabled(cfg-cluster)#

c) Upgrade the ASA FirePOWER module on this slave unit.


For an ASA FirePOWER module managed by ASDM, connect ASDM to the individual management IP
address that you noted earlier. Wait for the upgrade to complete.
d) Reload the slave unit.
reload noconfirm
e) Repeat for each slave unit.
To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the
cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit
rejoins the cluster, enter show cluster info.

If you also have ASA FirePOWER module upgrades (using ASDM):


a) Connect ASDM to the individual management IP address of this slave unit that you noted earlier.
b) Choose Configuration > Device Management > High Availability and Scalability > ASA Cluster >
Cluster Configuration.
c) Uncheck the Participate in ASA cluster check box.
You need to disable clustering to avoid multiple failures and rejoins during the upgrade process; this
unit should only rejoin after all of the upgrading and reloading is complete.
Do not uncheck the Configure ASA cluster settings check box; this action clears all cluster
configuration, and also shuts down all interfaces including the management interface to which ASDM
is connected. To restore connectivity in this case, you need to access the CLI at the console port.

Note Some older versions of ASDM do not support disabling the cluster on this screen; in this case,
use the Tools > Command Line Interface tool, click the Multiple Line radio button, and
enter cluster group name and no enable. You can view the cluster group name in the Home >
Device Dashboard > Device Information > ASA Cluster area.

d) Click Apply.
e) You are prompted to exit ASDM. Reconnect ASDM to the same IP address.
f) Upgrade the ASA FirePOWER module.
Wait for the upgrade to complete.
g) In ASDM, choose Tools > System Reload.
h) Click the Reload without saving the running configuration radio button.
You do not want to save the configuration; when this unit reloads, you want clustering to be enabled
on it.
i) Click Schedule Reload.
j) Click Yes to continue the reload.
k) Repeat for each slave unit.
To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin
the cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a
unit rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane on the master
unit.

Step 12 Upgrade the master unit.


a) Disable clustering.
cluster group name
no enable
Wait for 5 minutes for a new master unit to be selected and traffic to stabilize.
Do not save this configuration; you want clustering to be enabled when you reload.
We recommend manually disabling cluster on the master unit if possible so that a new master unit can be
elected as quickly and cleanly as possible.
Example:

asa/unit1/master(config)# cluster group cluster1
asa/unit1/master(cfg-cluster)# no enable
Cluster disable is performing cleanup..done.
All data interfaces have been shutdown due to clustering being disabled. To recover
either enable clustering or remove cluster group configuration.

Cluster unit unit1 transitioned from MASTER to DISABLED
asa/unit1/ClusterDisabled(cfg-cluster)#

b) Upgrade the ASA FirePOWER module on this unit.


For an ASA FirePOWER module managed by ASDM, connect ASDM to the individual management IP
address that you noted earlier. The main cluster IP address now belongs to the new master unit; this former
master unit is still accessible on its individual management IP address.
Wait for the upgrade to complete.

c) Reload this unit.


reload noconfirm
When the former master unit rejoins the cluster, it will be a slave unit.
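
The ordering rule in Steps 10 through 12 above (note each unit's individual management address, upgrade and reload every slave unit first, then the master) can be derived from the show ip local pool output. The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool; the function names and the plan structure are hypothetical, and the sample input is constructed from the guide's Step 10 example. The master unit name is supplied by the operator, for example from show cluster info.

```python
import ipaddress


def parse_cluster_pool(show_output):
    """Map each cluster unit name to its individual management IP address."""
    units = {}
    in_unit_table = False
    for line in show_output.splitlines():
        fields = line.split()
        if fields[:2] == ["Cluster", "Unit"]:
            in_unit_table = True  # rows after this header are unit/address pairs
            continue
        if not in_unit_table or len(fields) != 2:
            continue  # pool summary rows, blank lines, trailing prompt
        name, address = fields
        try:
            units[name] = str(ipaddress.ip_address(address))  # IPv4 or IPv6
        except ValueError:
            continue  # not a unit/address row
    return units


def rolling_upgrade_plan(show_output, master, cluster_group, firepower=False):
    """Return ordered per-unit steps: every slave unit first, the master last."""
    units = parse_cluster_pool(show_output)
    if master not in units:
        raise ValueError(f"master unit {master!r} not found in pool output")

    disable = [f"cluster group {cluster_group}", "no enable"]  # never saved
    rejoin = "wait for the unit to rejoin the cluster (show cluster info)"
    plan = []
    for name, address in units.items():
        if name == master:
            continue
        module = f"upgrade the ASA FirePOWER module via ASDM at {address}"
        if firepower:
            # Run on the slave console: leave the cluster, upgrade, reload.
            plan.append({"unit": name, "role": "slave", "mgmt_ip": address,
                         "run_on": name, "commands": disable + ["reload noconfirm"],
                         "before_reload": [module], "after": rejoin})
        else:
            # Run on the master: reload the slave remotely.
            plan.append({"unit": name, "role": "slave", "mgmt_ip": address,
                         "run_on": master,
                         "commands": [f"cluster exec unit {name} reload noconfirm"],
                         "before_reload": [], "after": rejoin})

    waits = ["wait 5 minutes for a new master unit to be selected"]
    if firepower:
        waits.append(f"upgrade the ASA FirePOWER module via ASDM at {units[master]}")
    plan.append({"unit": master, "role": "master", "mgmt_ip": units[master],
                 "run_on": master, "commands": disable + ["reload noconfirm"],
                 "before_reload": waits, "after": rejoin})
    return plan


# Constructed sample input, modelled on the guide's Step 10 example output.
SAMPLE_POOL = """\
asa/unit2/slave# show ip local pool inside-pool
Begin End Mask Free Held In use
10.86.118.16 10.86.118.17 255.255.252.0 0 0 2

Cluster Unit IP Address Allocated
unit2 10.86.118.16
unit1 10.86.118.17
asa1/unit2/slave#
"""

if __name__ == "__main__":
    for step in rolling_upgrade_plan(SAMPLE_POOL, "unit1", "cluster1"):
        print(step["unit"], step["role"], step["mgmt_ip"], step["commands"])
```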

Upgrade an ASA Cluster Using ASDM


To upgrade all units in an ASA cluster, perform the following steps.

Before you begin


• Perform these steps on the master unit. If you are also upgrading the ASA FirePOWER module, then
you need ASDM access to each slave unit.
• Perform these steps in the system execution space for multiple context mode.
• Place the ASA and ASDM images on your local management computer.

Procedure

Step 1 Launch ASDM on the master unit by connecting to the main cluster IP address.
This IP address always stays with the master unit.

Step 2 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software from Local Computer dialog box appears.

Step 3 Click the All devices in the cluster radio button.


The Upgrade Software dialog box appears.

Step 4 From the Image to Upload drop-down list, choose ASDM.


Step 5 In the Local File Path field, click Browse Local Files to find the file on your computer.
Step 6 (Optional) In the Flash File System Path field, enter the path to the flash file system or click Browse Flash
to find the directory or file in the flash file system.
By default, this field is prepopulated with the following path: disk0:/filename.

Step 7 Click Upload Image. The uploading process might take a few minutes.
Step 8 You are prompted to set this image as the ASDM image. Click Yes.
Step 9 You are reminded to exit ASDM and save the configuration. Click OK.
You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the
ASA software.

Step 10 Repeat these steps, choosing ASA from the Image to Upload drop-down list.
Step 11 Click the Save icon on the toolbar to save your configuration changes.
These configuration changes are automatically saved on the slave units.

Step 12 Take note of the individual management IP addresses for each unit on Configuration > Device Management
> High Availability and Scalability > ASA Cluster > Cluster Members so that you can connect ASDM
directly to slave units later.
Step 13 If you are upgrading ASA FirePOWER modules, disable the ASA REST API by choosing Tools > Command
Line Interface, and entering no rest-api enable.
If you do not disable the REST API, the ASA FirePOWER module upgrade will fail.

Step 14 Upgrade the slave units.


Choose the procedure below depending on whether you are also upgrading ASA FirePOWER modules. The
ASA FirePOWER procedure minimizes the number of ASA reloads when also upgrading the ASA FirePOWER
module.
Note During the upgrade process, never use the Monitoring > ASA Cluster > Cluster Summary >
Change Master To drop-down list to force a slave unit to become master; you can cause network
connectivity and cluster stability-related problems. You must reload all slave units first, and then
continue with this procedure to ensure a smooth transition from the current master unit to a new
master unit.

If you do not have ASA FirePOWER module upgrades:


a) On the master unit, choose Tools > System Reload.
b) Choose a slave unit name from the Device drop-down list.
c) Click Schedule Reload.
d) Click Yes to continue the reload.
e) Repeat for each slave unit.
To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the
cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit
rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane.

If you also have ASA FirePOWER module upgrades:


a) On the master unit, choose Configuration > Device Management > High Availability and Scalability
> ASA Cluster > Cluster Members.
b) Select the slave unit that you want to upgrade, and click Delete.
c) Click Apply.
d) Exit ASDM, and connect ASDM to the slave unit by connecting to its individual management IP address
that you noted earlier.
e) Upgrade the ASA FirePOWER module.
Wait for the upgrade to complete.
f) In ASDM, choose Tools > System Reload.
g) Click the Reload without saving the running configuration radio button.
You do not want to save the configuration; when this unit reloads, you want clustering to be enabled
on it.
h) Click Schedule Reload.
i) Click Yes to continue the reload.
j) Repeat for each slave unit.
To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin
the cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a
unit rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane.

Step 15 Upgrade the master unit.


a) In ASDM on the master unit, choose Configuration > Device Management > High Availability and
Scalability > ASA Cluster > Cluster Configuration pane.
b) Uncheck the Participate in ASA cluster check box, and click Apply.
You are prompted to exit ASDM.
c) Wait for up to 5 minutes for a new master unit to be selected and traffic to stabilize.
When the former master unit rejoins the cluster, it will be a slave unit.
d) Re-connect ASDM to the former master unit by connecting to its individual management IP address that
you noted earlier.
The main cluster IP address now belongs to the new master unit; this former master unit is still accessible
on its individual management IP address.
e) Upgrade the ASA FirePOWER module.
Wait for the upgrade to complete.
f) Choose Tools > System Reload.
g) Click the Reload without saving the running configuration radio button.
You do not want to save the configuration; when this unit reloads, you want clustering to be enabled on
it.
h) Click Schedule Reload.
i) Click Yes to continue the reload.
You are prompted to exit ASDM. Restart ASDM on the main cluster IP address; you will reconnect to
the new master unit.

Upgrade the ASA on the Firepower 2100


This document describes how to plan and implement an ASA, FXOS, and ASDM upgrade for standalone or
failover deployments.

Upgrade a Standalone Unit


Use the FXOS CLI or Firepower Chassis Manager to upgrade the standalone unit.

Upgrade a Standalone Unit Using the Firepower Chassis Manager


This section describes how to upgrade the ASA bundle for a standalone unit. You will upload the package
from your management computer.

Procedure

Step 1 Connect to the Firepower Chassis Manager.


Step 2 Choose System > Updates.
The Available Updates area shows a list of the packages available on the chassis.
Step 3 Click Upload Image to upload the new package from your management computer.
Step 4 Click Choose File to navigate to and select the package that you want to upload.
Step 5 Click Upload.
The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status. Wait
for the Success dialog box, and click OK. After completing the upload, the integrity of the image is
automatically verified.

Step 6 Click the Upgrade icon to the right of the new package.
Step 7 Click Yes to confirm that you want to proceed with installation.
There is no indicator that the new package is being loaded. You will still see the Firepower Chassis Manager
at the beginning of the upgrade process. When the system reboots, you will be logged out. You must wait for
the system to come back up before you can log in to the Firepower Chassis Manager. The reboot process takes
approximately 20 minutes. After the reboot, you will see the login screen.

Upgrade a Standalone Unit Using the FXOS CLI


This section describes how to upgrade the ASA bundle for a standalone unit. You can use FTP, SCP, SFTP,
or TFTP to copy the package to the Firepower 2100 chassis.

Procedure

Step 1 Connect to the FXOS CLI, either the console port (preferred) or using SSH.
Step 2 Download the package to the chassis.
a) Enter firmware mode.
scope firmware
Example:

firepower-2110# scope firmware


firepower-2110 /firmware#

b) Download the package.


download image url
Specify the URL for the file being imported using one of the following:
• ftp://username@server/[path/]image_name
• scp://username@server/[path/]image_name
• sftp://username@server/[path/]image_name
• tftp://server[:port]/[path/]image_name

Example:

firepower-2110 /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA


Please use the command 'show download-task' or 'show download-task detail' to check
download progress.

c) Monitor the download process.


show download-task
Example:

firepower-2110 /firmware # show download

Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.2.SPA
Tftp 10.88.29.181 0 Downloaded
cisco-asa-fp2k.9.8.2.2.SPA
Tftp 10.88.29.181 0 Downloading
firepower-2110 /firmware #

Step 3 When the new package finishes downloading (Downloaded state), boot the package.
a) View the version number of the new package.
show package
Example:

firepower-2110 /firmware # show package


Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA 9.8.2
cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2
firepower-2110 /firmware #

b) Install the package.


scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The
chassis installs the ASA image and reboots.
Example:

firepower-2110 /firmware # scope auto-install


firepower-2110 /firmware/auto-install # install security-pack version 9.8.2.2

The system is currently installed with security software package 9.8.2, which has:
- The platform version: 2.2.2.52
- The CSP (asa) version: 9.8.2
If you proceed with the upgrade 9.8.2.2, it will do the following:
- upgrade to the CSP asa version 9.8.2.2

Do you want to proceed ? (yes/no): yes

This operation upgrades firmware and software on Security Platform Components


Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,

and the default configuration applied.


Do you want to proceed? (yes/no): yes

Triggered the install of software package version 9.8.2.2


Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-2110 /firmware/auto-install #

Note: Ignore the message, "All existing configuration will be lost, and the default configuration
applied." The configuration will not be erased, and the default configuration is not applied. The
default configuration is only applied during a reimage, not an upgrade.

Step 4 Wait for the chassis to finish rebooting (5-10 minutes).


Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the
following messages:

firepower-2110#
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2.2 ...
Verifying signature for cisco-asa.9.8.2.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''


Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
[…]

Upgrade an Active/Standby Failover Pair


Use the FXOS CLI or Firepower Chassis Manager to upgrade the Active/Standby failover pair for a zero
downtime upgrade.

Upgrade an Active/Standby Failover Pair Using the Firepower Chassis Manager


This section describes how to upgrade the ASA bundle for an Active/Standby failover pair. You will upload
the package from your management computer.

Before you begin


You need to determine which unit is active and which is standby: connect ASDM to the active ASA IP address.
The active unit always owns the active IP address. Then choose Monitoring > Properties > Failover > Status
to view this unit's priority (primary or secondary) so you know which unit you are connected to.

Procedure

Step 1 Upgrade the standby unit.


a) Connect to the Firepower Chassis Manager on the standby unit.
b) Choose System > Updates.
The Available Updates area shows a list of the packages available on the chassis.
c) Click Upload Image to upload the new package from your management computer.
d) Click Choose File to navigate to and select the package that you want to upload.
e) Click Upload.
The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status.
Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image
is automatically verified.
f) Click the Upgrade icon to the right of the new package.
g) Click Yes to confirm that you want to proceed with installation.
There is no indicator that the new package is being loaded. You will still see the Firepower Chassis
Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You
must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The
reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.

Step 2 Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit.
a) Launch ASDM on the standby unit by connecting to the standby ASA IP address.
b) Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status,
and clicking Make Active.
Step 3 Upgrade the former active unit.
a) Connect to the Firepower Chassis Manager on the former active unit.
b) Choose System > Updates.
The Available Updates area shows a list of the packages available on the chassis.
c) Click Upload Image to upload the new package from your management computer.
d) Click Choose File to navigate to and select the package that you want to upload.
e) Click Upload.
The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status.
Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image
is automatically verified.
f) Click the Upgrade icon to the right of the new package.
g) Click Yes to confirm that you want to proceed with installation.
There is no indicator that the new package is being loaded. You will still see the Firepower Chassis
Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You
must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The
reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.

Upgrade an Active/Standby Failover Pair Using the FXOS CLI


This section describes how to upgrade the ASA bundle for an Active/Standby failover pair. You can use FTP,
SCP, SFTP, or TFTP to copy the package to the Firepower 2100 chassis.

Before you begin


You need to determine which unit is active and which is standby. To determine the failover status, look at the
ASA prompt; you can configure the ASA prompt to show the failover status and priority (primary or secondary),
which is useful to determine which unit you are connected to. See the prompt command. However, the FXOS
prompt is not aware of ASA failover. Alternatively, enter the ASA show failover command to view this unit's
status and priority (primary or secondary).

Procedure

Step 1 Upgrade the standby unit.


a) Connect to the FXOS CLI on the standby unit, either the console port (preferred) or using SSH.
b) Enter firmware mode.
scope firmware
Example:

2110-sec# scope firmware


2110-sec /firmware#

c) Download the package.


download image url
Specify the URL for the file being imported using one of the following:
• ftp://username@server/[path/]image_name
• scp://username@server/[path/]image_name
• sftp://username@server/[path/]image_name
• tftp://server[:port]/[path/]image_name

Example:

2110-sec /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA


Please use the command 'show download-task' or 'show download-task detail' to check
download progress.

d) Monitor the download process.


show download-task
Example:

2110-sec /firmware # show download

Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.2.SPA
Tftp 10.88.29.181 0 Downloaded
cisco-asa-fp2k.9.8.2.2.SPA
Tftp 10.88.29.181 0 Downloading
2110-sec /firmware #

e) When the new package finishes downloading (Downloaded state), boot the package. View the version
number of the new package.
show package
Example:

2110-sec /firmware # show package


Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA 9.8.2
cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2
2110-sec /firmware #

f) Install the package.


scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The
chassis installs the ASA image and reboots.
Example:

2110-sec /firmware # scope auto-install


2110-sec /firmware/auto-install # install security-pack version 9.8.2.2

The system is currently installed with security software package 9.8.2, which has:
- The platform version: 2.2.2.52
- The CSP (asa) version: 9.8.2
If you proceed with the upgrade 9.8.2.2, it will do the following:
- upgrade to the CSP asa version 9.8.2.2

Do you want to proceed ? (yes/no): yes

This operation upgrades firmware and software on Security Platform Components


Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,

and the default configuration applied.


Do you want to proceed? (yes/no): yes

Triggered the install of software package version 9.8.2.2

Install started. This will take several minutes.


For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
2110-sec /firmware/auto-install #

Note: Ignore the message, "All existing configuration will be lost, and the default configuration
applied." The configuration will not be erased, and the default configuration is not applied. The
default configuration is only applied during a reimage, not an upgrade.

g) Wait for the chassis to finish rebooting (5-10 minutes).


Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the
following messages:

2110-sec#
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2.2 ...
Verifying signature for cisco-asa.9.8.2.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''


Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
[…]

Step 2 Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit.
a) Connect to the standby ASA CLI from FXOS.
connect asa
enable
The enable password is blank by default.
Example:

2110-sec# connect asa


Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
asa/stby/sec> enable
Password: <blank>
asa/stby/sec#

b) Force the standby unit to become active.


failover active
Example:

asa/stby/sec# failover active


asa/act/sec#

c) To return to the FXOS console, enter Ctrl+a, d.


Step 3 Upgrade the former active unit.
a) Connect to the FXOS CLI on the former active unit, either the console port (preferred) or using SSH.
b) Enter firmware mode.
scope firmware
Example:

2110-pri# scope firmware


2110-pri /firmware#

c) Download the package.


download image url
Specify the URL for the file being imported using one of the following:
• ftp://username@server/[path/]image_name
• scp://username@server/[path/]image_name
• sftp://username@server/[path/]image_name
• tftp://server[:port]/[path/]image_name

Example:

2110-pri /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA


Please use the command 'show download-task' or 'show download-task detail' to check
download progress.

d) Monitor the download process.


show download-task
Example:

2110-pri /firmware # show download

Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.2.SPA
Tftp 10.88.29.181 0 Downloaded
cisco-asa-fp2k.9.8.2.2.SPA
Tftp 10.88.29.181 0 Downloading
2110-pri /firmware #

e) When the new package finishes downloading (Downloaded state), boot the package. View the version
number of the new package.
show package
Example:

2110-pri /firmware # show package


Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA 9.8.2
cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2
2110-pri /firmware #

f) Install the package.


scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The
chassis installs the ASA image and reboots.
Example:

2110-pri /firmware # scope auto-install


2110-pri /firmware/auto-install # install security-pack version 9.8.2.2

The system is currently installed with security software package 9.8.2, which has:
- The platform version: 2.2.2.52
- The CSP (asa) version: 9.8.2
If you proceed with the upgrade 9.8.2.2, it will do the following:
- upgrade to the CSP asa version 9.8.2.2

Do you want to proceed ? (yes/no): yes

This operation upgrades firmware and software on Security Platform Components


Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,

and the default configuration applied.


Do you want to proceed? (yes/no): yes

Triggered the install of software package version 9.8.2.2


Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
2110-pri /firmware/auto-install #

Note: Ignore the message, "All existing configuration will be lost, and the default configuration
applied." The configuration will not be erased, and the default configuration is not applied. The
default configuration is only applied during a reimage, not an upgrade.

g) Wait for the chassis to finish rebooting (5-10 minutes).


Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the
following messages:

2110-pri#
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2.2 ...
Verifying signature for cisco-asa.9.8.2.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''


Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
[…]

Upgrade an Active/Active Failover Pair


Use the FXOS CLI or Firepower Chassis Manager to upgrade the Active/Active failover pair for a zero
downtime upgrade.

Upgrade an Active/Active Failover Pair Using the Firepower Chassis Manager


This section describes how to upgrade the ASA bundle for an Active/Active failover pair. You will upload
the package from your management computer.

Procedure

Step 1 Make both failover groups active on the primary unit.


a) Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the
management address in failover group 1.
b) Choose Monitoring > Failover > Failover Group 2, and click Make Active.
c) Stay connected to ASDM on this unit for later steps.
Step 2 Upgrade the secondary unit.
a) Connect to the Firepower Chassis Manager on the secondary unit.
b) Choose System > Updates.
The Available Updates area shows a list of the packages available on the chassis.
c) Click Upload Image to upload the new package from your management computer.
d) Click Choose File to navigate to and select the package that you want to upload.
e) Click Upload.
The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status.
Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image
is automatically verified.
f) Click the Upgrade icon to the right of the new package.
g) Click Yes to confirm that you want to proceed with installation.
There is no indicator that the new package is being loaded. You will still see the Firepower Chassis
Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You
must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The
reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.

Step 3 Make both failover groups active on the secondary unit. In ASDM on the primary unit, choose Monitoring
> Failover > Failover Group 1, and click Make Standby.
ASDM will automatically reconnect to the failover group 1 IP address on the secondary unit.

Step 4 Upgrade the primary unit.


a) Connect to the Firepower Chassis Manager on the primary unit.
b) Choose System > Updates.
The Available Updates area shows a list of the packages available on the chassis.
c) Click Upload Image to upload the new package from your management computer.
d) Click Choose File to navigate to and select the package that you want to upload.
e) Click Upload.
The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status.
Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image
is automatically verified.
f) Click the Upgrade icon to the right of the new package.
g) Click Yes to confirm that you want to proceed with installation.
There is no indicator that the new package is being loaded. You will still see the Firepower Chassis
Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You
must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The
reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.

Step 5 If the failover groups are configured with Preempt Enabled, they automatically become active on their
designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt
Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover
> Failover Group # pane.

Upgrade an Active/Active Failover Pair Using the FXOS CLI


This section describes how to upgrade the ASA bundle for an Active/Active failover pair. You can use FTP,
SCP, SFTP, or TFTP to copy the package to the Firepower 2100 chassis.

Procedure

Step 1 Connect to the FXOS CLI on the secondary unit, either the console port (preferred) or using SSH.
Step 2 Make both failover groups active on the primary unit.
a) Connect to the ASA CLI from FXOS.
connect asa
enable
The enable password is blank by default.
Example:

2110-sec# connect asa


Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
asa/act/sec> enable
Password: <blank>
asa/act/sec#

b) Make both failover groups active on the primary unit.


no failover active group 1
no failover active group 2
Example:

asa/act/sec# no failover active group 1


asa/act/sec# no failover active group 2

c) Enter Ctrl+a, d to return to the FXOS console.


Step 3 Upgrade the secondary unit.
a) In FXOS, enter firmware mode.
scope firmware
Example:

2110-sec# scope firmware


2110-sec /firmware#

b) Download the package.


download image url
Specify the URL for the file being imported using one of the following:
• ftp://username@server/[path/]image_name
• scp://username@server/[path/]image_name
• sftp://username@server/[path/]image_name
• tftp://server[:port]/[path/]image_name

Example:

2110-sec /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA


Please use the command 'show download-task' or 'show download-task detail' to check
download progress.

c) Monitor the download process.


show download-task
Example:

2110-sec /firmware # show download

Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.2.SPA
Tftp 10.88.29.181 0 Downloaded
cisco-asa-fp2k.9.8.2.2.SPA
Tftp 10.88.29.181 0 Downloading
2110-sec /firmware #

d) When the new package finishes downloading (Downloaded state), boot the package. View the version
number of the new package.
show package
Example:

2110-sec /firmware # show package


Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA 9.8.2
cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2
2110-sec /firmware #

e) Install the package.


scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The
chassis installs the ASA image and reboots.
Example:

2110-sec /firmware # scope auto-install


2110-sec /firmware/auto-install # install security-pack version 9.8.2.2

The system is currently installed with security software package 9.8.2, which has:
- The platform version: 2.2.2.52
- The CSP (asa) version: 9.8.2
If you proceed with the upgrade 9.8.2.2, it will do the following:
- upgrade to the CSP asa version 9.8.2.2

Do you want to proceed ? (yes/no): yes

This operation upgrades firmware and software on Security Platform Components


Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,

and the default configuration applied.


Do you want to proceed? (yes/no): yes

Triggered the install of software package version 9.8.2.2


Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
2110-sec /firmware/auto-install #

Note: Ignore the message, "All existing configuration will be lost, and the default configuration
applied." The configuration will not be erased, and the default configuration is not applied. The
default configuration is only applied during a reimage, not an upgrade.

f) Wait for the chassis to finish rebooting (5-10 minutes).


Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the
following messages:

2110-sec#
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2.2 ...
Verifying signature for cisco-asa.9.8.2.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''


Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
[…]

Step 4 Make both failover groups active on the secondary unit.


a) Connect to the ASA CLI from FXOS.
connect asa
enable
The enable password is blank by default.
Example:

2110-sec# connect asa


Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
asa/stby/sec> enable
Password: <blank>
asa/stby/sec#

b) Make both failover groups active on the secondary unit.


failover active group 1
failover active group 2
Example:

asa/stby/sec# failover active group 1


asa/act/sec# failover active group 2

c) Enter Ctrl+a, d to return to the FXOS console.


Step 5 Upgrade the primary unit.
a) Connect to the FXOS CLI on the primary unit, either the console port (preferred) or using SSH.
b) Enter firmware mode.
scope firmware
Example:

2110-pri# scope firmware


2110-pri /firmware#

c) Download the package.


download image url
Specify the URL for the file being imported using one of the following:
• ftp://username@server/[path/]image_name
• scp://username@server/[path/]image_name
• sftp://username@server/[path/]image_name
• tftp://server[:port]/[path/]image_name

Example:

2110-pri /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA


Please use the command 'show download-task' or 'show download-task detail' to check
download progress.

d) Monitor the download process.


show download-task
Example:

2110-pri /firmware # show download

Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.2.SPA
Tftp 10.88.29.181 0 Downloaded
cisco-asa-fp2k.9.8.2.2.SPA
Tftp 10.88.29.181 0 Downloading
2110-pri /firmware #

e) When the new package finishes downloading (Downloaded state), boot the package. View the version
number of the new package.
show package
Example:

2110-pri /firmware # show package


Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA 9.8.2
cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2
2110-pri /firmware #

f) Install the package.


scope auto-install
install security-pack version version
In the show package output, copy the Package-Vers value for the security-pack version number. The
chassis installs the ASA image and reboots.
Example:

2110-pri /firmware # scope auto-install


2110-pri /firmware/auto-install # install security-pack version 9.8.2.2

The system is currently installed with security software package 9.8.2, which has:
- The platform version: 2.2.2.52
- The CSP (asa) version: 9.8.2
If you proceed with the upgrade 9.8.2.2, it will do the following:
- upgrade to the CSP asa version 9.8.2.2

Do you want to proceed ? (yes/no): yes

This operation upgrades firmware and software on Security Platform Components

Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Attention:
If you proceed the system will be re-imaged. All existing configuration will be lost,

and the default configuration applied.


Do you want to proceed? (yes/no): yes

Triggered the install of software package version 9.8.2.2


Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
2110-pri /firmware/auto-install #

Note: Ignore the message, "All existing configuration will be lost, and the default configuration
applied." The configuration will not be erased, and the default configuration is not applied. The
default configuration is only applied during a reimage, not an upgrade.

g) Wait for the chassis to finish rebooting (5-10 minutes).


Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the
following messages:

2110-pri#
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2.2 ...
Verifying signature for cisco-asa.9.8.2.2 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''


Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
[…]

Step 6 If the failover groups are configured with the ASA preempt command, they automatically become active on
their designated unit after the preempt delay has passed. If the failover groups are not configured with the
preempt command, you can return them to active status on their designated units by connecting to the ASA
CLI and using the failover active group command.
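
The FXOS CLI procedures above (standalone, Active/Standby, and Active/Active) all wait on the same two conditions: the package must reach the Downloaded state before you install it, and the console must show a successful signature verification and ASA start before you fail traffic over to the upgraded unit. The Python code below is an added example, not part of Cisco's guide or tooling; it checks both conditions against captured CLI text, the sample text is copied from the examples above, and the function names are assumptions.

```python
import re

# Output copied from the examples in this guide (whitespace as extracted).
SHOW_DOWNLOAD = """\
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp2k.9.8.2.SPA
Tftp 10.88.29.181 0 Downloaded
cisco-asa-fp2k.9.8.2.2.SPA
Tftp 10.88.29.181 0 Downloading
"""

SHOW_PACKAGE = """\
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp2k.9.8.2.SPA 9.8.2
cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2
"""

CONSOLE = """\
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Verifying signature for cisco-asa.9.8.2.2 ...
Verifying signature for cisco-asa.9.8.2.2 ... success
Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG=''
Cisco ASA starting ...
Registering to process manager ...
Cisco ASA started successfully.
"""

PROTOCOLS = {"ftp", "scp", "sftp", "tftp"}


def parse_download_tasks(text):
    """Map file name -> state from 'show download-task' output.

    Each task is wrapped: the file name sits on its own line and the other
    columns follow on the next. Userid may be empty, so only the first
    column (protocol) and the last column (state) are relied on.
    """
    tasks, pending = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].endswith(".SPA"):
            if len(tokens) == 1:
                pending = tokens[0]            # wrapped row: columns follow
            elif tokens[1].lower() in PROTOCOLS:
                tasks[tokens[0]] = tokens[-1]  # row printed on one line
        elif pending and tokens[0].lower() in PROTOCOLS:
            tasks[pending] = tokens[-1]
            pending = None
    return tasks


def parse_packages(text):
    """Map package file name -> Package-Vers from 'show package' output."""
    packages = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\S+\.SPA)\s+(\d+(?:\.\d+)+)\s*", line)
        if m:
            packages[m.group(1)] = m.group(2)
    return packages


def install_command(download_text, package_text, filename):
    """Return the install command only for a fully downloaded package."""
    state = parse_download_tasks(download_text).get(filename)
    if state != "Downloaded":
        raise RuntimeError(f"{filename}: state is {state!r}, not 'Downloaded'")
    version = parse_packages(package_text).get(filename)
    if version is None:
        raise RuntimeError(f"{filename}: not listed by 'show package'")
    return f"install security-pack version {version}"


def asa_ready(console_text, version):
    """True once the console shows a verified signature and a started ASA."""
    verified = re.search(
        rf"^Verifying signature for cisco-asa\.{re.escape(version)} \.\.\. success\s*$",
        console_text, re.M)
    started = re.search(r"^Cisco ASA started successfully\.\s*$", console_text, re.M)
    return bool(verified and started)


if __name__ == "__main__":
    print(parse_download_tasks(SHOW_DOWNLOAD))
    print(install_command(SHOW_DOWNLOAD, SHOW_PACKAGE, "cisco-asa-fp2k.9.8.2.SPA"))
    print("safe to fail over:", asa_ready(CONSOLE, "9.8.2.2"))
```

In the sample output the 9.8.2.2 package is still in the Downloading state, so `install_command` refuses it until `show download-task` reports Downloaded.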

CHAPTER 3
Upgrade the ASA FirePOWER Module
This document describes how to upgrade the ASA FirePOWER module using ASDM or the Firepower
Management Center, depending on your management choice. Refer to Upgrade the ASA Appliance or ASAv
to determine when you should perform the FirePOWER upgrade in a standalone, failover, or
clustering scenario.
• ASA FirePOWER Upgrade Behavior
• Upgrade an ASA FirePOWER Module Managed by ASDM
• Upgrade the Firepower Management Center
• Upgrade an ASA FirePOWER Module Managed by FMC

ASA FirePOWER Upgrade Behavior


Your ASA service policies for redirecting traffic to the ASA FirePOWER module determine how the module
handles traffic during the Firepower software upgrade, including when you deploy certain configurations that
restart the Snort process.

Traffic Redirection Policy                                  Traffic Behavior
--------------------------------------------------------    ---------------------------------------------
Fail open (sfr fail-open)                                   Passed without inspection
Fail closed (sfr fail-close)                                Dropped
Monitor only (sfr {fail-close}|{fail-open} monitor-only)    Egress packet immediately, copy not inspected

Traffic Behavior During Deployment


Traffic behavior while the Snort process restarts is the same as when you upgrade the ASA FirePOWER
module. You deploy configurations multiple times during the upgrade process. The Snort process typically
restarts during the first deployment immediately after the upgrade. It does not restart during other deployments
unless, before deploying, you modify specific policy or device configurations.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, restarting the Snort process interrupts traffic inspection. Your service policies determine whether
traffic drops or passes without inspection during the interruption.
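
To see before the upgrade which redirected traffic will be dropped and which will pass uninspected, you can map each sfr redirection in a saved ASA configuration to the behavior in the table above. The Python code below is an added example, not part of Cisco's guide; the configuration excerpt is constructed, and its policy-map and class names are hypothetical.

```python
import re

# Traffic behavior during a module upgrade or Snort restart (table above).
BEHAVIOR = {
    "fail-open": "Passed without inspection",
    "fail-close": "Dropped",
    "monitor-only": "Egress packet immediately, copy not inspected",
}

# Constructed running-config excerpt; policy and class names are hypothetical.
SAMPLE_CONFIG = """\
class-map sfr_inline
 match any
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class sfr_inline
  sfr fail-open
 class sfr_strict
  sfr fail-close
policy-map dmz_policy
 class sfr_tap
  sfr fail-close monitor-only
"""

SFR_LINE = re.compile(r"sfr (fail-open|fail-close)( monitor-only)?")


def sfr_redirections(config):
    """Return (policy-map, class, sfr mode, behavior) for every sfr redirect."""
    found, policy, cls = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            # Top-level command: either opens a policy-map or ends the block.
            policy = line.split()[-1] if line.startswith("policy-map ") else None
            cls = None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls:
            m = SFR_LINE.fullmatch(line)
            if m:
                # monitor-only overrides fail-open/fail-close in the table.
                mode = "monitor-only" if m.group(2) else m.group(1)
                found.append((policy, cls, line[4:], BEHAVIOR[mode]))
    return found


def upgrade_impact(config):
    """Group 'policy/class' names by what happens to their traffic."""
    impact = {behavior: [] for behavior in BEHAVIOR.values()}
    for policy, cls, _mode, behavior in sfr_redirections(config):
        impact[behavior].append(f"{policy}/{cls}")
    return impact


if __name__ == "__main__":
    for behavior, classes in upgrade_impact(SAMPLE_CONFIG).items():
        print(f"{behavior}: {', '.join(classes) or 'none'}")
```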

Upgrade an ASA FirePOWER Module Managed by ASDM


Use the following procedure to upgrade ASA FirePOWER modules managed by ASDM.

Caution Do not make configuration changes, manually reboot, or shut down an upgrading module. Do not restart an
upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you
encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Procedure

Step 1 Make sure you are running a supported version of ASA.


There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade
is not strictly required, resolving issues may require an upgrade to the latest supported version.
See the ASA upgrade procedures for standalone, failover, and clustering scenarios for when to upgrade the
ASA FirePOWER module in the sequence. Even if you are not upgrading the ASA software, you should still
refer to the ASA failover and clustering upgrade procedures so you can perform a failover or disable clustering
on a unit before the module upgrade to avoid traffic loss. For example, in a cluster, you should upgrade each
secondary unit serially (which involves disabling clustering, upgrading the module, then reenabling clustering),
and then upgrade the primary unit.

Step 2 Download the upgrade package from Cisco.com.


For major versions:
• Upgrading to Version 6.0 through 6.2.2 — Cisco_Network_Sensor_Upgrade-[version]-[build].sh
• Upgrading to Version 6.2.3+ — Cisco_Network_Sensor_Upgrade-[version]-[build].sh.REL.tar

For patches:
• Upgrading to 5.4.1.x through 6.2.1.x — Cisco_Network_Sensor_Patch-[version]-[build].sh
• Upgrading to Version 6.2.2.1+ — Cisco_Network_Sensor_Patch-[version]-[build].sh.REL.tar

Download directly from the Cisco Support & Download site. If you transfer a package by email, it may become
corrupted. Note that upgrade packages from Version 6.2.2+ are signed, and terminate in .sh.REL.tar instead
of just .sh. Do not untar signed upgrade packages.

Step 3 Connect to the ASA with ASDM and upload the upgrade package.
a) Choose Configuration > ASA FirePOWER Configuration > Updates.
b) Click Upload Update.
c) Click Choose File to navigate to and choose the update.
d) Click Upload.
Step 4 Deploy pending configuration changes. Otherwise, the upgrade may fail.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending
on how your device handles traffic, may interrupt traffic until the restart completes. For more information,
see ASA FirePOWER Upgrade Behavior, on page 89.

Step 5 (Upgrading to Version 6.1+) Disable the ASA REST API.


If you do not disable the REST API, the upgrade will fail. Note that ASA 5506-X series devices do not support
the ASA REST API if you are also running Version 6.0+ of the ASA FirePOWER module.
Use the CLI on the ASA to disable the REST API:
no rest-api agent
You can reenable it after the upgrade:
rest-api agent

Step 6 Choose Monitoring > ASA FirePOWER Monitoring > Task Status to make sure essential tasks are complete.
Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can
manually delete failed status messages later.

Step 7 Choose Configuration > ASA FirePOWER Configuration > Updates.


Step 8 Click the Install icon next to the upgrade package you uploaded, then confirm that you want to upgrade and
reboot the module.
Traffic either drops throughout the upgrade or traverses the network without inspection, depending on how
the module is configured. For more information, see ASA FirePOWER Upgrade Behavior, on page 89.

Step 9 Monitor upgrade progress on the Task Status page.


Do not make configuration changes to the module while it is upgrading. Even if the upgrade status shows no
progress for several minutes or indicates that the upgrade has failed, do not restart the upgrade or reboot the
module. Instead, contact Cisco TAC.

Step 10 After the upgrade finishes, reconnect ASDM to the ASA.


Step 11 Choose Configuration > ASA FirePOWER Configuration and click Refresh. Otherwise, the interface may
exhibit unexpected behavior.
Step 12 Choose Configuration > ASA FirePOWER Configuration > System Information and confirm that the
module has the correct software version.
Step 13 If the intrusion rule update or the vulnerability database (VDB) available on the Support site is newer than
the version currently running, install the newer version.
Step 14 Complete any post-upgrade configuration changes described in the release notes.
Step 15 Redeploy configurations.
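
The naming rules in Step 2 can be checked before you upload a package. The following Python sketch is an added example, not part of the Cisco guide: it classifies a package file name, flags a package that should be signed but arrives as a bare .sh (for example because someone untarred it), and compares the file's SHA-512 digest with a value you supply. The build number 999 in the sample names is constructed, and the expected digest is an assumption: a value you obtained together with the download.

```python
import hashlib
import hmac
import re
from typing import List, NamedTuple, Optional

NAME_RE = re.compile(
    r"Cisco_Network_Sensor_(Upgrade|Patch)-(\d+(?:\.\d+)+)-(\d+)(\.sh(?:\.REL\.tar)?)"
)
# First target version whose package is signed (.sh.REL.tar), per Step 2.
FIRST_SIGNED = {"Upgrade": (6, 2, 3), "Patch": (6, 2, 2, 1)}
# Oldest target version that Step 2 lists for each package kind.
OLDEST_LISTED = {"Upgrade": (6, 0), "Patch": (5, 4, 1)}


class PackageCheck(NamedTuple):
    kind: Optional[str]       # "Upgrade" (major version) or "Patch"
    version: Optional[str]
    build: Optional[str]
    signed: Optional[bool]    # True when the name ends in .sh.REL.tar
    problems: List[str]


def check_package_name(filename):
    """Classify an ASA FirePOWER upgrade package by the naming rules in Step 2."""
    m = NAME_RE.fullmatch(filename)
    if not m:
        return PackageCheck(None, None, None, None,
                            ["name does not follow the Step 2 patterns "
                             "(renamed, repacked, or truncated in transfer?)"])
    kind, version, build, suffix = m.groups()
    target = tuple(int(part) for part in version.split("."))
    signed = suffix == ".sh.REL.tar"
    problems = []
    if target < OLDEST_LISTED[kind]:
        problems.append(f"{kind} packages for {version} are older than Step 2 covers")
    elif target >= FIRST_SIGNED[kind] and not signed:
        problems.append("this version ships signed as .sh.REL.tar; a bare .sh "
                        "suggests the archive was untarred")
    elif target < FIRST_SIGNED[kind] and signed:
        problems.append("this version ships as a plain .sh, not .sh.REL.tar")
    return PackageCheck(kind, version, build, signed, problems)


def sha512_matches(path, expected_hex):
    """Compare a file's SHA-512 with an operator-supplied digest (assumption)."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed file names; 999 is a placeholder build number.
    for name in ("Cisco_Network_Sensor_Upgrade-6.2.3-999.sh.REL.tar",
                 "Cisco_Network_Sensor_Upgrade-6.2.3-999.sh",
                 "Cisco_Network_Sensor_Patch-6.2.1.4-999.sh",
                 "Cisco_Network_Sensor_Patch-6.2.2.1-999.sh.REL.tar.gz"):
        result = check_package_name(name)
        print(name, "->", "OK" if not result.problems else result.problems)
```
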

Upgrade the Firepower Management Center


If you manage the ASA FirePOWER module using the Firepower Management Center, then you need to
upgrade the Management Center before you upgrade the module.

Upgrade a Standalone FMC


Use this procedure to upgrade a standalone Firepower Management Center, including Firepower Management
Center Virtual.

Caution Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an
upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you
encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin


Check your place in the upgrade path, including hosting environment and managed device upgrades. Make
sure you have fully planned and prepared for this step.

Procedure

Step 1 Deploy to managed devices whose configurations are out of date.


On the FMC menu bar, click Deploy. Choose devices, then click Deploy again. If you do not deploy to an
out-of-date device now, its eventual upgrade may fail and you may have to reimage it.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending
on how your device handles traffic, may interrupt traffic until the restart completes.

Step 2 Perform final preupgrade checks.


• Check health: Use the Message Center (click the System Status icon on the menu bar). Make sure the
appliances in your deployment are successfully communicating and that there are no issues reported by
the health monitor.
• Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when
the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can manually delete
failed status messages later.
• Check disk space: Perform a final disk space check. Without enough free disk space, the upgrade fails.

Step 3 Choose System > Updates.


Step 4 Click the Install icon next to the upgrade package you want to use, then choose the FMC.
Step 5 Click Install to begin the upgrade.
Confirm that you want to upgrade and reboot the FMC.

Step 6 Monitor precheck progress in the Message Center until you are logged out.
Do not make configuration changes or deploy to any device while the FMC is upgrading. Even if the Message
Center shows no progress for several minutes or indicates that the upgrade has failed, do not restart the upgrade
or reboot the FMC. Instead, contact Cisco TAC.

Step 7 Log back into the FMC when you can.


• Minor upgrades (patches and hotfixes): You can log in after the upgrade completes and the FMC reboots.

• Major upgrades: You can log in before the upgrade completes. The FMC displays a page you can use to
monitor the upgrade's progress and view the upgrade log and any error messages. You are logged out
again when the upgrade completes and the FMC reboots. After the reboot, log back in again.

Step 8 If prompted, review and accept the End User License Agreement (EULA).
Step 9 Verify upgrade success.
If the FMC does not notify you of the upgrade's success when you log in, choose Help > About to display
current software version information.

Step 10 Use the Message Center to recheck deployment health.


Step 11 Update intrusion rules (SRU) and the vulnerability database (VDB).
If the SRU or the VDB available on the Cisco Support & Downloads site is newer than the version currently
running, install the newer version. For more information, see the Firepower Management Center Configuration
Guide. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will
do that later.

Step 12 Complete any post-upgrade configuration changes described in the release notes.
Step 13 Redeploy configurations.
Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may
have to reimage it.

Upgrade High Availability FMCs


Use this procedure to upgrade the Firepower software on Firepower Management Centers in a high availability
pair.
You upgrade peers one at a time. With synchronization paused, first upgrade the standby, then the active.
When the standby FMC starts prechecks, its status switches from standby to active, so that both peers are
active. This temporary state is called split-brain and is not supported except during upgrade. Do not make or
deploy configuration changes while the pair is split-brain. Your changes will be lost after you upgrade the
FMCs and restart synchronization.

Caution Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an
upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you
encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin


Check your place in the upgrade path, including managed device upgrades. Make sure you have fully planned
and prepared for this step.

Procedure

Step 1 On the active FMC, deploy to managed devices whose configurations are out of date.

On the FMC menu bar, click Deploy. Choose devices, then click Deploy again. If you do not deploy to an
out-of-date device now, its eventual upgrade may fail and you may have to reimage it.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending
on how your device handles traffic, may interrupt traffic until the restart completes.

Step 2 Use the Message Center to check deployment health before you pause synchronization.
Click the System Status icon on the FMC menu bar to display the Message Center. Make sure the appliances
in your deployment are successfully communicating and that there are no issues reported by the health monitor.

Step 3 Pause synchronization.


a) Choose System > Integration.
b) On the High Availability tab, click Pause Synchronization.
Step 4 Upgrade the FMCs one at a time—first the standby, then the active.
Follow the instructions in Upgrade a Standalone FMC, on page 92, but omit the initial deploy, and stop after
you verify update success on each FMC. In summary, for each FMC:
a) Perform final preupgrade checks (health, running tasks, disk space).
b) On the System > Updates page, install the upgrade.
c) Monitor progress until you are logged out, then log back in when you can (this happens twice for major
upgrades).
d) Verify upgrade success.
Do not make or deploy configuration changes while the pair is split-brain.

Step 5 On the FMC you want to make the active peer, restart synchronization.
a) Choose System > Integration.
b) On the High Availability tab, click Make-Me-Active.
c) Wait until synchronization restarts and the other FMC switches to standby mode.
Step 6 Use the Message Center to recheck deployment health.
Step 7 Update intrusion rules (SRU) and the vulnerability database (VDB).
If the SRU or the VDB available on the Cisco Support & Downloads site is newer than the version currently
running, install the newer version. For more information, see the Firepower Management Center Configuration
Guide. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will
do that later.

Step 8 Complete any post-upgrade configuration changes described in the release notes.
Step 9 Redeploy configurations.
Redeploy to all managed devices. If you do not deploy to a device, its eventual upgrade may fail and you may
have to reimage it.

Upgrade an ASA FirePOWER Module Managed by FMC


Use this procedure to upgrade an ASA FirePOWER module managed by an FMC. When you upgrade the
module depends on whether you are upgrading ASA, and on your ASA deployment.

• Upgrading standalone ASA devices: If you are also upgrading ASA, use the FMC to upgrade the ASA
FirePOWER module just after you upgrade ASA and reload.
• Upgrading ASA clusters and failover pairs: To avoid interruptions in traffic flow and inspection, fully
upgrade these devices one at a time. If you are also upgrading ASA, use the FMC to upgrade the ASA
FirePOWER module just before you reload each unit to upgrade ASA.

For more information, see ASA FirePOWER Upgrade Path: with FMC, on page 24 and the ASA upgrade
procedures.

Caution Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an
upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you
encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Before you begin


Check your place in the upgrade path, including ASA and FMC upgrades. Make sure you have fully planned
and prepared for this step.

Procedure

Step 1 Deploy configurations to the devices you are about to upgrade.


On the FMC menu bar, click Deploy. Choose devices, then click Deploy again. If you do not deploy to an
out-of-date device now, its eventual upgrade may fail and you may have to reimage it.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, deploying some configurations restarts Snort, which interrupts traffic inspection and, depending
on how your device handles traffic, may interrupt traffic until the restart completes. For more information,
see ASA FirePOWER Upgrade Behavior, on page 89.

Step 2 (Upgrading to Version 6.1+) Disable the ASA REST API.


If you do not disable the REST API, the upgrade will fail. Note that ASA 5506-X series devices do not support
the ASA REST API if you are also running Version 6.0+ of the ASA FirePOWER module.
Use the CLI on the ASA to disable the REST API:
no rest-api agent
You can reenable it after the upgrade:
rest-api agent

Step 3 Perform final preupgrade checks.


• Check health: Use the Message Center (click the System Status icon on the menu bar). Make sure the
appliances in your deployment are successfully communicating and that there are no issues reported by
the health monitor.
• Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when
the upgrade begins are stopped, become failed tasks, and cannot be resumed. You can manually delete
failed status messages later.

• Check disk space: Perform a final disk space check. Without enough free disk space, the upgrade fails.

Step 4 Choose System > Updates.


Step 5 Click the Install icon next to the upgrade package you want to use and choose the devices to upgrade.
If the devices you want to upgrade are not listed, you chose the wrong upgrade package.
Note We strongly recommend upgrading no more than five devices simultaneously. The FMC does not
allow you to stop the upgrade until all selected devices complete the process. If there is an issue with
any one device upgrade, all devices must finish upgrading before you can resolve the issue.

Step 6 Click Install, then confirm that you want to upgrade and reboot the devices.
Traffic either drops throughout the upgrade or traverses the network without inspection depending on how
your devices are configured and deployed. For more information, see ASA FirePOWER Upgrade Behavior,
on page 89.

Step 7 Monitor upgrade progress in the Message Center.


Do not deploy configurations to the device while it is upgrading. Even if the Message Center shows no progress
for several minutes or indicates that the upgrade has failed, do not restart the upgrade or reboot the device.
Instead, contact Cisco TAC.

Step 8 Verify success.


After the upgrade completes, choose Devices > Device Management and confirm that the devices you
upgraded have the correct software version.

Step 9 Use the Message Center to recheck deployment health.


Step 10 Update intrusion rules (SRU) and the vulnerability database (VDB).
If the SRU or the VDB available on the Cisco Support & Downloads site is newer than the version currently
running, install the newer version. For more information, see the Firepower Management Center Configuration
Guide. Note that when you update intrusion rules, you do not need to automatically reapply policies. You will
do that later.

Step 11 Complete any post-upgrade configuration changes described in the release notes.
Step 12 Redeploy configurations to the devices you just upgraded.

CHAPTER 4
Upgrade the Firepower 4100/9300 Chassis Configured with ASA Logical Devices
Use the procedures in this section to upgrade the FXOS platform bundle on Firepower 4100/9300 Series
security appliances and the ASA software on any logical devices installed on those appliances.
• Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster
• Upgrade FXOS and an ASA Active/Standby Failover Pair
• Upgrade FXOS and an ASA Active/Active Failover Pair
• Upgrade FXOS and an ASA Inter-chassis Cluster
• Monitor the Upgrade Progress
• Verify the Installation

Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster

Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and a standalone ASA device or an ASA
intra-chassis cluster on a Firepower 9300.

Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster Using Firepower Chassis Manager

The upgrade process can take up to 45 minutes. Traffic will not traverse through the device while it is upgrading.
Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.

Procedure

Step 1 In Firepower Chassis Manager, choose System > Updates.


The Available Updates area shows a list of the packages available on the chassis.
Step 2 Upload the new FXOS platform bundle image and ASA software image:
Note If you are upgrading to a version earlier than FXOS 2.3.1, do not upload the ASA CSP image to
your security appliance until after you upgrade the FXOS platform bundle software.

a) Click Upload Image.


b) Click Choose File to navigate to and select the image that you want to upload.
c) Click Upload.
The selected image is uploaded to the chassis.
Step 3 After the new FXOS platform bundle image has successfully uploaded, click the Upgrade icon for the FXOS
platform bundle to which you want to upgrade.
The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted
as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can
ignore these warnings.

Step 4 Click Yes to confirm that you want to proceed with installation.
FXOS unpacks the bundle and upgrades/reloads the components.

Step 5 Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using
the FXOS CLI (see Monitor the Upgrade Progress, on page 131).
Step 6 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 7 Choose Logical Devices.
The Logical Devices page opens to show a list of configured logical devices on the chassis.
Step 8 For each ASA logical device that you want to upgrade:
a) Click the Set Version icon for the logical device that you want to update to open the Update Image
Version dialog box.
b) For the New Version, choose the software version to which you want to upgrade.
c) Click OK.
Step 9 After the upgrade process finishes, verify that the applications are online and have upgraded successfully:
a) Choose Logical Devices.
b) Verify the application version and operational status.

Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster Using the FXOS CLI

The upgrade process can take up to 45 minutes. Traffic will not traverse through the device while it is upgrading.
Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.
• Collect the following information that you will need to download software images to the chassis:
• IP address and authentication credentials for the server from which you are copying the images.
• Fully qualified names of the image files.

Procedure

Step 1 Connect to the FXOS CLI.


Step 2 Download the new FXOS platform bundle image to the chassis:
a) Enter firmware mode:
scope firmware
b) Download the FXOS platform bundle software image:
download image URL
Specify the URL for the file being imported using one of the following syntaxes:
• ftp://username@server/path/image_name
• scp://username@server/path/image_name
• sftp://username@server/path/image_name
• tftp://server:port-num/path/image_name

c) To monitor the download process:


scope download-task image_name
show detail

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 3 After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:
a) If necessary, return to firmware mode:
up
b) Make note of the version number for the FXOS platform bundle you are installing:
show package
c) Enter auto-install mode:
scope auto-install
d) Install the FXOS platform bundle:
install platform platform-vers version_number
version_number is the version number of the FXOS platform bundle you are installing--for example,
2.3(1.58).
e) The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
Enter yes to confirm that you want to proceed with verification.
f) Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.
FXOS unpacks the bundle and upgrades/reloads the components.
g) To monitor the upgrade process, see Monitor the Upgrade Progress, on page 131.
Step 4 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 5 Download the new ASA software image to the chassis:
a) Enter Security Services mode:
top
scope ssa
b) Enter Application Software mode:
scope app-software
c) Download the logical device software image:
download image URL
Specify the URL for the file being imported using one of the following syntaxes:
• ftp://username@server/path
• scp://username@server/path

• sftp://username@server/path
• tftp://server:port-num/path

d) To monitor the download process:


show download-task
e) To view the downloaded applications:
up

show app

Make note of the ASA version for the software package you downloaded. You will need to use the exact
version string to enable the application in a later step.

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Step 6 For each ASA logical device that you want to upgrade:
a) Enter Security Services mode:
top
scope ssa
b) Set the scope to the security module you are updating:
scope slot slot_number
c) Set the scope to the ASA application:
For FXOS 2.3.1 and earlier: scope app-instance asa
For FXOS 2.4.1 and later: scope app-instance asa instance_name
d) Set the Startup version to the new ASA software version:
set startup-version version_number

Step 7 Commit the configuration:


commit-buffer
Commits the transaction to the system configuration. The application image is updated and the application
restarts.

Step 8 To verify the status of the security modules/security engine and any installed applications, see Verify the
Installation, on page 132.
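
The following Python sketch is an added example, not part of the Cisco guide. It covers the checks in Steps 2, 5, and 6 of the procedure above: it reads the State field from show detail, parses the show app table by column position so that the empty Author column does not shift the fields, and builds the Step 6 and Step 7 command sequence only if the exact target version string is on the chassis. The slot number and instance name passed in are assumptions, the column padding of the sample output is constructed, and because the guide gives the app-instance syntax only for FXOS 2.3.1 and earlier or 2.4.1 and later, the function refuses any version in between.

```python
import re


def parse_fixed_width(text):
    """Parse FXOS table output whose columns are marked by a ruler of dashes."""
    lines = [l.rstrip() for l in text.splitlines()]
    ruler = next((i for i, l in enumerate(lines)
                  if i > 0 and re.fullmatch(r"\s*-+(?:\s+-+)*", l)), None)
    if ruler is None:
        raise ValueError("no dashed ruler line found")
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    # A column runs from its ruler start to the next start; the last runs to end of line.
    bounds = list(zip(starts, starts[1:] + [None]))
    headers = [lines[ruler - 1][a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            break
        # Slicing by position keeps an empty cell empty instead of shifting later cells.
        rows.append({h: line[a:b].strip() for h, (a, b) in zip(headers, bounds)})
    return rows


def download_state(show_detail_output):
    """Return the State field of 'show detail' for a download task, or None."""
    m = re.search(r"^[ \t]*State:[ \t]*(\S+)", show_detail_output, re.MULTILINE)
    return m.group(1) if m else None


def startup_version_commands(show_app_output, slot, target, fxos_version,
                             instance_name=None):
    """Build the Step 6 and Step 7 commands for one ASA logical device."""
    versions = [r["Version"] for r in parse_fixed_width(show_app_output)
                if r["Name"] == "asa"]
    if target not in versions:
        raise ValueError(f"ASA {target} is not on the chassis; show app lists {versions}")
    fxos = tuple(int(n) for n in re.findall(r"\d+", fxos_version)[:3])
    if fxos <= (2, 3, 1):
        app_scope = "scope app-instance asa"
    elif fxos >= (2, 4, 1):
        if not instance_name:
            raise ValueError("FXOS 2.4.1 and later needs the instance name")
        app_scope = f"scope app-instance asa {instance_name}"
    else:
        raise ValueError("the guide gives no app-instance syntax for this FXOS version")
    return ["top", "scope ssa", f"scope slot {slot}", app_scope,
            f"set startup-version {target}", "commit-buffer"]


# Output reproduced from the examples in this section; column padding is constructed.
SAMPLE_SHOW_DETAIL = """\
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Downloaded Image Size (KB): 853688
    State: Downloading
"""
_ROW = "    {:<10} {:<10} {:<11} {:<10} {:<11} {:<11} {}"
SAMPLE_SHOW_APP = "\n".join([
    "Application:",
    _ROW.format("Name", "Version", "Description", "Author",
                "Deploy Type", "CSP Type", "Is Default App"),
    _ROW.format("-" * 10, "-" * 10, "-" * 11, "-" * 10, "-" * 11, "-" * 11, "-" * 14),
    _ROW.format("asa", "9.4.1.41", "N/A", "", "Native", "Application", "No"),
    _ROW.format("asa", "9.4.1.65", "N/A", "", "Native", "Application", "Yes"),
])

if __name__ == "__main__":
    print("download state:", download_state(SAMPLE_SHOW_DETAIL))
    for cmd in startup_version_commands(SAMPLE_SHOW_APP, 1, "9.4.1.65", "2.3(1.58)"):
        print(cmd)
```
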

Upgrade FXOS and an ASA Active/Standby Failover Pair


Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and an ASA Active/Standby failover
pair.

Upgrade FXOS and an ASA Active/Standby Failover Pair Using Firepower Chassis Manager

The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• You need to determine which unit is active and which is standby: connect ASDM to the active ASA IP
address. The active unit always owns the active IP address. Then choose Monitoring > Properties >
Failover > Status to view this unit's priority (primary or secondary) so you know which unit you are
connected to.
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.

Procedure

Step 1 On the Firepower security appliance that contains the standby ASA logical device, upload the new FXOS
platform bundle image and ASA software image:
Note If you are upgrading to a version earlier than FXOS 2.3.1, do not upload the ASA CSP image to
your security appliance until after you upgrade the FXOS platform bundle software.

a) In Firepower Chassis Manager, choose System > Updates.


The Available Updates area shows a list of the packages available on the chassis.
b) Click Upload Image.
c) Click Choose File to navigate to and select the image that you want to upload.
d) Click Upload.
The selected image is uploaded to the chassis.

Step 2 After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the
Firepower security appliance that contains the standby ASA logical device:
a) Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.
The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
b) Click Yes to confirm that you want to proceed with installation.
FXOS unpacks the bundle and upgrades/reloads the components.

Step 3 Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using
the FXOS CLI (see Monitor the Upgrade Progress, on page 131).
Step 4 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 5 Upgrade the ASA logical device image:
a) Choose Logical Devices to open the Logical Devices page.
The Logical Devices page opens to show a list of configured logical devices on the chassis.
b) Click the Set Version icon for the logical device that you want to update to open the Update Image
Version dialog box.
c) For the New Version, choose the software version to which you want to update.
d) Click OK.
Step 6 After the upgrade process finishes, verify that the applications are online and have upgraded successfully:
a) Choose Logical Devices.
b) Verify the application version and operational status.
Step 7 Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
a) Launch ASDM on the standby unit by connecting to the standby ASA IP address.
b) Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status,
and clicking Make Active.
Step 8 On the Firepower security appliance that contains the new standby ASA logical device, upload the new FXOS
platform bundle image and ASA software image:
Note If you are upgrading to a version earlier than FXOS 2.3.1, do not upload the ASA CSP image to
your security appliance until after you upgrade the FXOS platform bundle software.

a) In Firepower Chassis Manager, choose System > Updates.


The Available Updates area shows a list of the packages available on the chassis.
b) Click Upload Image.
c) Click Choose File to navigate to and select the image that you want to upload.
d) Click Upload.
The selected image is uploaded to the chassis.
Step 9 After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the
Firepower security appliance that contains the new standby ASA logical device:
a) Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.

The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
b) Click Yes to confirm that you want to proceed with installation.
FXOS unpacks the bundle and upgrades/reloads the components.

Step 10 Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using
the FXOS CLI (see Monitor the Upgrade Progress, on page 131).
Step 11 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 12 Upgrade the ASA logical device image:
a) Choose Logical Devices.
The Logical Devices page opens to show a list of configured logical devices on the chassis. If no logical
devices have been configured, a message stating so is shown instead.
b) Click the Set Version icon for the logical device that you want to update to open the Update Image
Version dialog box.
c) For the New Version, choose the software version to which you want to update.
d) Click OK.
Step 13 After the upgrade process finishes, verify that the applications are online and have upgraded successfully:
a) Choose Logical Devices.
b) Verify the application version and operational status.
Step 14 (Optional) Make the unit that you just upgraded the active unit as it was before the upgrade:
a) Launch ASDM on the standby unit by connecting to the standby ASA IP address.
b) Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status,
and clicking Make Active.

Upgrade FXOS and an ASA Active/Standby Failover Pair Using the FXOS CLI
The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• You need to determine which unit is active and which is standby: connect to the ASA console on the
Firepower security appliance and enter the show failover command to view the Active/Standby status
of the unit.
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.
• Collect the following information that you will need to download software images to the chassis:

• IP address and authentication credentials for the server from which you are copying the image.
• Fully qualified name of the image file.

Procedure

Step 1 On the Firepower security appliance that contains the standby ASA logical device, download the new FXOS
platform bundle image:
a) Connect to the FXOS CLI.
b) Enter firmware mode:
scope firmware
c) Download the FXOS platform bundle software image:
download image URL
Specify the URL for the file being imported using one of the following syntax:
• ftp://username@server/path/image_name
• scp://username@server/path/image_name
• sftp://username@server/path/image_name
• tftp://server:port-num/path/image_name

d) To monitor the download process:


scope download-task image_name
show detail

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image
scp://[email protected]/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
File Name: fxos-k9.2.3.1.58.SPA
Protocol: scp
Server: 192.168.1.1
Userid:
Path:
Downloaded Image Size (KB): 853688
State: Downloading
Current Task: downloading image fxos-k9.2.3.1.58.SPA from
192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 2 After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:
a) If necessary, return to firmware mode:
up

b) Make note of the version number for the FXOS platform bundle you are installing:
show package
c) Enter auto-install mode:
scope auto-install
d) Install the FXOS platform bundle:
install platform platform-vers version_number
version_number is the version number of the FXOS platform bundle you are installing--for example,
2.3(1.58).
e) The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
Enter yes to confirm that you want to proceed with verification.
f) Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.
FXOS unpacks the bundle and upgrades/reloads the components.
g) To monitor the upgrade process, see Monitor the Upgrade Progress, on page 131.
Step 3 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 4 Download the new ASA software image to the chassis:
a) Enter Security Services mode:
top
scope ssa
b) Enter Application Software mode:
scope app-software
c) Download the logical device software image:
download image URL
Specify the URL for the file being imported using one of the following syntax:
• ftp://username@server/path
• scp://username@server/path
• sftp://username@server/path
• tftp://server:port-num/path

d) To monitor the download process:


show download-task
e) To view the downloaded applications:

up

show app

Make note of the ASA version for the software package you downloaded. You will need to use the exact
version string to enable the application in a later step.

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
File Name                      Protocol   Server               Userid          State
------------------------------ ---------- -------------------- --------------- -----
cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
Name       Version    Description Author     Deploy Type CSP Type    Is Default App
---------- ---------- ----------- ---------- ----------- ----------- --------------
asa        9.4.1.41   N/A                    Native      Application No
asa        9.4.1.65   N/A                    Native      Application Yes

Step 5 Upgrade the ASA logical device image:


a) Enter Security Services mode:
top
scope ssa
b) Set the scope to the security module you are updating:
scope slot slot_number
c) Set the scope to the ASA application:
For FXOS 2.3.1 and earlier: scope app-instance asa
For FXOS 2.4.1 and later: scope app-instance asa instance_name
d) Set the Startup version to the version you want to update:
set startup-version version_number
e) Commit the configuration:
commit-buffer
Commits the transaction to the system configuration. The application image is updated and the application
restarts.

Step 6 To verify the status of the security modules/security engine and any installed applications, see Verify the
Installation, on page 132.

Step 7 Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit:
a) On the Firepower security appliance that contains the standby ASA logical device, connect to the module
CLI using a console connection or a Telnet connection.
connect module slot_number {console | telnet}
To connect to the security engine of a device that does not support multiple security modules, always use
1 as the slot_number.
Example:

Firepower# connect module 1 console


Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>

b) Connect to the application console.


connect asa
Example:

Firepower-module1> connect asa


Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

c) Make this unit active:


failover active
d) Save the configuration:
write memory
e) Verify that the unit is active:
show failover

Step 8 Exit the application console to the FXOS module CLI.


Enter Ctrl-a, d

Step 9 Return to the supervisor level of the FXOS CLI.


Exit the console:
a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

Exit the Telnet session:


a) Enter Ctrl-], .
Step 10 On the Firepower security appliance that contains the new standby ASA logical device, download the new
FXOS platform bundle image:
a) Connect to the FXOS CLI.
b) Enter firmware mode:
scope firmware
c) Download the FXOS platform bundle software image:
download image URL
Specify the URL for the file being imported using one of the following syntax:
• ftp://username@server/path/image_name
• scp://username@server/path/image_name
• sftp://username@server/path/image_name
• tftp://server:port-num/path/image_name

d) To monitor the download process:


scope download-task image_name
show detail

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image
scp://[email protected]/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
File Name: fxos-k9.2.3.1.58.SPA
Protocol: scp
Server: 192.168.1.1
Userid:
Path:
Downloaded Image Size (KB): 853688
State: Downloading
Current Task: downloading image fxos-k9.2.3.1.58.SPA from
192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 11 After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:
a) If necessary, return to firmware mode:
up
b) Make note of the version number for the FXOS platform bundle you are installing:
show package
c) Enter auto-install mode:

scope auto-install
d) Install the FXOS platform bundle:
install platform platform-vers version_number
version_number is the version number of the FXOS platform bundle you are installing--for example,
2.3(1.58).
e) The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
Enter yes to confirm that you want to proceed with verification.
f) Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.
FXOS unpacks the bundle and upgrades/reloads the components.
g) To monitor the upgrade process, see Monitor the Upgrade Progress, on page 131.
Step 12 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 13 Download the new ASA software image to the chassis:
a) Enter Security Services mode:
top
scope ssa
b) Enter Application Software mode:
scope app-software
c) Download the logical device software image:
download image URL
Specify the URL for the file being imported using one of the following syntax:
• ftp://username@server/path
• scp://username@server/path
• sftp://username@server/path
• tftp://server:port-num/path

d) To monitor the download process:


show download-task
e) To view the downloaded applications:
up

show app

Make note of the ASA version for the software package you downloaded. You will need to use the exact
version string to enable the application in a later step.

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
File Name                      Protocol   Server               Userid          State
------------------------------ ---------- -------------------- --------------- -----
cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
Name       Version    Description Author     Deploy Type CSP Type    Is Default App
---------- ---------- ----------- ---------- ----------- ----------- --------------
asa        9.4.1.41   N/A                    Native      Application No
asa        9.4.1.65   N/A                    Native      Application Yes

Step 14 Upgrade the ASA logical device image:


a) Enter Security Services mode:
top
scope ssa
b) Set the scope to the security module you are updating:
scope slot slot_number
c) Set the scope to the ASA application:
For FXOS 2.3.1 and earlier: scope app-instance asa
For FXOS 2.4.1 and later: scope app-instance asa instance_name
d) Set the Startup version to the version you want to update:
set startup-version version_number
e) Commit the configuration:
commit-buffer
Commits the transaction to the system configuration. The application image is updated and the application
restarts.

Step 15 To verify the status of the security modules/security engine and any installed applications, see Verify the
Installation, on page 132.
Step 16 (Optional) Make the unit that you just upgraded the active unit as it was before the upgrade:

a) On the Firepower security appliance that contains the standby ASA logical device, connect to the module
CLI using a console connection or a Telnet connection.
connect module slot_number {console | telnet}
To connect to the security engine of a device that does not support multiple security modules, always use
1 as the slot_number.
Example:

Firepower# connect module 1 console


Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>

b) Connect to the application console.


connect asa
Example:

Firepower-module1> connect asa


Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

c) Make this unit active:


failover active
d) Save the configuration:
write memory
e) Verify that the unit is active:
show failover
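
The checks that the FXOS CLI procedure above asks you to make by eye before Step 5 and Step 14, as an added Python example (not part of the Cisco guide): it checks a download image URL against the four syntaxes listed, parses show download-task and show app output by its dashed ruler, and returns the set startup-version command sequence only when the image is Downloaded and the exact version string is listed. The function names and the sample captures are constructed for illustration and follow the layout of the guide's example output.

```python
import re
from urllib.parse import urlsplit

# Schemes the guide lists for "download image". ftp and tftp are unencrypted.
LISTED_SCHEMES = {"ftp", "scp", "sftp", "tftp"}
CLEARTEXT_SCHEMES = {"ftp", "tftp"}

# Constructed sample captures, laid out like the guide's example output.
SAMPLE_DOWNLOAD_TASKS = """\
Downloads for Application Software:
File Name                      Protocol   Server               Userid          State
------------------------------ ---------- -------------------- --------------- -----
cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded
"""
SAMPLE_SHOW_APP = """\
Application:
Name       Version    Description Author     Deploy Type CSP Type    Is Default App
---------- ---------- ----------- ---------- ----------- ----------- --------------
asa        9.4.1.41   N/A                    Native      Application No
asa        9.4.1.65   N/A                    Native      Application Yes
"""


def check_download_url(url):
    """Return findings for a 'download image' URL; an empty list means none."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme not in LISTED_SCHEMES:
        findings.append(f"scheme {parts.scheme or '(none)'} is not one the guide lists")
    elif parts.scheme in CLEARTEXT_SCHEMES:
        findings.append(f"{parts.scheme} is unencrypted; prefer scp or sftp")
    if not parts.hostname:
        findings.append("no server in URL")
    if parts.password is not None:
        findings.append("password in URL; the listed syntax carries only username@server")
    return findings


def parse_fixed_width(text):
    """Parse a CLI table into dicts, using the dashed ruler for column spans."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    ruler = next((i for i, ln in enumerate(lines) if set(ln) <= {"-", " "}), None)
    if not ruler:  # None, or 0 meaning there is no header line above the ruler
        raise ValueError("no header/ruler pair found")
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    spans[-1] = (spans[-1][0], None)  # last column may overflow ("Downloaded")
    names = [lines[ruler - 1][a:b].strip() for a, b in spans]
    # Slicing by span keeps an empty cell (Author) from shifting later columns.
    return [{n: ln[a:b].strip() for n, (a, b) in zip(names, spans)}
            for ln in lines[ruler + 1:]]


def fxos_release(version):
    """Turn '2.3(1.58)' or '2.4.1.101' into a comparable tuple such as (2, 3, 1)."""
    m = re.match(r"(\d+)\.(\d+)[.(](\d+)", version)
    if not m:
        raise ValueError(f"unrecognised FXOS version: {version}")
    return tuple(int(x) for x in m.groups())


def plan_startup_version(download_text, app_text, image, target, slot, fxos, instance=None):
    """Return the logical device upgrade commands, or raise ValueError."""
    states = {r["File Name"]: r["State"] for r in parse_fixed_width(download_text)}
    if states.get(image) != "Downloaded":
        raise ValueError(f"{image}: state is {states.get(image)}, not Downloaded")
    listed = {r["Version"] for r in parse_fixed_width(app_text) if r["Name"] == "asa"}
    if target not in listed:  # exact string match, as the guide requires
        raise ValueError(f"ASA {target} not in 'show app': {sorted(listed)}")
    release = fxos_release(fxos)
    if release <= (2, 3, 1):
        app_scope = "scope app-instance asa"
    elif release >= (2, 4, 1):
        if not instance:
            raise ValueError("FXOS 2.4.1 and later needs the instance name")
        app_scope = f"scope app-instance asa {instance}"
    else:
        raise ValueError(f"guide gives no app-instance syntax for FXOS {fxos}")
    return ["top", "scope ssa", f"scope slot {slot}", app_scope,
            f"set startup-version {target}", "commit-buffer"]
```

Feed it the text captured from the chassis session; a ValueError means the logical device upgrade should not be committed yet.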

Upgrade FXOS and an ASA Active/Active Failover Pair


Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and an ASA Active/Active failover pair.

Upgrade FXOS and an ASA Active/Active Failover Pair Using Firepower Chassis Manager
The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• You need to determine which unit is the primary unit: connect ASDM and then choose Monitoring >
Properties > Failover > Status to view this unit's priority (primary or secondary) so you know which
unit you are connected to.
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.

Procedure

Step 1 Make both failover groups active on the primary unit.


a) Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the
management address in failover group 1.
b) Choose Monitoring > Failover > Failover Group 2, and click Make Active.
c) Stay connected to ASDM on this unit for later steps.
Step 2 On the Firepower security appliance that contains the secondary ASA logical device, upload the new FXOS
platform bundle image and ASA software image:
Note If you are upgrading to a version earlier than FXOS 2.3.1, do not upload the ASA CSP image to
your security appliance until after you upgrade the FXOS platform bundle software.

a) Connect to the Firepower Chassis Manager on the secondary unit.


b) Choose System > Updates.
The Available Updates area shows a list of the packages available on the chassis.
c) Click Upload Image.
d) Click Choose File to navigate to and select the image that you want to upload.
e) Click Upload.
The selected image is uploaded to the chassis.
Step 3 After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the
Firepower security appliance that contains the secondary ASA logical device:
a) Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.
The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
b) Click Yes to confirm that you want to proceed with installation.
FXOS unpacks the bundle and upgrades/reloads the components.

Step 4 Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using
the FXOS CLI (see Monitor the Upgrade Progress, on page 131).
Step 5 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).

Step 6 Upgrade the ASA logical device image:


a) Choose Logical Devices.
The Logical Devices page opens to show a list of configured logical devices on the chassis.
b) Click the Set Version icon for the logical device that you want to update to open the Update Image
Version dialog box.
c) For the New Version, choose the software version to which you want to update.
d) Click OK.
Step 7 After the upgrade process finishes, verify that the applications are online and have upgraded successfully:
a) Choose Logical Devices.
b) Verify the application version and operational status.
Step 8 Make both failover groups active on the secondary unit.
a) Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the
management address in failover group 1.
b) Choose Monitoring > Failover > Failover Group 1, and click Make Standby.
c) Choose Monitoring > Failover > Failover Group 2, and click Make Standby.
ASDM will automatically reconnect to the failover group 1 IP address on the secondary unit.

Step 9 On the Firepower security appliance that contains the primary ASA logical device, upload the new FXOS
platform bundle image and ASA software image:
Note If you are upgrading to a version earlier than FXOS 2.3.1, do not upload the ASA CSP image to
your security appliance until after you upgrade the FXOS platform bundle software.

a) Connect to the Firepower Chassis Manager on the primary unit.


b) Choose System > Updates.
The Available Updates area shows a list of the packages available on the chassis.
c) Click Upload Image to open the Upload Image dialog box.
d) Click Choose File to navigate to and select the image that you want to upload.
e) Click Upload.
The selected package is uploaded to the chassis.
f) For certain software images you will be presented with an end-user license agreement after uploading the
image. Follow the system prompts to accept the end-user license agreement.
Step 10 After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the
Firepower security appliance that contains the primary ASA logical device:
a) Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.
The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
b) Click Yes to confirm that you want to proceed with installation.
FXOS unpacks the bundle and upgrades/reloads the components.

Step 11 Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using
the FXOS CLI (see Monitor the Upgrade Progress, on page 131).

Step 12 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 13 Upgrade the ASA logical device image:
a) Choose Logical Devices.
The Logical Devices page opens to show a list of configured logical devices on the chassis.
b) Click the Set Version icon for the logical device that you want to update to open the Update Image
Version dialog box.
c) For the New Version, choose the software version to which you want to update.
d) Click OK.
Step 14 After the upgrade process finishes, verify that the applications are online and have upgraded successfully:
a) Choose Logical Devices.
b) Verify the application version and operational status.
Step 15 If the failover groups are configured with Preempt Enabled, they automatically become active on their
designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt
Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover
> Failover Group # pane.

Upgrade FXOS and an ASA Active/Active Failover Pair Using the FXOS CLI
The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• You need to determine which unit is primary: connect to the ASA console on the Firepower security
appliance and enter the show failover command to view the unit's status and priority (primary or
secondary).
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.
• Collect the following information that you will need to download software images to the chassis:
• IP address and authentication credentials for the server from which you are copying the image.
• Fully qualified name of the image file.

Procedure

Step 1 Connect to the FXOS CLI on the secondary unit, either the console port (preferred) or using SSH.
Step 2 Make both failover groups active on the primary unit.
a) Connect to the module CLI using a console connection or a Telnet connection.
connect module slot_number {console | telnet}

To connect to the security engine of a device that does not support multiple security modules, always use
1 as the slot_number.
Example:

Firepower# connect module 1 console


Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>

b) Connect to the application console.


connect asa
Example:

Firepower-module1> connect asa


Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

c) Make both failover groups active on the primary unit.


enable
The enable password is blank by default.
no failover active group 1
no failover active group 2
Example:
asa> enable
Password: <blank>
asa# no failover active group 1
asa# no failover active group 2

Step 3 Exit the application console to the FXOS module CLI.


Enter Ctrl-a, d

Step 4 Return to the supervisor level of the FXOS CLI.


Exit the console:
a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

Exit the Telnet session:

a) Enter Ctrl-], .
Step 5 On the Firepower security appliance that contains the secondary ASA logical device, download the new FXOS
platform bundle image and ASA software image:
a) Connect to the FXOS CLI.
b) Enter firmware mode:
scope firmware
c) Download the FXOS platform bundle software image:
download image URL
Specify the URL for the file being imported using one of the following syntax:
• ftp://username@server/path/image_name
• scp://username@server/path/image_name
• sftp://username@server/path/image_name
• tftp://server:port-num/path/image_name

d) To monitor the download process:


scope download-task image_name
show detail

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image
scp://[email protected]/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
File Name: fxos-k9.2.3.1.58.SPA
Protocol: scp
Server: 192.168.1.1
Userid:
Path:
Downloaded Image Size (KB): 853688
State: Downloading
Current Task: downloading image fxos-k9.2.3.1.58.SPA from
192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 6 After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:
a) If necessary, return to firmware mode:
top
scope firmware
b) Make note of the version number for the FXOS platform bundle you are installing:
show package
c) Enter auto-install mode:

scope auto-install
d) Install the FXOS platform bundle:
install platform platform-vers version_number
version_number is the version number of the FXOS platform bundle you are installing--for example,
2.3(1.58).
e) The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
Enter yes to confirm that you want to proceed with verification.
f) Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.
FXOS unpacks the bundle and upgrades/reloads the components.
g) To monitor the upgrade process, see Monitor the Upgrade Progress, on page 131.
Step 7 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 8 Download the new ASA software image to the chassis:
a) Enter Security Services mode:
top
scope ssa
b) Enter Application Software mode:
scope app-software
c) Download the logical device software image:
download image URL
Specify the URL for the file being imported using one of the following syntax:
• ftp://username@server/path
• scp://username@server/path
• sftp://username@server/path
• tftp://server:port-num/path

d) To monitor the download process:


show download-task
e) To view the downloaded applications:
up

show app

Make note of the ASA version for the software package you downloaded. You will need to use the exact
version string to enable the application in a later step.

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Step 9 Upgrade the ASA logical device image:


a) Enter Security Services mode:
top
scope ssa
b) Set the scope to the security module you are updating:
scope slot slot_number
c) Set the scope to the ASA application:
For FXOS 2.3.1 and earlier: scope app-instance asa
For FXOS 2.4.1 and later: scope app-instance asa instance_name
d) Set the Startup version to the version you want to update:
set startup-version version_number
e) Commit the configuration:
commit-buffer
Commits the transaction to the system configuration. The application image is updated and the application
restarts.

Step 10 To verify the status of the security modules/security engine and any installed applications, see Verify the
Installation, on page 132.
Step 11 Make both failover groups active on the secondary unit.
a) Connect to the module CLI using a console connection or a Telnet connection.

connect module slot_number {console | telnet}


To connect to the security engine of a device that does not support multiple security modules, always use
1 as the slot_number.
Example:

Firepower# connect module 1 console


Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>

b) Connect to the application console.


connect asa
Example:

Firepower-module1> connect asa


Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

c) Make both failover groups active on the secondary unit.


enable
The enable password is blank by default.
failover active group 1
failover active group 2
Example:
asa> enable
Password: <blank>
asa# failover active group 1
asa# failover active group 2

Step 12 Exit the application console to the FXOS module CLI.


Enter Ctrl-a, d

Step 13 Return to the supervisor level of the FXOS CLI.


Exit the console:
a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

Exit the Telnet session:


a) Enter Ctrl-], .
Step 14 On the Firepower security appliance that contains the primary ASA logical device, download the new FXOS
platform bundle image and ASA software image:
a) Connect to the FXOS CLI.
b) Enter firmware mode:
scope firmware
c) Download the FXOS platform bundle software image:
download image URL
Specify the URL for the file being imported using one of the following syntaxes:
• ftp://username@server/path/image_name
• scp://username@server/path/image_name
• sftp://username@server/path/image_name
• tftp://server:port-num/path/image_name

d) To monitor the download process:


scope download-task image_name
show detail

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 15 After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle:
a) If necessary, return to firmware mode:
up
b) Make note of the version number for the FXOS platform bundle you are installing:
show package
c) Enter auto-install mode:

scope auto-install
d) Install the FXOS platform bundle:
install platform platform-vers version_number
version_number is the version number of the FXOS platform bundle you are installing--for example,
2.3(1.58).
e) The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
Enter yes to confirm that you want to proceed with verification.
f) Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.
FXOS unpacks the bundle and upgrades/reloads the components.
g) To monitor the upgrade process, see Monitor the Upgrade Progress, on page 131.
Step 16 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 17 Download the new ASA software image to the chassis:
a) Enter Security Services mode:
top
scope ssa
b) Enter Application Software mode:
scope app-software
c) Download the logical device software image:
download image URL
Specify the URL for the file being imported using one of the following syntaxes:
• ftp://username@server/path
• scp://username@server/path
• sftp://username@server/path
• tftp://server:port-num/path

d) To monitor the download process:


show download-task
e) To view the downloaded applications:
up

show app

Make note of the ASA version for the software package you downloaded. You will need to use the exact
version string to enable the application in a later step.

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Step 18 Upgrade the ASA logical device image:


a) Enter Security Services mode:
top
scope ssa
b) Set the scope to the security module you are updating:
scope slot slot_number
c) Set the scope to the ASA application:
For FXOS 2.3.1 and earlier: scope app-instance asa
For FXOS 2.4.1 and later: scope app-instance asa instance_name
d) Set the Startup version to the version you want to update:
set startup-version version_number
e) Commit the configuration:
commit-buffer
Commits the transaction to the system configuration. The application image is updated and the application
restarts.

Step 19 To verify the status of the security modules/security engine and any installed applications, see Verify the
Installation, on page 132.
Step 20 If the failover groups are configured with Preempt Enabled, they automatically become active on their
designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt
Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover
> Failover Group # pane.

Upgrade FXOS and an ASA Inter-chassis Cluster


Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and ASA on all chassis in an inter-chassis
cluster.

Upgrade FXOS and an ASA Inter-chassis Cluster Using Firepower Chassis Manager
The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.

Procedure

Step 1 Determine which chassis has the Master unit. You will upgrade this chassis last:
a) Connect to Firepower Chassis Manager.
b) Choose Logical Devices.
c) Click the plus sign (+) to see the attributes for the security modules included in the cluster.
d) Verify that the Primary unit is on this chassis. There should be an ASA instance with CLUSTER-ROLE
set to master.
Step 2 Connect to Firepower Chassis Manager on a chassis in the cluster that does not have the Master unit.
Step 3 Upload the new FXOS platform bundle image and ASA software image:
Note: If you are upgrading to a version earlier than FXOS 2.3.1, do not upload the ASA CSP image to
your security appliance until after you upgrade the FXOS platform bundle software.

a) In Firepower Chassis Manager, choose System > Updates.


The Available Updates area shows a list of the packages available on the chassis.
b) Click Upload Image.
c) Click Choose File to navigate to and select the image that you want to upload.
d) Click Upload.
The selected image is uploaded to the chassis.
e) Wait for the images to successfully upload before continuing.
Step 4 Disable clustering for all security modules on the chassis:
a) Choose Logical Devices.
b) Click the Disable switch for each security module included in the cluster.
The Cluster Operational Status changes to not-in-cluster.
Step 5 Upgrade the FXOS bundle:
a) Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade.
The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
b) Click Yes to confirm that you want to proceed with installation.
FXOS unpacks the bundle and upgrades/reloads the components.

Step 6 Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using
the FXOS CLI (see Monitor the Upgrade Progress, on page 131).
Step 7 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 8 Upgrade the ASA logical device image on each security module:
a) Choose Logical Devices.
The Logical Devices page opens to show a list of configured logical devices on the chassis.
b) Click the Set Version icon for the logical device that you want to update to open the Update Image
Version dialog box.
c) For the New Version, choose the software version to which you want to update.
d) Click OK.
Step 9 After the upgrade process finishes, verify that the applications are online and have upgraded successfully:
a) Choose Logical Devices.
b) Verify the application version and operational status.
Step 10 Re-enable clustering for all security modules on the chassis:
a) Choose Logical Devices.
b) Click the Enable switch for each security module included in the cluster.
The Cluster Operational Status changes to in-cluster.
Step 11 Repeat steps 2-10 for all remaining chassis in the cluster that do not have the Master unit.
Step 12 After all chassis in the cluster that do not have the Master unit have been upgraded, repeat steps 2-10 on the
chassis with the Master unit, being sure to disable clustering on the slave units first, and then finally the master
unit.
A new master unit will be chosen from one of the previously upgraded chassis.
Step 13 After the cluster has stabilized, redistribute active sessions among all modules in the cluster using the ASA
console on the master unit.
cluster redistribute vpn-sessiondb

Upgrade FXOS and an ASA Inter-chassis Cluster Using the FXOS CLI
The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin


Before beginning your upgrade, make sure that you have already done the following:
• Download the FXOS and ASA software packages to which you are upgrading (see Download the Software
from Cisco.com, on page 28).
• Back up your FXOS and ASA configurations.
• Collect the following information that you will need to download software images to the chassis:
• IP address and authentication credentials for the server from which you are copying the image.
• Fully qualified name of the image file.

Procedure

Step 1 Determine which chassis has the Master unit. You will upgrade this chassis last:
a) Connect to the FXOS CLI.
b) Verify that the Primary unit is on this chassis. There should be an ASA instance with Cluster Role set to
“Master”:
scope ssa
show app-instance

Step 2 Connect to the FXOS CLI on a chassis in the cluster that does not have the Master unit.
Step 3 Download the new FXOS platform bundle image to the chassis:
a) Enter firmware mode:
scope firmware
b) Download the FXOS platform bundle software image:
download image URL
Specify the URL for the file being imported using one of the following syntaxes:
• ftp://username@server/path/image_name
• scp://username@server/path/image_name
• sftp://username@server/path/image_name
• tftp://server:port-num/path/image_name

c) To monitor the download process:


scope download-task image_name
show detail

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope firmware
Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA
Firepower-chassis /firmware/download-task # show detail
Download task:
    File Name: fxos-k9.2.3.1.58.SPA
    Protocol: scp
    Server: 192.168.1.1
    Userid:
    Path:
    Downloaded Image Size (KB): 853688
    State: Downloading
    Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

Step 4 After the new FXOS platform bundle image has successfully downloaded, disable clustering for all security
modules on the chassis:
a) Connect to the module CLI using a console connection or a Telnet connection.
connect module slot_number {console | telnet}
To connect to the security engine of a device that does not support multiple security modules, always use
1 as the slot_number.
Example:

Firepower# connect module 1 console


Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>

b) Connect to the application console.


connect asa
Example:

Firepower-module1> connect asa


Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

c) Disable clustering on one of the security modules:


cluster group name
no enable
If you are upgrading FXOS on the chassis as well as ASA, save the configuration so clustering will be
disabled after the chassis reboots:
write memory
d) Wait for the cluster to stabilize; verify all backup sessions have been created.
show cluster vpn-sessiondb summary
e) Repeat step 4 for each security module on this chassis.
Step 5 Exit the application console to the FXOS module CLI.
Enter Ctrl-a, d

Step 6 Return to the supervisor level of the FXOS CLI.


Exit the console:
a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

Exit the Telnet session:


a) Enter Ctrl-], .
Step 7 Upgrade the FXOS bundle:
a) If necessary, return to firmware mode:
top
scope firmware
b) Make note of the version number for the FXOS platform bundle you are installing:
show package
c) Enter auto-install mode:
scope auto-install
d) Install the FXOS platform bundle:
install platform platform-vers version_number
version_number is the version number of the FXOS platform bundle you are installing--for example,
2.3(1.58).
e) The system will first verify the software package that you want to install. It will inform you of any
incompatibility between currently-installed applications and the specified FXOS platform software package.
It will also warn you that any existing sessions will be terminated and that the system will need to be
rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility
table, you can ignore these warnings.
Enter yes to confirm that you want to proceed with verification.
f) Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation.
FXOS unpacks the bundle and upgrades/reloads the components.
g) To monitor the upgrade process, see Monitor the Upgrade Progress, on page 131.
Step 8 After all components have successfully upgraded, verify the status of the security modules/security engine
and any installed applications before continuing (see Verify the Installation, on page 132).
Step 9 Download the new ASA software image to the chassis:
a) Enter Security Services mode:
top
scope ssa
b) Enter Application Software mode:
scope app-software
c) Download the logical device software image:
download image URL
Specify the URL for the file being imported using one of the following syntaxes:
• ftp://username@server/path
• scp://username@server/path
• sftp://username@server/path
• tftp://server:port-num/path

d) To monitor the download process:


show download-task
e) To view the downloaded applications:
up

show app

Make note of the ASA version for the software package you downloaded. You will need to use the exact
version string to enable the application in a later step.

Example:
The following example copies an image using the SCP protocol:
Firepower-chassis # scope ssa
Firepower-chassis /ssa # scope app-software
Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
Firepower-chassis /ssa/app-software # show download-task

Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

Firepower-chassis /ssa/app-software # up

Firepower-chassis /ssa # show app

Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.4.1.41   N/A                    Native      Application No
    asa        9.4.1.65   N/A                    Native      Application Yes

Step 10 Upgrade the ASA logical device image:


a) Enter Security Services mode:
top
scope ssa
b) Set the scope to the security module you are updating:
scope slot slot_number
c) Set the scope to the ASA application:
For FXOS 2.3.1 and earlier: scope app-instance asa
For FXOS 2.4.1 and later: scope app-instance asa instance_name
d) Set the Startup version to the version you want to update:
set startup-version version_number
e) Commit the configuration:
commit-buffer
Commits the transaction to the system configuration. The application image is updated and the application
restarts.

Step 11 To verify the status of the security modules/security engine and any installed applications, see Verify the
Installation, on page 132.
Step 12 After the upgraded security modules come online, re-enable clustering for all security modules on the chassis:
a) Connect to the module CLI using a console connection or a Telnet connection.
connect module slot_number {console | telnet}
To connect to the security engine of a device that does not support multiple security modules, always use
1 as the slot_number.
Example:

Firepower# connect module 1 console


Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>

b) Connect to the application console.
connect asa
Example:

Firepower-module1> connect asa


Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

c) Enable clustering on one of the security modules:


cluster group name
enable
write memory
d) Repeat step 12 for each security module on this chassis.
Step 13 Exit the application console to the FXOS module CLI.
Enter Ctrl-a, d

Step 14 Return to the supervisor level of the FXOS CLI.


Exit the console:
a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

Exit the Telnet session:


a) Enter Ctrl-], .
Step 15 Repeat steps 2-14 for all remaining chassis in the cluster that do not have the Master unit.
Step 16 After all chassis in the cluster that do not have the Master unit have been upgraded, repeat steps 2-14 on the
chassis with the Master unit, being sure to disable clustering on the slave units first, and then finally the master
unit.
A new master unit will be chosen from one of the previously upgraded chassis.
Step 17 After the cluster has stabilized, redistribute active sessions among all modules in the cluster using the ASA
console on the master unit.
cluster redistribute vpn-sessiondb

Monitor the Upgrade Progress


You can monitor the upgrade process using the FXOS CLI:

Procedure

Step 1 Connect to the FXOS CLI.


Step 2 Enter scope system.
Step 3 Enter show firmware monitor.
Step 4 Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.
Note: After the FPRM component is upgraded, the system will reboot and then continue upgrading the
other components.

Example
Firepower-chassis# scope system
Firepower-chassis /system # show firmware monitor
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
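
Added example (not from the Cisco guide): a script that applies the Step 4 wait condition to captured show firmware monitor output. The function names are this example's own, the comparison against the target version is an added check, and the second capture is constructed sample data.

```python
import re

HEADER = re.compile(r"^([A-Za-z][\w /-]*):$")
FIELD = re.compile(r"^(Package-Vers|Upgrade-Status):\s*(.*)$")

def parse_firmware_monitor(text):
    """Map each component in 'show firmware monitor' output to its fields."""
    components, chassis, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        field, header = FIELD.match(line), HEADER.match(line)
        if field:
            if current is None:
                raise ValueError(f"field outside a component: {line!r}")
            components[current][field[1]] = field[2].strip()
        elif header and header[1].startswith("Chassis"):
            chassis, current = header[1], None  # container for its servers
        elif header:
            nested = chassis is not None and header[1].startswith("Server")
            chassis = chassis if nested else None
            current = f"{chassis} / {header[1]}" if nested else header[1]
            components[current] = {}
    return components

def upgrade_blockers(components, target_version):
    """Reasons the chassis is not yet fully upgraded to target_version."""
    blockers = []
    # The guide names three component families that must all report Ready.
    for family in ("FPRM", "Fabric Interconnect", "Chassis"):
        if not any(name.startswith(family) for name in components):
            blockers.append(f"{family}: no component reported")
    for name, fields in components.items():
        status = fields.get("Upgrade-Status", "missing")
        version = fields.get("Package-Vers", "missing")
        if status != "Ready":
            blockers.append(f"{name}: Upgrade-Status is {status}")
        elif version != target_version:
            # Ready at the old version means the upgrade has not reached
            # this component yet (added check, not stated in the guide).
            blockers.append(f"{name}: Ready at {version}, expected {target_version}")
    return blockers

# Output shown in the guide's example.
DONE = """\
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
"""

# Constructed mid-upgrade capture; the older version and the Upgrading
# status value are sample values, not taken from the guide.
MID = """\
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready
Fabric Interconnect A:
    Package-Vers: 2.2(2.17)
    Upgrade-Status: Upgrading
Chassis 1:
    Server 1:
        Package-Vers: 2.2(2.17)
        Upgrade-Status: Ready
"""

if __name__ == "__main__":
    for label, capture in (("done", DONE), ("mid-upgrade", MID)):
        print(label, upgrade_blockers(parse_firmware_monitor(capture), "2.3(1.58)"))
```

An empty list means every component is Ready at the target version; a capture cut short by the FPRM reboot is reported as missing component families rather than as success.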

Verify the Installation


Enter the following commands to verify the status of the security modules/security engine and any installed
applications:

Procedure

Step 1 Connect to the FXOS CLI.


Step 2 Enter top.
Step 3 Enter scope ssa.
Step 4 Enter show slot.
Step 5 Verify that the Admin State is Ok and the Oper State is Online for the security engine on a Firepower 4100
series appliance or for any security modules installed on a Firepower 9300 appliance.
Example:

Step 6 Enter show app-instance.


Step 7 Verify that the Oper State is Online for any logical devices installed on the chassis and that the correct
version is listed.
If this chassis is part of a cluster, verify that the cluster operational state is “In-Cluster” for all security modules
installed in the chassis. Also, verify that the Master unit is not on the chassis that you are upgrading; there
should not be any instance with Cluster Role set to “Master”.

Example
Firepower-chassis# scope ssa
Firepower-chassis /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
Firepower-chassis /ssa #
Firepower-chassis /ssa # show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version
    Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- ---------------
    --------------- ------------
    asa        asa1       1          Enabled     Online           9.10.0.85       9.10.0.85
    Not Applicable  None
    asa        asa2       2          Enabled     Online           9.10.0.85       9.10.0.85
    Not Applicable  None
Firepower-chassis /ssa #
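
Added example (not from the Cisco guide): the checks in Steps 5 and 7 applied to a captured show slot / show app-instance transcript, including rows that wrap onto a second line and the cluster check that the Master unit is not on the chassis being upgraded (the same table read in Step 1 of the cluster procedures). Function names are this example's own, the second app-instance capture is constructed, and treating a slot with no app-instance as an empty bay is an assumption.

```python
import re

RULER = re.compile(r"^ *-+( +-+)* *$")
PROMPT = re.compile(r"^\S+( /\S+)? ?#( |$)")

def command_output(transcript, command):
    """Lines printed after `command`, up to the next CLI prompt."""
    out, capturing = [], False
    for line in transcript.splitlines():
        if PROMPT.match(line):
            if capturing:
                break
            capturing = line.rstrip().endswith("# " + command)
        elif capturing and line.strip():
            out.append(line.rstrip())
    return out

def parse_table(lines):
    """Parse an FXOS table; a row wraps over as many lines as the dash ruler."""
    start = next((i for i, l in enumerate(lines) if RULER.match(l)), -1)
    n = 1
    while start + n < len(lines) and RULER.match(lines[start + n]):
        n += 1
    body = lines[start + n:]
    if start < n or len(body) % n:
        raise ValueError("no ruler, or a header or wrapped row is incomplete")
    starts = [[m.start() for m in re.finditer("-+", r)] for r in lines[start:start + n]]
    def cells(chunk):
        # Cut at the ruler's column starts so "Not Available" stays one value.
        return [line[a:b].strip() for line, cols in zip(chunk, starts)
                for a, b in zip(cols, cols[1:] + [None])]
    names = cells(lines[start - n:start])
    return [dict(zip(names, cells(body[i:i + n]))) for i in range(0, len(body), n)]

def verify_chassis(transcript, expected_version, clustered=False):
    """Findings that should stop the procedure before the next step."""
    slots = {s["Slot ID"]: s for s in parse_table(command_output(transcript, "show slot"))}
    findings = []
    for app in parse_table(command_output(transcript, "show app-instance")):
        who = f"{app['App Name']} in slot {app['Slot ID']}"
        slot = slots.get(app["Slot ID"], {})
        # Assumption: a slot with no app-instance is an empty bay and is skipped.
        if (slot.get("Admin State"), slot.get("Oper State")) != ("Ok", "Online"):
            findings.append(f"{who}: slot is not Ok/Online")
        if app["Oper State"] != "Online":
            findings.append(f"{who}: Oper State is {app['Oper State']}")
        for col in ("Running Version", "Startup Version"):
            if app[col] != expected_version:
                findings.append(f"{who}: {col} {app[col]}, expected {expected_version}")
        if clustered and app["Cluster State"].lower().replace("-", " ") != "in cluster":
            findings.append(f"{who}: Cluster State is {app['Cluster State']}")
        if clustered and app["Cluster Role"].lower() == "master":
            findings.append(f"{who}: Master unit is on this chassis")
    return findings

# Shared part of both captures: the guide's show slot output and table headers.
HEAD = """\
Firepower-chassis /ssa # show slot
Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
Firepower-chassis /ssa # show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version
    Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- ---------------
    --------------- ------------
"""
# Rows from the guide's example (column alignment reconstructed).
GOOD = HEAD + """\
    asa        asa1       1          Enabled     Online           9.10.0.85       9.10.0.85
    Not Applicable  None
    asa        asa2       2          Enabled     Online           9.10.0.85       9.10.0.85
    Not Applicable  None"""
# Constructed rows: a clustered chassis that still holds the Master unit.
BAD = HEAD + """\
    asa        asa1       1          Enabled     Online           9.4.1.41        9.4.1.65
    In Cluster      Master
    asa        asa2       2          Enabled     Online           9.4.1.65        9.4.1.65
    In Cluster      Slave"""
```

Slot 3 in the guide's output is Not Available but hosts no application, so it produces no finding; a capture that ends mid-row raises ValueError instead of passing silently.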
