Cisco ASA IOS Upgrade/Downgrade CLI

edledge Cisco logo

Make: Cisco ASA
: ASA 5506-X, ASA 5506 W-X, ASA 5508-X
Mode: CLI (Command Line Interface)
Description: In this article, we will discuss the stepwise method to upgrade and/or downgrade the IOS of Cisco ASA Firewalls. This article contains the CLI method of upgrading Cisco IOS. We can upgrade the IOS via GUI as well. Follow the link to get GUI method to upgrade IOS of ASA. Select the IOS Version and download it from the Cisco Software Download Center and save it in the local Computer.

ASA Image Upgrade

Step1: Login
Login to the Firewall via CLI

Step2: Current Version
To check the current version of the ASA follows the command shown below.

edledge-asa# sh version
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Compiled on Sun 27-Aug-17 13:06 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"

edledge-asa up 8 days 18 hours

Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

<.......Overall output of the "sh version" command wil be long hence it has been shorten and only
top few lines are showed.....>

Step3: Check Flash
Check “flash:” to know free available space and also the files it already has. Follow the steps shown below

edledge-asa# sh flash:
--#-- --length-- -----date/time------ path
94 108563072 Jan 04 2020 00:03:20 asa982-lfbff-k8.SPA
95 26970456 Jan 04 2020 00:03:40 asdm-782.bin
96 33 Jan 26 2021 11:07:55 .boot_string
11 4096 Jan 04 2020 00:07:00 log
13 625 Jan 25 2021 15:24:46 log/asa-appagent.log
21 4096 Jan 04 2020 00:07:52 crypto_archive
22 4096 Jan 04 2020 00:07:54 coredumpinfo
23 59 Jan 04 2020 00:07:54 coredumpinfo/coredump.cfg

7859437568 bytes total (4393017344 bytes free)

Step4: TFTP Connection
Check and ensure TFTP is accessible. Let us consider here TFTP host IP is

edledge-asa# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step5: Transfer IOS File
Since TFTP is accessible, we can transfer the IOS file to the ASA. Follow the commands shown below.

edledge-asa# copy tftp flash:

Address or name of remote host []?

Source filename []? asa9-13-1-10-lfbff-k8.SPA

Destination filename [asa9-13-1-10-lfbff-k8.SPA]? [ENTER]

Accessing tftp://!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asa9-13-1-10-lfbff-k8.SPA...

Computed Hash SHA2: 5555f952834545f95222b4545f952cc8

Embedded Hash SHA2: 5555f952834545f95222b4545f952cc8

Digital signature successfully validated

Writing file disk0:/asa9-13-1-10-lfbff-k8.SPA...

107571680 bytes copied in 125.180 secs (860573 bytes/sec)

Step6: Boot System
Check the current boot system

edledge-asa# sh boot

BOOT variable = disk0:/asa982-lfbff-k8.SPA
Current BOOT variable = disk0:/asa982-lfbff-k8.SPA
CONFIG_FILE variable =
Current CONFIG_FILE variable =

Step7: Change Boot System
Change the boot system to new uploaded IOS as shown below

edledge-asa(config)# boot system flash:asa9-13-1-10-lfbff-k8.SPA
INFO: Converting flash:asa9-13-1-10-lfbff-k8.SPA to disk0:/asa9-13-1-10-lfbff-k8.SPA

Step8: Confirm Boot System
Check and confirm that the boot system is set for the new IOS image.

edledge-asa# sh boot

BOOT variable =
Current BOOT variable = disk0:/asa9-13-1-10-lfbff-k8.SPA
CONFIG_FILE variable =
Current CONFIG_FILE variable =

Step9: Save Change & Reload
Save the changes so that the latest boot settings should be saved and then reload the ASA to boot with the latest ISO image.

<save the config>

edledge-asa# wr
Building configuration...
Cryptochecksum: 845e144f f45e143e 945e144f 945e144f

3384 bytes copied in 0.170 secs

<reload the ASA>

edledge-asa# reload
Proceed with reload? [confirm]

ASDM Image Upgrade

Follow Steps 1 to 4 Same as earlier as mentioned above.

Step10: Load the “ASDM” image. As shown below:

edledge-asa# copy tftp flash:

Address or name of remote host []?

Source filename []? asdm-openjre-7131-101.bin

Destination filename [asdm-openjre-7131-101.bin]? [ENTER]

Accessing tftp://!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-openjre-7131-101.bin...
Writing file disk0:/asdm-openjre-7131-101.bin...

INFO: No digital signature found
110660520 bytes copied in 130.940 secs (851234 bytes/sec)

Step11: ASDM Boot System
Change the ASDM boot system to latest ASDM image.

edledge-asa(config)# asdm image flash:asdm-openjre-7131-101.bin

Step12: Check and Save ASDM Boot File

<check asdm boot image>
edledge-asa# sh asdm image
Device Manager image file, disk0:/asdm-openjre-7131-101.bin

<save running configuration>
edledge-asa# wr
Building configuration...
Cryptochecksum: 845e144f e144f13e e144f44f e144f44f

3384 bytes copied in 0.160 secs

Reload the ASA. After reloading the ASA will have a new ASA and ASDM image.

There are many types of IOS available on the Cisco Software Download Center and it creates confusion about which is the best. Refer to Cisco IOS or Firmware Release Types to understand the different types of IOS.

Source: Cisco, Knowledge Base, Internet


Leave a Reply

Your email address will not be published. Required fields are marked *