Planning to Upgrade Cisco ASA to 9.14.1?


If you are planning to upgrade a Cisco ASA to the new Cisco IOS or software image 9.14.1.(x), this article will be helpful to you. Cisco released an interim version of the ASA IOS on 28-May-2020 that is compatible with the Cisco ASA 5506-X, 5508-X, 5516-X, and ISA 3000. The image can be downloaded from the Cisco Software Download Center (https://software.cisco.com/download/home).

Path to reach the image file (the ASA 5508-X is used as the example):
Downloads Home ⇒ Security ⇒ Firewalls ⇒ Next-Generation Firewalls (NGFW) ⇒ ASA 5500-X with FirePOWER Services ⇒ ASA 5500-X with FirePOWER Services ⇒ ASA 5508-X with FirePOWER Services ⇒ Adaptive Security Appliance (ASA) Software - 9.14.1 Interim

Before proceeding with the upgrade, check the compatibility of the ASA with the new version and read the release notes of the IOS.

Compatibility (referred from Cisco):

The compatibility of the Cisco ASA and ASDM images can be checked on the Cisco site at: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_59003

Let us now discuss the bugs that can cause problems after the image upgrade, and why you should go through this article before upgrading. Bugs have been reported that may cause issues after upgrading your ASA to the 9.14.1.(x) interim release.

For example, two of these bugs are listed below:

  • CSCvt89790: If the ASA is running 9.14.1, setting “SNMP-Server location” sets the same value for “SNMP-Server contact”. The workaround for this issue is to remove or set the SNMP-Server contact manually.
  • CSCvt97205: If the ASA is running 9.14.1, SNMP poll/trap to the remote end of a site-to-site VPN fails on the management interface. The workaround for this issue is to use the outside interface for SNMP poll/trap and add a crypto ACL entry for traffic from the ASA outside IP to the SNMP server IP.
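A check for the two conditions listed above, run against saved `show running-config` output before or after an upgrade. This is an added example, not code from Cisco or from the original article. The sample configuration is constructed, and the interface name `management` is an assumption (use your own nameif).

```python
import re

# Constructed sample of 'show running-config' output (not from a real device).
SAMPLE_CONFIG = """\
ASA Version 9.14(1)10
!
hostname edge-fw
snmp-server host management 192.0.2.50 community ***** version 2c
snmp-server host outside 198.51.100.7 community ***** version 2c
snmp-server location DC1-Rack12
snmp-server contact DC1-Rack12
"""

def audit_snmp(config, mgmt_if="management"):
    """Return (bug_id, message) findings for a config saved from 9.14(1)."""
    m = re.search(r"^ASA Version (\S+)", config, re.M)
    version = m.group(1) if m else ""
    # Both bugs in the article are reported against 9.14.1 and its interims.
    if not version.startswith("9.14(1)"):
        return []
    findings = []
    loc = re.search(r"^snmp-server location (.+)$", config, re.M)
    con = re.search(r"^snmp-server contact (.+)$", config, re.M)
    # CSCvt89790: setting the location also overwrites the contact.
    if loc and con and loc.group(1).strip() == con.group(1).strip():
        findings.append(("CSCvt89790",
                         "contact equals location; re-enter snmp-server contact"))
    # CSCvt97205: flag SNMP servers bound to the management interface so the
    # operator can check whether they are reached over a site-to-site VPN.
    for iface, host in re.findall(r"^snmp-server host (\S+) (\S+)", config, re.M):
        if iface == mgmt_if:
            findings.append(("CSCvt97205",
                             f"SNMP host {host} is polled via {iface}"))
    return findings

if __name__ == "__main__":
    for bug, msg in audit_snmp(SAMPLE_CONFIG):
        print(f"{bug}: {msg}")
```

The CSCvt97205 check over-reports on purpose: it cannot tell from these lines alone whether the server sits behind a VPN tunnel, so each hit needs a manual look.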

Whether to run SNMP poll/trap on the outside interface of the ASA is open to debate. Since the outside interface of the ASA is internet-facing, some of us would not recommend using it. The other possible solution is to use another available Cisco ASA image, i.e. 9.12.1.(x) or 9.13.1.(x).

Symptoms Of Issues After Upgrade To 9.14.1

The most common and major issue is that anything that uses SNMP will stop responding, and there will be no output from the ASA.

SolarWinds Orion (the SNMP server end) uses SNMP for polling and traps, so the device will stop responding to Orion, or its interfaces will be in an “unknown” state, as shown in the screenshot below.

Solution or workaround: Since keeping the SNMP polling interface on the “outside” interface is neither good practice nor recommended, for now, until Cisco releases a bug fix, it is advisable to downgrade or upgrade the ASA image to 9.12.1.(x) or 9.13.1.(x).

Source: Cisco, Internet, Knowledge Base
