Cisco ASA IOS Upgrade/Downgrade GUI

edledge Cisco logo

Scenario:
Make: Cisco ASA
Model: ASA 5506-X, ASA 5506 W-X, ASA 5508-X
Mode : GUI (ASDM)
Description: In this article we will discuss stepwise how to upgrade and/or downgrade the IOS of Cisco ASA Firewalls. This article contains GUI method of upgrading Cisco IOS. We can upgrade the IOS via CLI as well. Follow the link to get CLI method to upgrade IOS of ASA.

If you are looking to upgrade or downgrade the IOS/firmware/image of the Cisco ASA then below mentioned steps will be helpful. Below are the steps to guide how to upgrade & downgrade the ASA IOS and ASDM image.

Upgrade ASA Software

Step1: Download Image or IOS 
Select the IOS Version and download it from the Cisco Software Download Center and save it in the local Computer.

Step 2: Flash Space Check
Check & ensure ASA flash has enough space for new IOS using command shown below.

edledge-asa # sh flash:
--#-- --length-- -----date/time------ path
111 66 Aug 31 2020 14:16:41 .boot_string
112 9241408 Dec 11 2018 11:40:28 asa5500-firmware-1114.SPA
113 111505136 Dec 11 2018 11:48:04 asa992-32-lfbff-k8.SPA
114 41848832 Dec 11 2018 11:55:34 asasfr-5500x-boot-6.0.0-1005.img
115 34143680 Jun 18 2019 11:09:44 asdm-7101.bin
4 4096 Jun 13 2020 09:59:28 log
130 3375 Apr 21 2020 08:51:34 log/asa-appagent.log
131 1034 Jun 27 2020 12:41:04 log/ma_ctx2000.log
16 4096 Dec 11 2018 12:08:46 crypto_archive
19 4096 Dec 11 2018 12:08:48 coredumpinfo
20 59 Dec 11 2018 12:08:48 coredumpinfo/coredump.cfg
116 4096 Dec 12 2018 17:23:24 tmp
17 4096 Jan 03 2019 14:56:44 snmp
18 4 Jun 27 2020 12:43:53 snmp/single_vf
117 107571680 Jun 27 2020 11:33:20 asa9-13-1-10-lfbff-k8.SPA
118 98691 Jan 11 2020 14:07:54 oldconfig_2020Jan11_0837.cfg
120 106686 Jun 13 2020 09:50:28 oldconfig_2020Jun13_0420.cfg
122 109643 Jun 27 2020 11:33:54 oldconfig_2020Jun27_0603.cfg
123 110660520 Jun 27 2020 12:19:08 asdm-openjre-7131-101.bin
7365472256 bytes total (3726716928 bytes free)

If needed [available free space is low] delete old unused IOS images to make some free space.

edledge-asa# delete flash:asa992-32-lfbff-k8.SPA
Delete filename [asa992-32-lfbff-k8.SPA]?
Delete disk0:/asa992-32-lfbff-k8.SPA? [confirm] [ENTER]

Step3: Login into ASA through ASDM

Step4: After logged in into ASA

"Tools" and then "Upgrade Software from Local Computer...."

Step5: Upload file to ASA
Click “Upgrade Software from Local Computer” and You will see the page as shown below



Step6: Flash Selection
Select “ASA” by clicking “Application Profile” drop-down tab as shown below.

Step7: Selecting IOS File
Click “Browse Local Files” and Select the IOS file saved in the local computer in Step 1

Step8: File Path
Select the correct IOS file is selected. IOS file is ready to be uploaded to the ASA. Click “Upload Image“.


Uploading will start as soon as "Upload Image" is clicked, wait util it gets uploaded 100% successfully without any error. Upload status would be as below. 

Step9: System Boot Setting
Just after IOS upload is completed, a prompt to “set the image as boot image” will appear.

“Yes – If you want to boot the ASA with the new image in the next reload.”
“No – If you do not want to boot ASA for the new IOS image now.
Set the boot image later as well.”

If the above option is selected as “Yes” the new uploaded IOS File will be set as Boot Image and in the next ASA reload, ASA will be boot with a new image. A confirmation message will appear once the newly uploaded image will be set as a boot image (if the option is selected as “yes” in Step 9)


Step10: Booting With New IOS
Now Reload the ASA using Reload command.

Upgrade ASDM Software

Follow Steps 1 to 5 Same as earlier as mentioned above.
At Step 6, select “ASDM” instead of “ASA”. As shown below: –

At Step 7, Select the “ASDM” image.


Step 8 and Step 9 will remain the same. Reload the ASA and it will boot up with new ASDM image if "YES" was selected when it was asked to boot ASA with new uploaded Image [Step 9]

Few important points to take care of
1. Ensure the free available space for new IOS image in ASA else it could cause issues
2. If ASAs are in HA pair, we would need to upload IOS image on both Firewalls separately else it will show an error of Version mismatch [as shown below]



3. After primary ASA has been uploaded with a new image and it was reloaded the secondary will boot with the same image and accessing the secondary ASA via ASDM will prompt an error as the other ASA does not has the new ASDM image file in its flash or disk0. Execute command to set the ASDM image to old ASDM image till the time secondary ASA has been uploaded with new images [ASA & ASDM]

edledge-asa# sh asdm image
Device Manager image file, disk0:/asdm-openjre-7131-101.bin

Change it to old existing ASDM image

edledge-asa # sh flash:
--#-- --length-- -----date/time------ path
111 66 Aug 31 2020 14:16:41 .boot_string
112 9241408 Dec 11 2018 11:40:28 asa5500-firmware-1114.SPA
113 111505136 Dec 11 2018 11:48:04 asa992-32-lfbff-k8.SPA
114 41848832 Dec 11 2018 11:55:34 asasfr-5500x-boot-6.0.0-1005.img
115 34143680 Jun 18 2019 11:09:44 asdm-7101.bin
4 4096 Jun 13 2020 09:59:28 log
130 3375 Apr 21 2020 08:51:34 log/asa-appagent.log
131 1034 Jun 27 2020 12:41:04 log/ma_ctx2000.log
16 4096 Dec 11 2018 12:08:46 crypto_archive
19 4096 Dec 11 2018 12:08:48 coredumpinfo
20 59 Dec 11 2018 12:08:48 coredumpinfo/coredump.cfg
116 4096 Dec 12 2018 17:23:24 tmp
17 4096 Jan 03 2019 14:56:44 snmp
18 4 Jun 27 2020 12:43:53 snmp/single_vf
117 107571680 Jun 27 2020 11:33:20 asa9-13-1-10-lfbff-k8.SPA
118 98691 Jan 11 2020 14:07:54 oldconfig_2020Jan11_0837.cfg
120 106686 Jun 13 2020 09:50:28 oldconfig_2020Jun13_0420.cfg
122 109643 Jun 27 2020 11:33:54 oldconfig_2020Jun27_0603.cfg
123 110660520 Jun 27 2020 12:19:08 asdm-openjre-7131-101.bin
7365472256 bytes total (3726716928 bytes free)
edledge-asa(config)# asdm image flash:asdm-7101.bin [ENTER]

Now ASDM will be accessible on secondary ASA as well and IOS/image could be uploaded to secondary ASA.

There are many types of IOS available on the Cisco Software Download Center and it creates confusion about which is the best. Refer to Cisco IOS or Firmware Release Types to understand the different types of IOS. Also if you are Planning Upgrade Cisco ASA To 9.14.1? make sure you have gone through the bug and issues caused by 9.14.x. IOS mentioned in the attached article.

Source: Cisco, Knowledge Base, Internet

EA00010

Leave a Reply

Your email address will not be published.