Summary

  Subject:

Cisco ASA OS Upgrade Process

  Updated:

2024-05-05

  Author:

Tim Hammond ([email protected])

Leland Petitjean ([email protected])

  Operating Systems:

asa9-14-4-17-smp-k8.bin
asdm-openjre-7181-152.bin

asdm-openjre-7202.bin
asa9-14-4-23-smp-k8.bin

  Background:

The purpose of this walkthrough is to demonstrate how to upgrade a Cisco ASA's operating system firmware to a new version.

In this example, we are upgrading (2) Cisco ASA 5555 firewalls.

In this guide, we assume you are upgrading two ASAs that are paired together.

Prework

It is assumed that you have an active Cisco Support contract in place to cover your equipment.

To get the latest NXOS version, go to: https://software.cisco.com/download/home. Log in and then browse to your specific firewall model. Then download the latest or your desired NXOS version.

Move the *.bin file to your TFTP server. Check out our Windows - Setup a TFTP Server article.

Update Process

Health Check

Verify that everything is healthy before proceeding. Verify that the standby unit is done reloading before rebooting the active unit. When the output says "Standby Ready State," it is safe to reboot the active system.

show failover

Create a Backup Config

Before we get too far ahead of ourselves, it is a good idea to create a backup of the startup config for both firewalls before we make any changes. To do this, use a console cable or SSH into the firewall, then run the following command:

copy start tftp://192.168.1.50/firewallName01.cfg

Repeat the backup process on the second firewall.

copy start tftp://192.168.1.50/firewallName02.cfg

Firmware Copy process

Engineers or sysadmins like to leave an old copy of the firmware or config files on the firewall's storage. Cisco ASA firewalls usually have a ton of storage, so to play it safe, don't worry about cleaning this up until you have completed the upgrade. You can use the following command to see the contents of the storage if you are curious, though.

dir

Alright, let's copy the bits over to the firewall. The format for the command is: copy source destination. On the ASA, flash: is an alias for disk0:, so either works as the destination. Type this from the console or SSH session on the firewall.

Copy over the OS *.bin files.

copy tftp://10.159.101.148/5555x/bin/asdm-openjre-7202.bin disk0:
copy tftp://10.159.101.148/5555x/bin/asa9-14-4-23-smp-k8.bin disk0:

Copy over the VPN client installers.

copy tftp://10.159.101.148/5555x/anyconnect/cisco-secure-client-linux64-5.1.1.42-webdeploy-k9.pkg disk0:
copy tftp://10.159.101.148/5555x/anyconnect/cisco-secure-client-macos-5.1.1.42-webdeploy-k9.pkg disk0:
copy tftp://10.159.101.148/5555x/anyconnect/cisco-secure-client-win-5.1.1.42-webdeploy-k9.pkg disk0:
copy tftp://10.159.101.148/5555x/anyconnect/cisco-secure-client-win-arm64-5.1.1.42-webdeploy-k9.pkg disk0:

Copy the new *.bin and *.pkg files to the second firewall.

Both firewalls should be running the same version when you are done.

Checksum Validation

After the files have been copied, verify their checksums. TFTP provides no integrity protection of its own, so this step is what tells you the image on disk0: is the one Cisco published. The original checksum hash can be found on Cisco's website where you downloaded the firmware from.

verify /md5 disk0:/asdm-openjre-7202.bin
verify /md5 disk0:/asa9-14-4-23-smp-k8.bin
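As an added example (not part of the original article), the same check can be done on the workstation before the images ever reach the TFTP server, so a bad download is caught early. The EXPECTED table and the asa-sample.bin file in demo() are constructed placeholders; the real hashes come from the Cisco download page.

```python
import hashlib
import hmac
import os
import tempfile

# Placeholder table: fill in the MD5 / SHA-512 values shown on the Cisco
# download page for each image. Values here are NOT real hashes.
EXPECTED = {
    "asa9-14-4-23-smp-k8.bin": {"md5": "<md5 from cisco download page>"},
    "asdm-openjre-7202.bin": {"md5": "<md5 from cisco download page>"},
}

def image_digest(path, algo="md5", chunk=1 << 20):
    """Hash a firmware image in 1 MiB chunks; images are hundreds of MB."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_image(path, expected_hex, algo="md5"):
    """True only if the digest matches; compare_digest avoids timing leaks."""
    actual = image_digest(path, algo)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())

def check_all(directory, expected=EXPECTED):
    """Verify every image listed in `expected`; returns {filename: bool}.
    A missing file counts as a failure so nothing silently slips through."""
    results = {}
    for name, hashes in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        results[name] = all(check_image(path, hx, algo) for algo, hx in hashes.items())
    return results

def demo():
    """Offline self-check on a constructed 3-byte 'image' (content b'abc')."""
    good = {"md5": "900150983cd24fb0d6963f7d28e17f72",
            "sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                      "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"}
    with tempfile.TemporaryDirectory() as d:
        for name in ("asa-sample.bin", "tampered.bin"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"abc")
        expected = {"asa-sample.bin": good,
                    "tampered.bin": {"md5": "0" * 32},   # wrong hash on record
                    "missing.bin": good}                 # never downloaded
        return check_all(d, expected)
```

Only an image that reports True here should be moved to the TFTP server; the on-box verify /md5 step above remains the final check after the copy.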

Upgrade the Firmware

Only upgrade and reboot one firewall at a time to avoid interruptions of service.

Take note of the current version using this command.

show ver

Take note of location and filename of the currently loaded OS version.

show running-config boot system

Enter configure terminal mode, then disable the current IOS from loading at boot and specify the new IOS version that you want to load at the next boot. You will need to enter the file path in the commands.

config t
no boot system disk0:/asa9-14-4-17-smp-k8.bin

Set the new *.bin files as the boot version.

boot system disk0:/asa9-14-4-23-smp-k8.bin
asdm image disk0:/asdm-openjre-7202.bin

Exit the configure terminal mode then use the shortcut wr to copy the running-config to the startup-config.

exit
wr

Are you ready for this? How exciting! Use the reload command to reboot the firewall. When you hit y on your keyboard, the system will reboot. It can take a few seconds for the screen to actually update though.

reload

After the first firewall you updated is fully online, verify everything is healthy BEFORE proceeding to the second firewall. You can run this command on either or both firewalls if you like.

Verify that the standby unit is done reloading before rebooting the active unit. When the output says "Standby Ready State," it is safe to reboot the active system.

show failover
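The "is it safe to reboot the active unit yet?" decision from the health check above (and from the pre-upgrade health check earlier on the page) can be encoded so a script or runbook step cannot skip it. This is an added example, not code from the article; the show failover output is constructed and abridged, with the standby already on 9.14(4)23 and the active unit still on 9.14(4)17, which is the normal mid-upgrade state.

```python
import re

# Constructed, abridged `show failover` output from a pair mid-upgrade.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/7 (up)
Version: Ours 9.14(4)17, Mate 9.14(4)23
        This host: Primary - Active
                slot 0: ASA5555 hw/sw rev (1.0/9.14(4)17) status (Up Sys)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (192.0.2.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                slot 0: ASA5555 hw/sw rev (1.0/9.14(4)23) status (Up Sys)
                  Interface outside (203.0.113.3): Normal (Monitored)
                  Interface inside (192.0.2.2): Normal (Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+\S+\s+-\s+(.+?)\s*$")
VER_RE = re.compile(r"^Version:\s+Ours\s+([^,]+),\s+Mate\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^Interface\s+(\S+)\s+\([^)]*\):\s+([A-Za-z ]+?)\s+\(")

def parse_failover(text):
    """Reduce `show failover` output to the fields the runbook checks."""
    info = {"failover_on": False, "this": None, "other": None,
            "ours": None, "mate": None, "bad_interfaces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
        elif m := HOST_RE.match(line):
            info["this" if m.group(1) == "This" else "other"] = m.group(2)
        elif m := VER_RE.match(line):
            info["ours"], info["mate"] = m.group(1), m.group(2)
        elif m := IFACE_RE.match(line):
            if m.group(2) != "Normal":      # e.g. Failed, No Link, Unknown
                info["bad_interfaces"].append(m.group(1))
    return info

def safe_to_reload_active(text):
    """The rule from the text: reload the active unit only when failover is
    on, the mate reports 'Standby Ready', and no monitored interface is bad."""
    info = parse_failover(text)
    return (info["failover_on"] and info["other"] == "Standby Ready"
            and not info["bad_interfaces"])
```

States such as "Sync Config" or "Not Detected" mean the mate is still coming back and the check stays False until it reports "Standby Ready".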

Remember, when we are working with a pair of firewalls, a config change made on the primary firewall is replicated to the secondary firewall. Thus, we do not need to repeat these config changes on the secondary firewall. However, we do need to reboot the secondary firewall for the new firmware to run as the active version. To reload the secondary firewall, run the following command:

failover reload-standby

After the second firewall is fully online, as before, verify everything is healthy. You can run this command on either or both firewalls if you like.

show failover

Lastly, we need to specify the new VPN client packages.

config t
webvpn
anyconnect image disk0:/cisco-secure-client-linux64-5.1.1.42-webdeploy-k9.pkg 1
anyconnect image disk0:/cisco-secure-client-macos-5.1.1.42-webdeploy-k9.pkg 2
anyconnect image disk0:/cisco-secure-client-win-5.1.1.42-webdeploy-k9.pkg 3
anyconnect image disk0:/cisco-secure-client-win-arm64-5.1.1.42-webdeploy-k9.pkg 4
end
wr

Cleanup

To validate our work, use the show version and show boot commands to verify you are now using the new ASA version and that the path to the file is correct.

show ver
show boot

As previously stated, oftentimes there are old firmware versions or backup configs on the firewalls. Now is the time you can clean them up. This is by no means required; it is at your discretion. Generally speaking, we opt to leave the old NXOS version on the firewall for a few weeks and then remove it (if we remember).

dir
del /noconfirm disk0:asa9-14-4-17-smp-k8.bin
del /noconfirm disk0:asdm-openjre-7181-152.bin
del /noconfirm disk0:anyconnect-win-arm64-4.10.07061-webdeploy-k9.pkg
del /noconfirm disk0:anyconnect-linux64-4.10.07061-webdeploy-k9.pkg
del /noconfirm disk0:anyconnect-macos-4.10.07061-webdeploy-k9.pkg
del /noconfirm disk0:anyconnect-win-4.10.07061-webdeploy-k9.pkg

A cool trick on the ASA firewalls is that you can run commands from one firewall that will execute on the failover firewall by adding "failover exec mate" to the beginning of the command.

failover exec mate del /noconfirm disk0:asa9-14-4-17-smp-k8.bin
failover exec mate del /noconfirm disk0:asdm-openjre-7181-152.bin
failover exec mate del /noconfirm disk0:anyconnect-win-arm64-4.10.07061-webdeploy-k9.pkg
failover exec mate del /noconfirm disk0:anyconnect-linux64-4.10.07061-webdeploy-k9.pkg
failover exec mate del /noconfirm disk0:anyconnect-macos-4.10.07061-webdeploy-k9.pkg
failover exec mate del /noconfirm disk0:anyconnect-win-4.10.07061-webdeploy-k9.pkg
