Prerequisites for ASA and ASDM Upgrade in Security Cloud Control
Security Cloud Control provides a wizard that helps you upgrade the ASA and ASDM images installed on an individual ASA, multiple ASAs, ASAs in an active-standby configuration, and ASAs running in single-context or multi-context mode.
Security Cloud Control maintains a repository of ASA and ASDM images that you can upgrade to. When you choose your upgrade images from Security Cloud Control's image repository, Security Cloud Control performs all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA software and ASDM images, installs them, and reboots the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on Security Cloud Control are the ones copied to, and installed on, your ASA. Security Cloud Control periodically reviews its inventory of ASA binaries and adds the newest ASA and ASDM images to its repository when they are available. This is the best option for customers whose ASAs have outbound access to the internet.
Security Cloud Control's image repository only contains generally available (GA) images. If you do not see a specific GA image in the list, please contact Cisco TAC or email support from the Contact Support page. We will process the request using the established support ticket SLAs and upload the missing GA image.
If your ASAs do not have outbound access to the internet, you can download the ASA and ASDM images you want from Cisco.com, store them in your own repository, and provide the upgrade wizard with a custom URL to those images. Security Cloud Control then performs the upgrade using those images. In this case, however, you determine which images to upgrade to, and Security Cloud Control does not perform the image integrity check or disk-space check. You can retrieve the images from your repository using any of these protocols: FTP, TFTP, HTTP, HTTPS, SCP, and SMB.
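Because Security Cloud Control skips the image integrity and disk-space checks for custom URL upgrades, you can run equivalent checks on the repository host before giving the wizard a URL. The following Python script is an added example, not Cisco or Security Cloud Control code. It assumes you have copied each image's SHA-512 checksum from its Cisco.com download page and read the free flash space from the ASA yourself; the function names, file names, and 10% headroom are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha512_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images are not read into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_staged_images(repo_dir, manifest, asa_free_bytes, headroom_pct=10):
    """Return a list of problems; an empty list means the images may be staged.

    manifest maps image file name -> SHA-512 hex digest published by the vendor.
    asa_free_bytes is the free flash space the operator read from the ASA.
    """
    problems, total = [], 0
    for name, expected in manifest.items():
        if Path(name).name != name:  # reject names that escape repo_dir
            problems.append(f"{name}: not a plain file name")
            continue
        path = Path(repo_dir) / name
        if not path.is_file():
            problems.append(f"{name}: missing from repository")
            continue
        total += path.stat().st_size
        if not hmac.compare_digest(sha512_of(path), expected.strip().lower()):
            problems.append(f"{name}: SHA-512 mismatch")
    needed = total + total * headroom_pct // 100  # margin is an assumption
    if needed > asa_free_bytes:
        problems.append(f"disk: need {needed} bytes, {asa_free_bytes} free")
    return problems


if __name__ == "__main__":
    # Constructed stand-ins for real images; names and contents are made up.
    with tempfile.TemporaryDirectory() as repo:
        for name, body in (("asa-example.bin", b"A" * 1000), ("asdm-example.bin", b"B" * 500)):
            (Path(repo) / name).write_bytes(body)
        manifest = {
            "asa-example.bin": hashlib.sha512(b"A" * 1000).hexdigest(),
            "asdm-example.bin": hashlib.sha512(b"tampered").hexdigest(),
        }
        for problem in check_staged_images(repo, manifest, asa_free_bytes=1600):
            print(problem)
```

An empty result means every listed image matches its published digest and the combined size, plus headroom, fits in the reported free space.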
Configuration Prerequisites for All ASAs
- DNS needs to be enabled on the ASA.
- The ASA should be able to reach the internet if you use upgrade images from Security Cloud Control's image repository.
- Ensure HTTPS connectivity between the ASA and the repository FQDN.
- The ASA has been successfully onboarded to Security Cloud Control.
- The ASA is synced to Security Cloud Control.
- The ASA is online.
- For custom URL upgrades:
  - Use the Cisco ASA Upgrade Guide to determine which versions of ASA and ASDM are compatible with your ASAs.
  - Download the ASA and ASDM images to your image repository.
  - Ensure that the ASA has access to your image repository.
  - Ensure you have enough disk space on your ASA for your ASA and ASDM images.
  - Read Custom URL Upgrade for URL syntax information.
Configuration Prerequisites for Firepower 1000 and Firepower 2100 Series Devices
- The FXOS mode of a Firepower 2100 series device must be configured for appliance mode. See Set the Firepower 2100 to Appliance or Platform Mode for more information.
- The device must be running ASA Version 9.13(1) or later.
- You must upgrade the FXOS bundle prior to upgrading the ASA software. See Firepower 2100 ASA and FXOS Compatibility for more information.
Firepower 4100 and Firepower 9300 Series Devices Running ASA
Security Cloud Control does not support the upgrade for the Firepower 4100 or Firepower 9300 series devices. You must upgrade these devices outside of Security Cloud Control.
Upgrade Guidelines
- Security Cloud Control can upgrade ASAs configured as an Active/Standby "failover" pair. Security Cloud Control cannot upgrade ASAs configured in an Active/Active "clustered" pair.
Software and Hardware Prerequisites
Minimum ASA and ASDM versions from which you can upgrade:
- ASA: ASA 9.1.2
- ASDM: There is no minimum version.
Supported Hardware Versions