Thursday, January 23, 2020

ASA Upgrade / Downgrade Questions and Advice

We have a smattering of ASAs of the 5506, 5515, 5516, and 5525 variety serving various critical and non-production purposes. All run pure ASA code with no FTD. Most of them are due for security updates, which is what prompted this post. Most are on 9.0 to 9.8, which will be trivial to upgrade to the latest interim 9.8.4.

However, several of the newer installs were deployed with (not my fault, but probably my oversight) various flavors of 9.9.2 installed. This has now been deprecated, so we need to move to a main branch release. Normally, this would be 9.10.x or 9.12.x, as we like to stay with starred release trains. However, neither train is a starred release for the 5506/5516 models. We would also like (ideally, but not at all a deal breaker) to keep everything on the same version (9.8.4) for simplicity's sake.

So assuming we downgrade from 9.9.2 to 9.8.4, my questions for those who have first-hand experience are:

  • Is downgrading an ASA as technically simple as an upgrade?
  • Can I follow the same upgrade path rules in the release notes but backwards?
  • Does anyone have experience downgrading active/standby pairs?
  • Is it worth upgrading the ROMMON code, if available, even if not required?

I would also like to run a single ASA on the new code for a few days to make sure we don't have any issues with the new OS.

  • Is there an issue running an active/standby pair on upgrade-compatible but different OS versions for any length of time? If we do have issues, I'd like to be able to fail the pair back over to the old software--is this asking too much?

We don't ask much of our ASAs. The critical devices are basically NAT appliances with basic zone-based rules. All the crypto and VPN tasks are done on non-critical, standalone devices.

Thanks
