People often ask which Cisco ASA code version they should be running. The answer varies with your environment, ASA models and license level. I created this document to track the latest Cisco ASA code upgrade and recommended versions that are feasible for most environments. The recommendations also take the Cisco Security Advisories into consideration: any "high" or "critical" bugs and vulnerabilities are patched in the code versions recommended here.

Please note that the recommendations made here are solely from my experience working with Cisco products and best judgement. You are encouraged to confirm with Cisco TAC and evaluate based on your specific situation.


Cisco ASA Code Upgrade and Recommended Versions

Updated on 2/13/2016:
"Critical" security advisory released: "Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability" on February 10th 2016.

Updated on 1/30/2016:
"High" security advisory released: "Multiple Vulnerabilities in OpenSSL" on January 29th 2016.

Per platform recommendations

ASA5505: 9.2(4.5). The ASA 5505 cannot go beyond 9.2(4.5).

ASA non-X models (5510, 5520, 5540, 5550): 9.1(7). These ASAs cannot go beyond 9.1(7).

ASA X models: These models should move to the fixed build of whichever train they currently run. Here is the excerpt from the advisory page listing, per train, the first release that contains the "high" and "critical" vulnerability fixes.

  • 9.1          9.1(7)
  • 9.2          9.2(4.5)
  • 9.3          9.3(3.7)
  • 9.4          9.4(2.4)
  • 9.5          9.5(2.2)

The original (non-X) ASAs are single-core devices while the ASA-X models are multi-core devices. From 9.2 onward, the ASA code was written primarily for multi-core execution, which is why support was dropped on the single-core platforms.

Why can the smallest ASA5505 run 9.2(4.5) code while the beefier 5510, 5520, 5540 and 5550 cannot? The ASA5505 has massive distribution – it is in many homes, small businesses, etc. Because of the number of ASA5505s in production, Cisco development made an exception and created a special build of the 9.2 image for it.

Both 9.1(7) and 9.2(4.5) contain the fixes from the Cisco Security Advisory. You can also move any ASA5505 to 9.1(7) if you prefer the code release to be consistent across your network.

NIST FIPS Compliant vs. FIPS Validated (Certified)

According to Cisco, “the fixed builds are extremely recent. None of them have been officially submitted for FIPS validation yet (most versions are not tested for full validation). FIPS validation is a lengthy process as the code is handed off to the government for elaborate testing. However, all of the versions listed are FIPS compliant in that they are built to meet the requirements of FIPS.”

Memory Requirements

All code from 8.3 onward (8.3, 8.4, 9.0, 9.1, 9.2 and later) requires at least 512 MB of RAM on the ASA5505, and more on the larger models (see the table below). I have personally had issues trying to run these code versions on ASA5505s with 256M of RAM. Here is a reference table.

Cisco ASA Model       Pre-8.3 RAM   Post-8.3 RAM                  Default shipping RAM on new ASAs (as of Feb. 2010)
5505 10-User          256 MB        256 MB (512 MB recommended)   512 MB
5505 50-User          256 MB        256 MB (512 MB recommended)   512 MB
5505 Unlimited-User   256 MB        512 MB                        512 MB
5505 Security Plus    256 MB        512 MB                        512 MB
5510                  256 MB        1 GB                          1 GB
5510 Security Plus    256 MB        1 GB                          1 GB
5520                  512 MB        2 GB                          2 GB
5540                  1 GB          2 GB                          2 GB
5550                  4 GB          4 GB                          4 GB
5580-20               8 GB          8 GB                          8 GB
5580-40               12 GB         12 GB                         12 GB

Reference: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html
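To put the per-train fixed-release list and the memory table to work, here is a small checker I wrote as an added example (it is not Cisco's code and not part of the original post). It takes the text of a "show version" capture, parses the running version and the Hardware line, and reports whether the box is below the fixed build for its train, above the ceiling for a single-core platform, or short of the 8.3+ RAM requirement. Both version notations are accepted: the release-note form 9.2(4.5) and the form "show version" itself prints, 9.2(4)5. The sample captures are constructed, the "Software Version" and "Hardware:" line layouts are assumed from typical output, and treating an older train (below 9.1) as "move to at least 9.1(7)" is my reading of the recommendations above, not something the advisory states.

```python
import re

# Fixed build per train, copied from the advisory excerpt earlier on this page.
FIXED_RELEASE = {
    (9, 1): "9.1(7)",
    (9, 2): "9.2(4.5)",
    (9, 3): "9.3(3.7)",
    (9, 4): "9.4(2.4)",
    (9, 5): "9.5(2.2)",
}

# Highest build a single-core (non-X) platform can run, per the page above.
PLATFORM_CEILING = {"ASA5505": "9.2(4.5)"}
for _m in ("ASA5510", "ASA5520", "ASA5540", "ASA5550", "ASA5580-20", "ASA5580-40"):
    PLATFORM_CEILING[_m] = "9.1(7)"

# Minimum RAM (MB) for 8.3-and-later code, from the memory table above.
# Models not in this dict are treated as multi-core X platforms.
MIN_RAM_MB = {
    "ASA5505": 512, "ASA5510": 1024, "ASA5520": 2048, "ASA5540": 2048,
    "ASA5550": 4096, "ASA5580-20": 8192, "ASA5580-40": 12288,
}

# 9.2(4.5) -> groups (9, 2, 4, 5, None); 9.2(4)5 -> (9, 2, 4, None, 5); 9.1(7) -> interim absent
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")
# Assumed layout of the "show version" hardware line (model, RAM), e.g.
# "Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz"
_HARDWARE_RE = re.compile(r"Hardware:\s+(ASA[\w-]+),\s+(\d+)\s+MB RAM")


def parse_version(text):
    """Return (major, minor, maintenance, interim) so tuples compare correctly."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised ASA version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            int(m.group(4) or m.group(5) or 0))


def fmt(v):
    """Render a version tuple in the release-note notation used on this page."""
    major, minor, maint, interim = v
    return "%d.%d(%d%s)" % (major, minor, maint, ".%d" % interim if interim else "")


def assess(show_version_output):
    """Check a 'show version' capture against the recommendations; returns findings (empty = OK)."""
    ver = re.search(r"Software Version\s+(\S+)", show_version_output)
    hw = _HARDWARE_RE.search(show_version_output)
    if not ver or not hw:
        raise ValueError("could not find the Software Version and Hardware lines")
    running = parse_version(ver.group(1))
    model, ram_mb = hw.group(1), int(hw.group(2))
    train = running[:2]
    findings = []

    fixed = FIXED_RELEASE.get(train)
    if fixed is None:
        # Assumption: trains older than the listed ones move up to the lowest listed fixed build.
        findings.append("train %d.%d has no listed fixed build; move to at least 9.1(7)" % train)
    elif running < parse_version(fixed):
        findings.append("running %s is below the fixed build %s for its train" % (fmt(running), fixed))

    ceiling = PLATFORM_CEILING.get(model)
    if ceiling and train > parse_version(ceiling)[:2]:
        findings.append("%s cannot run the %d.%d train; its ceiling is %s" % (model, train[0], train[1], ceiling))

    if model in MIN_RAM_MB and running >= (8, 3, 0, 0) and ram_mb < MIN_RAM_MB[model]:
        findings.append("%s has %d MB RAM; 8.3-and-later code needs %d MB" % (model, ram_mb, MIN_RAM_MB[model]))

    return {"model": model, "running": fmt(running), "ram_mb": ram_mb, "findings": findings}


# Constructed captures (not real devices); only the two lines the checker reads matter.
SAMPLE_5505 = """\
Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(6)

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
"""
SAMPLE_5520 = """\
Cisco Adaptive Security Appliance Software Version 9.1(7)

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
"""
SAMPLE_5515X = """\
Cisco Adaptive Security Appliance Software Version 9.4(1)

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
"""

if __name__ == "__main__":
    for capture in (SAMPLE_5505, SAMPLE_5520, SAMPLE_5515X):
        r = assess(capture)
        print("%-11s %-9s %5d MB  %s" % (r["model"], r["running"], r["ram_mb"],
                                        "; ".join(r["findings"]) or "OK"))
```

Run it against a saved "show version" from each firewall (or feed the text in from your inventory tool) and act on any line that is not "OK". The version tuple ordering is the part worth keeping even if you do nothing else: it gets 9.2(4) < 9.2(4.5) < 9.2(5) right, which naive string comparison does not.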

For a full ASA model vs code compatibility rundown list, you can reference http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

This document is frequently updated to reflect the latest developments, Cisco bug fixes and vulnerability remediation.