About Upgrading ASA and ASDM Images
Cisco Defense Orchestrator (CDO) provides a wizard that helps you upgrade the ASA and ASDM images installed on an individual ASA, multiple ASAs, ASAs in an active-standby configuration, and ASAs running in single-context or multi-context mode.
CDO maintains a repository of ASA and ASDM images that you can upgrade to. When you choose your upgrade images from CDO's image repository, CDO performs all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA software and ASDM images, installs them, and reboots the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on CDO are the ones copied to, and installed on, your ASA. CDO periodically reviews its inventory of ASA binaries and adds the newest ASA and ASDM images to its repository when they are available. This is the best option for customers whose ASAs have outbound access to the internet.
CDO's image repository only contains generally available (GA) images. If you do not see a specific GA image in the list, please contact Cisco TAC or email support from the Contact Support page. We will process the request using the established support ticket SLAs and upload the missing GA image.
If your ASAs do not have outbound access to the internet, you can download the ASA and ASDM images you want from Cisco.com, store them in your own repository, provide the upgrade wizard with a custom URL to those images, and CDO performs upgrades using those images. In this case, however, you determine what images you want to upgrade to. CDO does not perform the image integrity check or disk-space check. You can retrieve the images from your repository using any of these protocols: FTP, TFTP, HTTP, HTTPS, SCP, and SMB.
Before You Upgrade
- DNS needs to be enabled on the ASA.
- ASA should be able to reach the internet if you use upgrade images from CDO's image repository.
- The ASA has been successfully onboarded to CDO.
- The ASA is synced to CDO.
- The ASA is online.
- For custom URL upgrade: Use the Cisco ASA Upgrade Guide to determine what version of ASA and ASDM are compatible with your ASAs.
- For custom URL upgrade: Download the ASA and ASDM images to your image repository.
- For custom URL upgrade: Ensure that the ASA has access to your image repository.
- For custom URL upgrade: Ensure you have enough disk space on your ASA for your ASA and ASDM images.
- For custom URL upgrade: Read Custom URL Upgrade for URL syntax information.
Configuration Prerequisites for 1000 and 2000 Series
- The FXOS mode of a 2000 series device must be configured for appliance mode. See Set the Firepower 2100 to Appliance or Platform Mode for more information.
- The device must be running at least ASA Version 9.13(1).
- You must upgrade the FXOS bundle prior to upgrading the ASA software. See Firepower 2100 ASA and FXOS Compatibility for more information.
4100 and 9300 Series Running ASA
CDO does not support the upgrade for the 4100 or 9300 series devices. You must upgrade these devices outside of CDO.
- CDO can upgrade ASAs configured as an Active/Standby "failover" pair. CDO cannot upgrade ASAs configured in an Active/Active "clustered" pair.
Software and Hardware Prerequisites
Minimum ASA and ASDM versions from which you can upgrade:
- ASA: ASA 9.1.2
- ASDM: There is no minimum version.