How to Choose the Right Cisco ASA Software Release

cisco-asa

I have some pre-8.3 ASAs that I'm planning to upgrade to standardize on the new NAT semantics. I am aware of the big changes between pre-8.3 and 8.3+ from these two great Q&As.

What is unclear to me is how to choose from the numerous 8.3+ ASA software releases available to me. This is what the software release tree looks like in my Cisco support portal:

enter image description here

For IOS Cisco published How to Choose IOS Software Release which, among other things, defines the nomenclature for the version numbers (ie. format A.B(C)D) and software image type (ie. ED vs. GD etc). I have not found an equivalent document for ASA.

Surely there is some careful release engineering going on by Cisco to strive for stability in some ASA releases and new features in others. I haven't, however, found any document that helps me to sort between the two priorities.

I expect to read the release notes to establish what features are available in each release, but without other information I'd still be guessing at how stable each release is.

I guess I'm left with the following questions:

  1. In general, how do you decide which ASA software release to upgrade to?
  2. Is there a way to get a sense for how stable a particular release is?
  3. What does the .ED suffix mean? What does a numeric .x suffix mean?
  4. Can I glean stability of a release based on the age of major and minor releases? For example, should I expect 8.4.7.ED to be more stable than 9.2.1.ED?

Best Answer

  1. In general, how do you decide which ASA software release to upgrade to?

If the newest major release has been out for a while, I look at the release notes to get a sense if there are no bugs that would affect my network and pick a minor version based on that. Else, I go with the newest version of the second-newest major release--assuming that doesn't have open bugs that would affect my network.

  1. Is there a way to get a sense for how stable a particular release is?

Absolutely, look at the open caveats in the release notes. For software that's been in the wild for a reasonable amount of time, the shorter the list of open caveats, the better. This has held true in my experience going back to 6.x.

  1. What does the .ED suffix mean? What does a numeric .x suffix mean?

ED = early deployment -- "Early Deployment releases offer new feature, platform, or interface support. Most non-major releases contain ED releases." This is a flag to tell you that there's something new--read the release notes as you say but it's usually benign in my experience. A fourth number (.x in your question) is a "interim release" that replaces another version previously released. For 8.4(4.1) ("8.4.4.1" above) there was a "build problem" with 8.4(4) so 8.4(4.1) was put out to replace it.

  1. Can I glean stability of a release based on the age of major and minor releases? For example, should I expect 8.4.7.ED to be more stable than 9.2.1.ED?

Maybe. I'd definitely say 8.4.7, as an example, would be more stable than 9.0 or 9.1, but a point-2 release could have reached sufficient maturity. It really depends on the open caveats and your specific config and use case.

Related Topic