Prerequisites for ASA and ASDM Upgrade in CDO

Cisco Defense Orchestrator (CDO) provides a wizard that helps you upgrade the ASA and ASDM images installed on an individual ASA, multiple ASAs, ASAs in an active-standby configuration, and ASAs running in single-context or multi-context mode.

CDO maintains a repository of ASA and ASDM images that you can upgrade to. When you choose your upgrade images from CDO's image repository, CDO performs all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA software and ASDM images, installs them, and reboots the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on CDO are the ones copied to, and installed on, your ASA. CDO periodically reviews its inventory of ASA binaries and adds the newest ASA and ASDM images to its repository when they are available. This is the best option for customers whose ASAs have outbound access to the internet.

CDO's image repository only contains generally available (GA) images. If you do not see a specific GA image in the list, please contact Cisco TAC or email support from the Contact Support page. We will process the request using the established support ticket SLAs and upload the missing GA image.

If your ASAs do not have outbound access to the internet, you can download the ASA and ASDM images you want from Cisco.com, store them in your own repository, provide the upgrade wizard with a custom URL to those images, and CDO performs upgrades using those images. In this case, however, you determine what images you want to upgrade to. CDO does not perform the image integrity check or disk-space check. You can retrieve the images from your repository using any of these protocols: FTP, TFTP, HTTP, HTTPS, SCP, and SMB.

Configuration Prerequisites for All ASAs

DNS needs to be enabled on the ASA.
ASA should be able to reach the internet if you use upgrade images from CDO's image repository.
Ensure HTTPS connectivity between the ASA and the repository FQDN.
The ASA has been successfully onboarded to CDO.
The ASA is synced to CDO.
The ASA is online.
For custom URL upgrades:
- Use the Cisco ASA Upgrade Guide to determine what version of ASA and ASDM are compatible with your ASAs.
- Download the ASA and ASDM images to your image repository.
- Ensure that the ASA has access to your image repository.
- Ensure you have enough disk space on your ASA for your ASA and ASDM images.
- Read Custom URL Upgrade for URL syntax information.

Configuration Prerequisites for Firepower 1000 and Firepower 2100 Series Devices

The FXOS mode of a Firepower 2100 series device must be configured for appliance mode. See Set the Firepower 2100 to Appliance or Platform Mode for more information.
The device must be running ASA Version 9.13(1) or later.
You must upgrade the FXOS bundle prior to upgrading the ASA software. See Firepower 2100 ASA and FXOS Compatibility for more information.

Firepower 4100 and Firepower 9300 Series Devices Running ASA

CDO does not support the upgrade for the Firepower 4100 or Firepower 9300 series devices. You must upgrade these devices outside of CDO.

Upgrade Guidelines

CDO can upgrade ASAs configured as an Active/Standby "failover" pair. CDO cannot upgrade ASAs configured in an Active/Active "clustered" pair.

Software and Hardware Prerequisites

Minimum ASA and ASDM versions from which you can upgrade:

ASA: ASA 9.1.2
ASDM: There is no minimum version.

Supported Hardware Versions

See ASA Software and Hardware Support.