Cisco ASA Compatibility
This document lists the Cisco ASA software and hardware compatibility and requirements.
ASA and ASDM Compatibility Per Model
This section lists ASA and ASDM compatibility per model.
ASA 9.10 to 9.5
Releases in bold are the recommended versions.
|
ASA |
ASDM |
ASA Model |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X |
ASA 5512-X 5515-X 5525-X 5545-X 5555-X |
ASA 5585-X |
ASAv |
ASASM |
ASA on Firepower 2110 2120 2130 2140 |
ASA on Firepower 4110 4120 4140 4150 |
ASA on Firepower 9300 |
ISA 3000 |
||
|
9.10(1) |
7.10(1)+ |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
|
9.9(2) |
7.9(2)+ |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
|
9.9(1) |
7.9(1)+ |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
|
9.8(2) |
7.8(2)+ |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
YES |
|
9.8(1.200) |
No support |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.8(1) |
7.8(1)+ |
YES |
YES |
YES |
YES (+ASAv50) |
YES |
— |
YES |
YES |
YES |
|
9.7(1.4) |
7.7(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
YES |
YES |
YES |
|
9.6(4) |
7.9(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
YES |
YES |
YES |
|
9.6(3.1) |
7.7(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
YES |
YES |
YES |
|
9.6(2) |
7.6(2)+ |
YES |
YES |
YES |
YES |
YES |
— |
YES |
YES |
YES |
|
9.6(1) |
7.6(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
YES (except 4150) |
YES |
YES |
|
9.5(3.9) |
7.6(2)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
— |
YES |
|
9.5(2.200) |
7.5(2.153)+ |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.5(2.2) |
7.5(2)+ |
— |
— |
— |
— |
— |
— |
— |
YES |
— |
|
9.5(2.1) |
7.5(2)+ |
— |
— |
— |
— |
— |
— |
— |
YES |
— |
|
9.5(2) |
7.5(2)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
— |
YES |
|
9.5(1.200) |
7.5(1)+ |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.5(1.5) |
7.5(1.112)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
|
9.5(1) |
7.5(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
ASA 9.4 to 9.3
|
ASA |
ASDM |
ASA Model |
||||||
|---|---|---|---|---|---|---|---|---|
|
ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X |
ASA 5512-X 5515-X 5525-X 5545-X 5555-X |
ASA 5585-X |
ASAv |
ASASM |
ASA on Firepower 9300 |
ISA 3000 |
||
|
9.4(4.5) |
7.6(2)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
9.4(3) |
7.6(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
9.4(2.146) |
7.5(1.112)+ |
— |
— |
— |
— |
— |
YES |
— |
|
9.4(2.145) |
7.5(1.112)+ |
— |
— |
— |
— |
— |
YES |
— |
|
9.4(2) |
7.5(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
9.4(1.225) |
7.5(1)+ |
— |
— |
— |
— |
— |
— |
YES |
|
9.4(1.200) |
7.4(2)+ |
— |
— |
— |
YES |
— |
— |
— |
|
9.4(1.152) |
7.4(3)+ |
— |
— |
— |
— |
— |
YES |
— |
|
9.4(1) |
7.4(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
9.3(3.8) |
7.4(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
9.3(3) |
7.4(1)+ |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
9.3(2.200) |
7.3(2)+ |
— |
— |
— |
YES |
— |
— |
— |
|
9.3(2) |
7.3(3)+ |
YES (5506-X only) |
YES |
YES |
YES |
YES |
— |
— |
|
7.3(2)+ |
YES (5506-X only) |
YES |
YES |
YES |
YES |
— |
— |
|
|
9.3(1) |
7.3(1)+ |
— |
YES |
YES |
YES |
YES |
— |
— |
ASA 9.2 to 9.1
|
ASA |
ASDM |
ASA Model | |||
|---|---|---|---|---|---|
|
ASA 5512-X 5515-X 5525-X 5545-X 5555-X |
ASA 5585-X |
ASAv |
ASASM |
||
|
9.2(4.5) |
7.4(3)+ |
YES |
YES |
YES |
YES |
|
9.2(4) |
7.4(3)+ |
YES |
YES |
YES |
YES |
|
9.2(3) |
7.3(1.101)+ |
YES |
YES |
YES |
YES |
|
9.2(2.4) |
7.2(2)+ |
YES |
YES |
YES |
YES |
|
9.2(1) |
7.2(1)+ |
YES |
YES |
YES |
YES |
|
9.1(7.4) |
7.5(2)+ |
YES |
YES |
— |
YES |
|
9.1(6) |
7.1(7)+ |
YES |
YES |
— |
YES |
|
9.1(5) |
7.1(6)+ |
YES |
YES |
— |
YES |
|
9.1(4) |
7.1(5)+ |
YES |
YES |
— |
YES |
|
9.1(3) |
7.1(4)+ |
YES |
YES |
— |
YES |
|
9.1(2) |
7.1(3)+ |
YES |
YES |
— |
YES |
|
9.1(1) |
7.1(1)+ |
YES |
YES |
— |
YES |
ASA 9.0 to 8.4
|
ASA |
ASDM |
ASA Model |
||
|---|---|---|---|---|
|
ASA 5512-X 5515-X 5525-X 5545-X 5555-X |
ASA 5585-X |
ASASM |
||
|
9.0(4) |
7.1(4)+ |
YES |
YES |
YES |
|
9.0(3) |
7.1(3)+ |
YES |
YES |
YES |
|
9.0(2) |
7.1(2)+ |
YES |
YES |
YES |
|
9.0(1) |
7.0(1)+ |
YES |
YES |
YES |
|
8.7(1.1) |
6.7(1) |
— |
— |
— |
|
8.6(1) |
6.6(1) |
YES |
— |
— |
|
8.5(1) |
6.5(1) |
— |
YES |
YES |
|
8.4(7) |
7.1(3)+ |
— |
YES |
— |
|
8.4(6) |
7.1(2.102)+ |
— |
YES |
— |
|
8.4(5) |
7.0(2)+ |
— |
YES |
— |
|
8.4(4.1) |
6.4(9)+ |
— |
YES |
— |
|
8.4(3) |
6.4(7)+ |
— |
YES |
— |
|
8.4(2) |
6.4(5)+ |
— |
YES |
— |
|
8.4(1) |
6.4(1)+ |
— |
YES |
— |
ASA 8.3 to 7.2
|
ASA |
ASDM |
ASA Model |
|---|---|---|
|
ASA 5585-X |
||
|
8.3(2) |
6.3(2)+ |
— |
|
8.3(1) |
6.3(1)+ |
— |
|
8.2(5) |
6.4(3)+ |
YES |
|
8.2(4) |
6.3(5)+ |
YES |
|
8.2(3) |
6.3(4)+ |
YES |
ASA and VPN Compatibility
For ASA and VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
Firepower 4100/9300 Compatibility with the ASA or Firepower Threat Defense
The following table lists compatibility between the ASA OS or Firepower Threat Defense OS with FXOS and Firepower models.
The ASA and Firepower Threat Defense versions in bold are companion releases to the FXOS version; for a given FXOS version, use the application version listed in bold. Use older compatible versions of the application only in the context of upgrades. Note that for upgrade-compatible versions, you may be prompted that the application version is not compatible with the new FXOS version; in this case, indicate Yes to continue with the upgrade. You are expected to upgrade the application version as soon as possible.
The FXOS versions with (EoL) appended have reached their end of life (EoL), or end of support
 Note |
Firepower 2100 series appliances utilize FXOS only as an underlying operating system that is included in the ASA and Firepower Threat Defense unified image bundles. |
|
FXOS Version |
Firepower Model |
ASA OS |
Firepower Threat Defense OS |
||||
|---|---|---|---|---|---|---|---|
|
2.4(1) |
Firepower 4110 Firepower 4120 Firepower 4140 Firepower 4150 |
9.10(1) 9.9(2) 9.9(1) 9.8(x) 9.6(3)
|
6.3(0) 6.2(3) 6.2.2 6.2.0 6.1.0 |
||||
|
Firepower 9300 |
|||||||
|
2.3(1) |
Firepower 4110 Firepower 4120 Firepower 4140 Firepower 4150 |
9.9(2) 9.9(1) 9.8(x) 9.7(x) 9.6(3) |
6.2.3 6.2.2 6.2.0 6.1.0 |
||||
|
Firepower 9300 |
|||||||
|
2.2(2) |
Firepower 4110 Firepower 4120 Firepower 4140 Firepower 4150 |
9.8(x) |
6.2.2 6.2.0 |
||||
|
Firepower 9300 |
|||||||
|
2.2(1) |
Firepower 4110 Firepower 4120 Firepower 4140 Firepower 4150 |
9.8(1) 9.7(x)
|
6.2.0
|
||||
|
Firepower 9300 |
|||||||
|
2.1(1) |
Firepower 4110 Firepower 4120 Firepower 4140 Firepower 4150 |
9.7(x) 9.6(2), 9.6(3) |
6.2.0 6.1.0 |
||||
|
Firepower 9300 |
|||||||
|
2.0(1) |
Firepower 4110 Firepower 4120 Firepower 4140 Firepower 4150 |
9.6(2), 9.6(3) 9.6(1) |
6.1.0 6.0.1 |
||||
|
Firepower 9300 |
|||||||
|
1.1(4) |
Firepower 4110 Firepower 4120 Firepower 4140 |
9.6(1) 9.5(2), 9.5(3) |
6.0.1 |
||||
|
Firepower 9300 |
|||||||
|
1.1(3) |
Firepower 9300 |
9.5(2), 9.5(3) 9.4(2) |
— |
||||
|
1.1(2) |
Firepower 9300 |
9.4(2) 9.4(1) |
— |
||||
|
1.1(1) (EoL) |
Firepower 9300 |
9.4(1) |
— |
Firepower 2100 ASA and FXOS Bundle Versions
Firepower 2100 series appliances utilize FXOS as an underlying operating system that is included in the ASA unified image bundles. The following table lists the ASA and FXOS versions in each released bundle.
Note |
You cannot install ASA or FXOS separately; you must install them both as part of the bundle. |
|
ASA Bundle Version |
FXOS Version |
|---|---|
|
9.10(1) |
2.4(1.92) |
|
9.9(2) |
2.3(1.77) |
|
9.9(1) |
2.3(1.54) |
|
9.8(2) |
2.2(2.52) |
ASAv Hypervisor Compatibility
You can deploy the ASAv on the following hypervisors.
|
Hypervisor |
Version and Details |
ASAv OS |
||||
|---|---|---|---|---|---|---|
|
Amazon Web Services |
Amazon Web Services only supports the following models and instance types:
|
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4) |
||||
|
Kernel-based Virtual Machine (KVM) |
|
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) (ASAv50 support added) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(x) ASA 9.3(2.200), 9.3(3) |
||||
|
Microsoft Azure |
Microsoft Azure supports the ASAv5, ASAv10, and ASAv30 models on the following instance types:
|
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(2), 9.6(3), 9.6(4) ASA 9.5(2.200), 9.5(3) |
||||
|
Microsoft Hyper-V |
The Microsoft Hyper-V hypervisor supports the ASAv5, ASAv10, and ASAv30 models.
|
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(1.200), 9.5(2), 9.5(3) |
||||
|
VMware vSphere |
5.x:
See the VMware documentation for more information about vSphere and hardware requirements: http://www.vmware.com/support/pubs/
|
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) (ASAv50 support added) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(x) ASA 9.3(x) ASA 9.2(x) |
||||
|
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) (ASAv50 support added) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4) |
|||||
|
6.0:
See the VMware documentation for more information about vSphere and hardware requirements: http://www.vmware.com/support/pubs/
|
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) (ASAv50 support added) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4) |
ASA Services Module, IOS, and Switch Compatibility
The following table shows the switch hardware and software compatibility.
|
ASA OS |
Switch Hardware |
Supervisor Engine or Route Switch Processor |
Cisco IOS Release |
|---|---|---|---|
|
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) 9.1(x) 9.0(x) |
Cisco 7604, 7609-S, 7613-S |
SUP 2T with MSFC5 & PFC4 (VS-S2T-10G) SUP 2T with MSFC5 & PFC4XL (VS-S2T-10G-XL) |
15.1(1)SY+ |
|
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) 9.1(x) 9.0(x) |
Cisco 7606-S, 7609-S |
RSP 720 with 10GE ports, MSFC4 & PFC-3C (RSP720-3C-10GE) RSP 720 with 10GE ports, MSFC4 & PFC-3CXL (RSP720-3CXL-10GE) RSP 720 with 2GE ports, MSFC4 & PFC-3C (RSP720-3C-GE) RSP 720 with 2GE ports, MSFC4 & PFC-3CXL (RSP720-3CXL-GE) SUP 720 with MSFC3 & PFC3B (WS-SUP720-3B) SUP 720 with MSFC3 & PFC3BXL (WS-SUP720-3BXL) |
15.2(4)S2+ |
|
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) 9.1(x) 9.0(x) 8.5(1.7)+ |
Catalyst 6500-E |
SUP 2T with MSFC5 & PFC4 (VS-S2T-10G) SUP 2T with MSFC5 & PFC4XL (VS-S2T-10G-XL) |
15.0(1)SY1+ |
|
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) 9.1(x) 9.0(x) 8.5(1.7)+ |
Catalyst 6500-E |
SUP 720-10GE with MSFC3 & PFC3C (VS-S720-10G-3C) SUP 720-10GE with MSFC3 & PFC3CXL (VS-S720-10G-3CXL) SUP 720 with MSFC3 & PFC3B (WS-SUP720-3B) SUP 720 with MSFC3 & PFC3BXL (WS-SUP720-3BXL) |
12.2(33)SXJ2+ (Originally-supported Cisco IOS Version 12.2(33)SXJ1 has a caveat (CSCts88817) that can cause the ASASM to reload under certain circumstances. Therefore, we recommend using Version 12.2(33)SXJ2 or later.) |
|
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) 9.1(x) 9.0(x) 8.5(x) |
Catalyst 6800 series |
SUP 2T with MSFC5 & PFC4 (VS-S2T-10G) SUP 2T with MSFC5 & PFC4XL (VS-S2T-10G-XL) |
15.1(2)SY1+ |
ASA REST API Compatibility
The following table lists ASA REST API and ASA compatibility.
Note |
The ASA 5506-X series does not support the REST API if you are running the FirePOWER module Version 6.0 or later. Disable the ASA REST API using the no rest-api agent command. |
|
ASA |
ASA REST API |
ASA Model |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X |
ASA 5512-X 5515-X 5525-X 5545-X 5555-X |
ASA 5585-X |
ASAv |
ASASM |
ASA on Firepower 2110 2120 2130 2140 |
ASA on Firepower 4110 4120 4140 4150 |
ASA on Firepower 9300 |
ISA 3000 |
||
|
9.10(1) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.9(2) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.9(1) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.8(2) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.8(1.200) |
1.3(2) |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.8(1) |
1.3(2) |
YES |
YES |
YES |
YES (+ASAv50) |
— |
— |
YES |
YES |
YES |
|
9.7(1.4) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.6(4) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.6(3.1) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.6(2) |
1.3(2) |
YES |
YES |
YES |
YES |
— |
— |
YES |
YES |
YES |
|
9.6(1) |
1.3(1)+ |
YES |
YES |
YES |
YES |
— |
— |
YES (except 4150) |
YES |
YES |
|
9.5(3.9) |
1.2(2.200)+ |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
YES |
|
9.5(2.200) |
1.2(2.200)+ |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.5(2.2) |
1.2(2)+ |
— |
— |
— |
— |
— |
— |
— |
YES |
— |
|
9.5(2.1) |
1.2(2)+ |
— |
— |
— |
— |
— |
— |
— |
YES |
— |
|
9.5(2) |
1.2(2)+ |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
YES |
|
9.5(1.200) |
1.2(1)+ |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.5(1.5) |
1.2(1)+ |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
— |
|
9.5(1) |
1.2(1)+ |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
— |
|
9.4(3) |
1.2(1)+ 1.1(1) |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
— |
|
9.4(2.146) |
1.1(2)+ |
— |
— |
— |
— |
— |
— |
— |
YES |
— |
|
9.4(2.145) |
1.1(2)+ |
— |
— |
— |
— |
— |
— |
— |
YES |
— |
|
9.4(2) |
1.2(1)+ 1.1(1), |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
— |
|
9.4(1.225) |
1.2(1)+ |
— |
— |
— |
— |
— |
— |
— |
— |
YES |
|
9.4(1.200) |
1.2(1)+ 1.1(1) |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.4(1.152) |
1.1(2)+ |
— |
— |
— |
— |
— |
— |
— |
YES |
— |
|
9.4(1) |
1.2(1)+ 1.1(1) |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
— |
|
9.3(2.200) |
1.2(1)+ 1.1(1) 1.0(1) |
— |
— |
— |
YES |
— |
— |
— |
— |
— |
|
9.3(2) |
1.2(1)+ 1.1(1) 1.0(1) |
YES (ASA 5506-X only) |
YES |
YES |
YES |
— |
— |
— |
— |
— |
ASA 5506W-X Wireless Access Point Software Compatibility
The ASA 5506W-X includes a Cisco Aironet 702i wireless access point integrated into the ASA. The access point includes an autonomous Cisco IOS image, which enables individual device management. You can install the lightweightimage if you want to add the ASA 5506W-X to a Cisco Unified Wireless Network and use a wireless LAN controller. See the Converting Autonomous Access Points to Lightweight Mode chapter in the Cisco Wireless Control Configuration Guide for more information about using the lightweight image in unified mode.
The following table shows the supported software for the access point as well as the supported Cisco Wireless LAN Controller software if you convert to unified mode.
|
Built-in Access Point |
Cisco IOS Release |
Cisco Wireless LAN Controller Release |
|---|---|---|
|
Aironet 702i |
15.3(3)JBB+ |
8.1.102.0+ |
ASA and ASA FirePOWER Module Compatibility
Compatibility Table
The following table shows the ASA, ASDM, and ASA FirePOWER support.
|
ASA FirePOWER Version |
ASDM Version (for local management) |
ASA Version |
ASA Model |
|||||
|---|---|---|---|---|---|---|---|---|
|
ASA 5506-X Series |
5508-X 5516-X |
ASA 5512-X |
5515-X 5525-X 5545-X 5555-X |
ASA 5585-X (See below for SSP notes) |
ISA 3000 |
|||
|
6.2.3 |
ASDM 7.9(2)+ |
ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X) |
YES |
YES |
YES |
YES |
YES |
— |
|
6.2.2 |
ASDM 7.8(2)+ |
ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X) |
YES |
YES |
YES |
YES |
YES |
— |
|
6.2.0 |
ASDM 7.7(1)+ |
ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X) |
YES |
YES |
YES |
YES |
YES |
— |
|
6.1.0 |
ASDM 7.6(2)+ |
ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X) |
YES |
YES |
YES |
YES |
YES |
— |
|
6.0.1 |
ASDM 7.6(1)+ (no ASA 9.4(x) support) |
ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later. |
YES |
YES |
YES |
YES |
YES |
— |
|
6.0.0 |
ASDM 7.5(1.112)+ (no ASA 9.4(x) support) |
ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later. |
YES |
YES |
YES |
YES |
YES |
— |
|
5.4.1.7+ |
ASDM 7.5(1.112)+ (no ASA 9.4(x) support) |
ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) ASA 9.4(x) ASA 9.4(1.225) (ISA 3000 only) ASA 9.3(2), 9.3(3) (no 5508-X or 5516-X) Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later. |
YES |
YES |
YES |
— |
— |
YES |
|
5.4.1 |
ASDM 7.3(3)+ |
ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) ASA 9.3(2), 9.3(3) (5506-X only) Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later. |
YES |
YES |
YES |
— |
— |
— |
|
5.4.0.2+ |
— |
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) ASA 9.3(2), 9.3(3) Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later. |
— |
— |
YES |
YES |
YES |
— |
|
5.4.0.1 |
— |
ASA 9.2(2.4), 9.2(3), 9.2(4) Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later. |
— |
— |
YES |
YES |
YES |
— |
|
5.3.1 |
— |
ASA 9.2(2.4), 9.2(3), 9.2(4) Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later. |
— |
— |
YES |
YES |
YES |
— |
ASA 5585-X SSP Compatibility
Same level SSPs
ASA FirePOWER SSP -10, -20, -40, and -60
Requirements: Install in slot 1, with matching-level ASA SSP in slot 0
Mixed level SSPs
Support for the following combinations starts with version 5.4.0.1.
-
ASA SSP-10/ASA FirePOWER SSP-40
-
ASA SSP-20/ASA FirePOWER SSP-60
-
ASA SSP-40/ASA FirePOWER SSP-60
Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1
Note |
For the SSP40/60 combination, you might see an error message that this combination is not supported. You can ignore the message. |
Firepower 2100 Network Module Compatibility
|
Modules Supported |
Model |
ASA OS |
||
|---|---|---|---|---|
|
Firepower 2130 Firepower 2140 |
ASA 9.10(x)
|
||
|
Firepower 8-port 1G Network Module single-wide (FPR2K-NM-8X1G) |
Firepower 2130 Firepower 2140 |
ASA 9.10(x) |
||
|
Firepower 8-port 10G Network Module single-wide (FPR2K-NM-8X10G) |
Firepower 2130 Firepower 2140 |
ASA 9.10(x) ASA 9.9(x) ASA 9.8(2), 9.8(3) |
ASA 5585-X SSP and Network Module Compatibility
|
Modules Supported |
ASA OS |
|---|---|
|
ASA SSP-20 and -60 Requirements: Single ASA SSP in slot 0 |
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(x) ASA 9.3(x) ASA 9.2(x) ASA 9.1(x) ASA 9.0(x) ASA 8.4(x)) ASA 8.2(3), 8.2(4), 8.2(5) |
|
ASA SSP-10 and -40 Requirements: Single ASA SSP in slot 0 |
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(x) ASA 9.3(x) ASA 9.2(x) ASA 9.1(x) ASA 9.0(x) ASA 8.4(x)) ASA 8.2(4), 8.2(5) |
|
Dual ASA SSPs:
Requirements: Matching-level for both SSPs |
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(x) ASA 9.3(x) ASA 9.2(x) ASA 9.1(x) ASA 9.0(x) ASA 8.4(2), 8.4(3), 8.4(4), 8.4(5), 8.4(6), 8.4(7) |
|
Dual ASA SSPs:
Requirements: Matching-level for both SSPs |
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(x) ASA 9.3(x) ASA 9.2(x) ASA 9.1(x) ASA 9.0(x) |
Requirements: Install one or two network modules in slot 1, with ASA SSP in slot 0 |
ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(x) ASA 9.4(x) ASA 9.3(x) ASA 9.2(x) ASA 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7) ASA 8.4(4.1), 8.4(5), 8.4(6), 8.4(7) |
ASA and Firepower Threat Defense Clustering External Hardware Support
Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. For switches that have been verified to work with clustering, see the verified switches table below.
Switch Requirements
-
All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.
-
EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.
-
On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.
-
On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.
-
On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.
Switch Recommendations
-
The switch should provide uniform traffic distribution over the EtherChannel's individual links.
-
The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.
-
The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.
Note |
Cisco does not support the resolution of bugs found in non-verified switches. |
Note |
For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types. |
Note |
Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering. |
Verified Switches
The following table lists verified Cisco external hardware and software to interoperate with clustering.
|
External Hardware |
External Software |
||||
|---|---|---|---|---|---|
|
Cisco Firepower 2100, 4100, and 9300 Cisco ASA Series You can connect a cluster directly to one or more Firepower or ASA chassis in standalone or failover mode, running either ASA or Firepower Threat Defense. For example, you might connect an Active/Standby ASA failover pair in multiple context mode to a Firepower Threat Defense cluster with inline sets (NGIPS mode). |
Any |
||||
|
Cisco ASR 9000 with RSP 440 |
Cisco IOS XR 5.3(1)+ |
||||
|
Cisco Nexus 3000 Cisco Nexus 6000 Cisco Nexus 7000 Cisco Nexus 9500 Cisco Nexus 9300
|
Cisco NX-OS 7.0(2)N1(1)+ APIC 1.0(1)+ |
||||
|
Catalyst 3750-X Catalyst 6500 with Supervisor 2T Catalyst 6800 with Supervisor 2T |
Cisco IOS 15.1(2)SY5+ |
||||
|
Catalyst 6500 with Supervisor 32, 720, and 720-10GE |
Cisco IOS 12.2(33)SXI7, SXI8, and SXI9+ |
||||
|
Catalyst 4500 with Supervisor 8-E |
Cisco IOS XE 3.7(1E)+ |
||||
|
Catalyst 3850 Catalyst 4500-X
|
Cisco IOS 3.7(3)+ |
ASA and Cisco Application Policy Infrastructure Controller (APIC) Compatibility
The following table lists the supported ASA models, ASA software, and APIC versions.
Note |
If you are running an earlier version of the ASA device package or APIC, for best stability we recommend that you upgrade to the minimum versions in this table. |
|
ASA Models |
ASA Version |
ASA Device Package Version |
APIC Version |
|---|---|---|---|
|
ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X |
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) 9.1(x) 9.0(x) 8.6(x) |
1.2(1.2)+ |
1.0(1g)+ |
|
ASA 5585-X |
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) 9.1(x) 9.0(x) 8.4(x) |
1.2(1.2)+ |
1.0(1g)+ |
|
ASAv |
9.10(x) 9.9(x) 9.8(x) 9.7(x) 9.6(x) 9.5(x) 9.4(x) 9.3(x) 9.2(x) |
1.2(1.2)+ |
1.0(1g)+ |
End-of-Life Announcements
See the following pages for ASA software and hardware End-of-Life announcements:
Feedback