Cisco ASA Compatibility

This document lists the Cisco ASA software and hardware compatibility and requirements.

ASA and ASDM Compatibility Per Model

This section lists ASA and ASDM compatibility per model.

ASA 9.12 to 9.5

Releases in bold are the recommended versions.

Table 1. ASA and ASDM Compatibility: 9.12 to 9.5

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X

ASAv

ASASM

Firepower 2110

2120

2130

2140

Firepower 4110

4120

4140

4150

Firepower 4115

4125

4145

Firepower 9300

ISA 3000

9.12(2)

7.12(2)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(1)

7.12(1)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.10(1)

7.10(1)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.9(2)

7.9(2)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.9(1)

7.9(1)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(4)

7.12(1)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(3)

7.9(2.152)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(2)

7.8(2)+

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(1.200)

No support

YES

9.8(1)

7.8(1)+

YES

YES

YES

YES (+ASAv50)

YES

YES

YES

YES

9.7(1.4)

7.7(1)+

YES

YES

YES

YES

YES

YES

YES

YES

9.6(4)

7.9(1)+

YES

YES

YES

YES

YES

YES

YES

YES

9.6(3.1)

7.7(1)+

YES

YES

YES

YES

YES

YES

YES

YES

9.6(2)

7.6(2)+

YES

YES

YES

YES

YES

YES

YES

YES

9.6(1)

7.6(1)+

YES

YES

YES

YES

YES

YES (except 4150)

YES

YES

9.5(3.9)

7.6(2)+

YES

YES

YES

YES

YES

YES

9.5(2.200)

7.5(2.153)+

YES

9.5(2.2)

7.5(2)+

YES

9.5(2.1)

7.5(2)+

YES

9.5(2)

7.5(2)+

YES

YES

YES

YES

YES

YES

9.5(1.200)

7.5(1)+

YES

9.5(1.5)

7.5(1.112)+

YES

YES

YES

YES

YES

9.5(1)

7.5(1)+

YES

YES

YES

YES

YES

ASA 9.4 to 9.3

Table 2. ASA and ASDM Compatibility: 9.4 to 9.3

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X

ASAv

ASASM

Firepower 9300

ISA 3000

9.4(4.5)

7.6(2)+

YES

YES

YES

YES

YES

9.4(3)

7.6(1)+

YES

YES

YES

YES

YES

9.4(2.146)

7.5(1.112)+

YES

9.4(2.145)

7.5(1.112)+

YES

9.4(2)

7.5(1)+

YES

YES

YES

YES

YES

9.4(1.225)

7.5(1)+

YES

9.4(1.200)

7.4(2)+

YES

9.4(1.152)

7.4(3)+

YES

9.4(1)

7.4(1)+

YES

YES

YES

YES

YES

9.3(3.8)

7.4(1)+

YES

YES

YES

YES

YES

9.3(3)

7.4(1)+

YES

YES

YES

YES

YES

9.3(2.200)

7.3(2)+

YES

9.3(2)

7.3(3)+

YES (5506-X only)

YES

YES

YES

YES

7.3(2)+

YES (5506-X only)

YES

YES

YES

YES

9.3(1)

7.3(1)+

YES

YES

YES

YES

ASA 9.2 to 9.1

Table 3. ASA and ASDM Compatibility: 9.2 to 9.1

ASA

ASDM

 ASA Model

ASA 5505

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X

ASAv

ASASM

9.2(4.5)

7.4(3)+

YES

YES

YES

YES

YES

9.2(4)

7.4(3)+

YES

YES

YES

YES

YES

9.2(3)

7.3(1.101)+

YES

YES

YES

YES

YES

9.2(2.4)

7.2(2)+

YES

YES

YES

YES

YES

9.2(1)

7.2(1)+

YES

YES

YES

YES

YES

9.1(7.4)

7.5(2)+

YES

YES

YES

YES

9.1(6)

7.1(7)+

YES

YES

YES

YES

9.1(5)

7.1(6)+

YES

YES

YES

YES

9.1(4)

7.1(5)+

YES

YES

YES

YES

9.1(3)

7.1(4)+

YES

YES

YES

YES

9.1(2)

7.1(3)+

YES

YES

YES

YES

9.1(1)

7.1(1)+

YES

YES

YES

YES

ASA 9.0 to 8.4

Table 4. ASA and ASDM Compatibility: 9.0 to 8.4

ASA

ASDM

ASA Model

ASA 5505

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X

ASASM

ASA 1000V

9.0(4)

7.1(4)+

YES

YES

YES

YES

9.0(3)

7.1(3)+

YES

YES

YES

YES

9.0(2)

7.1(2)+

YES

YES

YES

YES

9.0(1)

7.0(1)+

YES

YES

YES

YES

8.7(1.1)

6.7(1)

YES

8.6(1)

6.6(1)

YES

8.5(1)

6.5(1)

YES

8.4(7)

7.1(3)+

YES

YES

8.4(6)

7.1(2.102)+

YES

YES

8.4(5)

7.0(2)+

YES

YES

8.4(4.1)

6.4(9)+

YES

YES

8.4(3)

6.4(7)+

YES

YES

8.4(2)

6.4(5)+

YES

YES

8.4(1)

6.4(1)+

YES

YES

ASA 8.3 to 8.2

Table 5. ASA and ASDM Compatibility: 8.3 to 8.2

ASA

ASDM

ASA Model

ASA 5505

ASA 5585-X

8.3(2)

6.3(2)+

YES

8.3(1)

6.3(1)+

YES

8.2(5)

6.4(3)+

YES

YES

8.2(4)

6.3(5)+

YES

YES

8.2(3)

6.3(4)+

YES

YES

Firepower 4100/9300 Compatibility with the ASA or FTD

The following table lists compatibility between the ASA or FTD applications with FXOS and Firepower models.

The FXOS versions with (EoL) appended have reached their end of life (EoL), or end of support.


Note

The bold versions listed below are specially-qualified companion releases. You should use these software combinations whenever possible because Cisco performs enhanced testing for these combinations.


Note

Firepower 2100 series appliances utilize FXOS only as an underlying operating system that is included in the ASA and Firepower Threat Defense unified image bundles.

Table 6. ASA or FTD, and Firepower 4100/9300 Compatibility

FXOS Version

Firepower Model

ASA Version

FTD Version

2.6(1.157)+

Note 

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 9300 SM-56

9.12(2) (recommended)

6.4.0 (recommended)

6.3.0

6.2.3

6.2.2

6.2.0

6.1.0

Firepower 4150

Firepower 4145

Firepower 4140

Firepower 4125

Firepower 4120

Firepower 4115

Firepower 4110

9.12(x) (recommended)

9.10(1)

9.9(x)

9.8(x)

9.6(4)

Note 

9.7(x) is not supported.

Firepower 9300 SM-48

Firepower 9300 SM-44

Firepower 9300 SM-40

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12(x) (recommended)

9.10(1)

9.9(x)

9.8(x)

9.6(4)

Note 

9.7(x) is not supported.

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.4(1.214)+

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.10(1) (recommended)

9.9(x)

9.8(x)

9.6(3), 9.6(4)

Note 

9.7(x) is not supported.

6.3.0 (recommended)

6.2.3

6.2.2

6.2.0

6.1.0

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.4(1.101)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.10(1) (recommended)

9.9(x)

9.8(x)

9.6(3), 9.6(4)

Note 

9.7(x) is not supported.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)+

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.9(x) (recommended)

9.8(x)

9.7(x)

9.6(3), 9.6(4)

Note 

9.8(2.12) or later is required for flow offload when running FXOS 2.3(1.130) or later.

6.2.3 (recommended)

6.2.2

6.2.0

6.1.0

Note 

6.2.2.2 or later is required for flow offload when running FXOS 2.3(1.130) or later.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

2.3(1.56)

Note 

FXOS 2.3(1.56), which was briefly available on Cisco.com, is no longer supported. For more information, see the Cisco FXOS Release Notes, 2.3(1).

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.9(x) (recommended)

9.8(x)

9.7(x)

9.6(3), 9.6(4)

Note 

9.8(2.12) or later is required for flow offload when running FXOS 2.3(1.130) or later.

6.2.2 (recommended)

6.2.2

6.2.0

6.1.0

Note 

6.2.2.2 or later is required for flow offload when running FXOS 2.3(1.130) or later.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2(2)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8(x)

(recommended)

6.2.2 (recommended)

6.2.0

Note 

6.2.2 or later is required for flow offload when running FXOS 2.2(2.91) or later.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2(1)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8(1) (recommended)

9.7(x)

Note 

9.7(1.15) or later is required for flow offload.

6.2.0 (recommended)

Note 

6.2.0.3 or later is required for flow offload.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.1(1) (EoL)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.7(x) (recommended)

9.6(2), 9.6(3), 9.6(4)

6.2.0 (recommended)

6.1.0

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.0(1)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.6(2), 9.6(3), 9.6(4) (recommended)

9.6(1)

6.1.0 (recommended)

6.0.1

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

1.1(4)

Firepower 4140

Firepower 4120

Firepower 4110

9.6(1) (recommended)

9.5(2), 9.5(3)

6.0.1 (recommended)

Firepower 9300 SM-36

Firepower 9300 SM-24

1.1(3)

Firepower 9300 SM-36

Firepower 9300 SM-24

9.5(2), 9.5(3) (recommended)

9.4(2)

1.1(2)

Firepower 9300 SM-36

Firepower 9300 SM-24

9.4(2) (recommended)

9.4(1)

1.1(1) (EoL)

Firepower 9300 SM-36

Firepower 9300 SM-24

9.4(1) (recommended)

Firepower 2100 ASA and FXOS Bundle Versions

Firepower 2100 series appliances utilize FXOS as an underlying operating system that is included in the ASA unified image bundles. The following table lists the ASA and FXOS versions in each released bundle.


Note

You cannot install ASA or FXOS separately; you must install them both as part of the bundle.

Table 7. ASA Firepower 2100 ASA and FXOS Bundle Versions

ASA Bundle Version

FXOS Version

9.12(1)

2.6(1.113)

9.10(1)

2.4(1.92)

9.9(2)

2.3(1.77)

9.9(1)

2.3(1.54)

9.8(2)

2.2(2.52)

ASAv Hypervisor Compatibility

You can deploy the ASAv on the following hypervisors.

Table 8. ASAv Hypervisor Compatibility

Hypervisor

Version and Details

ASAv OS

Amazon Web Services

Amazon Web Services only supports the following models and instance types:

  • ASAv10 on the c3.large, c4.large, and m4.large instances

  • ASAv30 on the c3.xlarge, c4.xlarge, and m4.xlarge instances

Note 

The ASAv50 is not supported on Amazon Web Services.

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

Kernel-based Virtual Machine (KVM)

  • qemu-kvm, libvirt-bin, bridge-utils, virt-manager, genisoimage, virtinst, and virsh tools (part of KVM installation).

  • Linux Ubuntu 14.04 LTS host.

    The ASAv has been extensively tested on an Ubuntu 14.04 LTS host, but you can use other Linux distributions.

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x) (ASAv50 support added)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(2.200), 9.3(3)

Microsoft Azure

Microsoft Azure supports the ASAv5, ASAv10, and ASAv30 models on the following instance types:

  • Standard D3 instance

  • Standard D3_v2 instance

Note 

The ASAv50 is not supported on Microsoft Azure.

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(2), 9.6(3), 9.6(4)

ASA 9.5(2.200), 9.5(3)

Microsoft Hyper-V

The Microsoft Hyper-V hypervisor supports the ASAv5, ASAv10, and ASAv30 models.

Note 

The ASAv50 is not supported on Microsoft Hyper-V.

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(1.200), 9.5(2), 9.5(3)

VMware vSphere

5.x:

  • ESXi Server

  • vCenter Server

  • vSphere Web Client or vSphere Client for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note 

You cannot install the ASAv directly on an ESXi host without using vCenter.
Note 

You cannot deploy the ASAv using vCloud Director.

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x) (ASAv50 support added)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(x)

ASA 9.2(x)

  • You can now install the ASAv directly on an ESXi host without using vCenter.

  • OVFTool support

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x) (ASAv50 support added)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

6.0, 6.5:

  • ESXi Server

  • (Optional) vCenter Server

  • vSphere Web Client, vSphere Client, or OVFTool for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note 

You cannot deploy the ASAv using vCloud Director.

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x) (ASAv50 support added)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

ASA Services Module, IOS, and Switch Compatibility

The following table shows the switch hardware and software compatibility.

Table 9. Support for the ASASM

ASA OS

Switch Hardware

Supervisor Engine or Route Switch Processor

Cisco IOS Release

9.12(x)

9.10(x)

9.9(x)

9.8(x)

9.7(x)

9.6(x)

9.5(x)

9.4(x)

9.3(x)

9.2(x)

9.1(x)

9.0(x)

Cisco 7604, 7609-S, 7613-S

SUP 2T with MSFC5 & PFC4 (VS-S2T-10G)

SUP 2T with MSFC5 & PFC4XL (VS-S2T-10G-XL)

15.1(1)SY+

9.12(x)

9.10(x)

9.9(x)

9.8(x)

9.7(x)

9.6(x)

9.5(x)

9.4(x)

9.3(x)

9.2(x)

9.1(x)

9.0(x)

Cisco 7606-S, 7609-S

RSP 720 with 10GE ports, MSFC4 & PFC-3C (RSP720-3C-10GE)

RSP 720 with 10GE ports, MSFC4 & PFC-3CXL (RSP720-3CXL-10GE)

RSP 720 with 2GE ports, MSFC4 & PFC-3C (RSP720-3C-GE)

RSP 720 with 2GE ports, MSFC4 & PFC-3CXL (RSP720-3CXL-GE)

SUP 720 with MSFC3 & PFC3B (WS-SUP720-3B)

SUP 720 with MSFC3 & PFC3BXL (WS-SUP720-3BXL)

15.2(4)S2+

9.12(x)

9.10(x)

9.9(x)

9.8(x)

9.7(x)

9.6(x)

9.5(x)

9.4(x)

9.3(x)

9.2(x)

9.1(x)

9.0(x)

8.5(1.7)+

Catalyst 6500-E

SUP 2T with MSFC5 & PFC4 (VS-S2T-10G)

SUP 2T with MSFC5 & PFC4XL (VS-S2T-10G-XL)

15.0(1)SY1+

9.12(x)

9.10(x)

9.9(x)

9.8(x)

9.7(x)

9.6(x)

9.5(x)

9.4(x)

9.3(x)

9.2(x)

9.1(x)

9.0(x)

8.5(1.7)+

Catalyst 6500-E

SUP 720-10GE with MSFC3 & PFC3C (VS-S720-10G-3C)

SUP 720-10GE with MSFC3 & PFC3CXL (VS-S720-10G-3CXL)

SUP 720 with MSFC3 & PFC3B (WS-SUP720-3B)

SUP 720 with MSFC3 & PFC3BXL (WS-SUP720-3BXL)

12.2(33)SXJ2+

(Originally-supported Cisco IOS Version 12.2(33)SXJ1 has a caveat (CSCts88817) that can cause the ASASM to reload under certain circumstances. Therefore, we recommend using Version 12.2(33)SXJ2 or later.)

9.12(x)

9.10(x)

9.9(x)

9.8(x)

9.7(x)

9.6(x)

9.5(x)

9.4(x)

9.3(x)

9.2(x)

9.1(x)

9.0(x)

8.5(x)

Catalyst 6800 series

SUP 2T with MSFC5 & PFC4 (VS-S2T-10G)

SUP 2T with MSFC5 & PFC4XL (VS-S2T-10G-XL)

15.1(2)SY1+

ASA REST API Compatibility

The following table lists ASA REST API and ASA compatibility.


Note

The ASA 5506-X series does not support the REST API if you are running the FirePOWER module Version 6.0 or later. Disable the ASA REST API using the no rest-api agent command.

Table 10. ASA REST API Compatibility

ASA

ASA REST API

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X

ASAv

ASASM

ASA on Firepower 2110

2120

2130

2140

ASA on Firepower 4110

4120

4140

4150

ASA on Firepower 9300

ISA 3000

9.12(1)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.10(1)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.9(2)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.9(1)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.8(2)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.8(1.200)

1.3(2)

YES

9.8(1)

1.3(2)

YES

YES

YES

YES (+ASAv50)

YES

YES

YES

9.7(1.4)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.6(4)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.6(3.1)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.6(2)

1.3(2)

YES

YES

YES

YES

YES

YES

YES

9.6(1)

1.3(1)+

YES

YES

YES

YES

YES (except 4150)

YES

YES

9.5(3.9)

1.2(2.200)+

YES

YES

YES

YES

YES

9.5(2.200)

1.2(2.200)+

YES

9.5(2.2)

1.2(2)+

YES

9.5(2.1)

1.2(2)+

YES

9.5(2)

1.2(2)+

YES

YES

YES

YES

YES

9.5(1.200)

1.2(1)+

YES

9.5(1.5)

1.2(1)+

YES

YES

YES

YES

9.5(1)

1.2(1)+

YES

YES

YES

YES

9.4(3)

1.2(1)+

1.1(1)

YES

YES

YES

YES

9.4(2.146)

1.1(2)+

YES

9.4(2.145)

1.1(2)+

YES

9.4(2)

1.2(1)+

1.1(1),

YES

YES

YES

YES

9.4(1.225)

1.2(1)+

YES

9.4(1.200)

1.2(1)+

1.1(1)

YES

9.4(1.152)

1.1(2)+

YES

9.4(1)

1.2(1)+

1.1(1)

YES

YES

YES

YES

9.3(2.200)

1.2(1)+

1.1(1)

1.0(1)

YES

9.3(2)

1.2(1)+

1.1(1)

1.0(1)

YES (ASA 5506-X only)

YES

YES

YES

ASA 5506W-X Wireless Access Point Software Compatibility

The ASA 5506W-X includes a Cisco Aironet 702i wireless access point integrated into the ASA. The access point includes an autonomous Cisco IOS image, which enables individual device management. You can install the lightweightimage if you want to add the ASA 5506W-X to a Cisco Unified Wireless Network and use a wireless LAN controller. See the Converting Autonomous Access Points to Lightweight Mode chapter in the Cisco Wireless Control Configuration Guide for more information about using the lightweight image in unified mode.

The following table shows the supported software for the access point as well as the supported Cisco Wireless LAN Controller software if you convert to unified mode.

Table 11. ASA 5506W-X Wireless Access Point Software Compatibility

Built-in Access Point

Cisco IOS Release

Cisco Wireless LAN Controller Release

Aironet 702i

15.3(3)JBB+

8.1.102.0+

ASA and ASA FirePOWER Module Compatibility

Compatibility Table

The following table shows the ASA, ASDM, and ASA FirePOWER support.

Table 12. ASA and ASA FirePOWER Compatibility

ASA FirePOWER Version

ASDM Version (for local management)

ASA Version

ASA Model

ASA 5506-X Series

5508-X

5516-X

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X (See below for SSP notes)

ISA 3000

6.4.0

ASDM 7.12(1)+

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(2), 9.5(3)

YES

YES

YES

YES

6.3.0

ASDM 7.10(1)+

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(2), 9.5(3)

YES

YES

YES

YES

6.2.3

ASDM 7.9(2)+

ASA 9.12(x) (No 5506-X, 5512-X)

ASA 9.10(x) (No 5506-X, 5512-X)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(2), 9.5(3) (No 5506-X)

YES

YES

YES

YES

YES

6.2.2

ASDM 7.8(2)+

ASA 9.12(x) (No 5506-X, 5512-X)

ASA 9.10(x) (No 5506-X, 5512-X)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(2), 9.5(3) (No 5506-X)

YES

YES

YES

YES

YES

6.2.0

ASDM 7.7(1)+

ASA 9.12(x) (No 5506-X, 5512-X)

ASA 9.10(x) (No 5506-X, 5512-X)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(2), 9.5(3) (No 5506-X)

YES

YES

YES

YES

YES

6.1.0

ASDM 7.6(2)+

ASA 9.12(x) (No 5506-X, 5512-X)

ASA 9.10(x) (No 5506-X, 5512-X)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(2), 9.5(3) (No 5506-X)

YES

YES

YES

YES

YES

6.0.1

ASDM 7.6(1)+ (no ASA 9.4(x) support)

ASA 9.6(x)

ASA 9.5(1.5), 9.5(2), 9.5(3)

ASA 9.4(x)

Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later.

YES

YES

YES

YES

YES

6.0.0

ASDM 7.5(1.112)+ (no ASA 9.4(x) support)

ASA 9.6(x)

ASA 9.5(1.5), 9.5(2), 9.5(3)

ASA 9.4(x)

Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later.

YES

YES

YES

YES

YES

5.4.1.7+

ASDM 7.5(1.112)+ (no ASA 9.4(x) support)

ASA 9.12(x) (No 5506-X, 5512-X)

ASA 9.10(x) (No 5506-X, 5512-X)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(2), 9.5(3)

ASA 9.4(x)

ASA 9.4(1.225) (ISA 3000 only)

ASA 9.3(2), 9.3(3) (no 5508-X or 5516-X)

Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later.

YES

YES

YES

YES

5.4.1

ASDM 7.3(3)+

ASA 9.12(x) (No 5506-X, 5512-X)

ASA 9.10(x) (No 5506-X, 5512-X)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(1.5), 9.5(2), 9.5(3)

ASA 9.4(x)

ASA 9.3(2), 9.3(3) (5506-X only)

Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later.

YES

YES

YES

5.4.0.2+

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(1.5), 9.5(2), 9.5(3)

ASA 9.4(x)

ASA 9.3(2), 9.3(3)

Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later.

YES

YES

YES

5.4.0.1

ASA 9.2(2.4), 9.2(3), 9.2(4)

Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later.

YES

YES

YES

5.3.1

ASA 9.2(2.4), 9.2(3), 9.2(4)

Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later.

YES

YES

YES

ASA 5585-X SSP Compatibility

Same level SSPs

ASA FirePOWER SSP -10, -20, -40, and -60

Requirements: Install in slot 1, with matching-level ASA SSP in slot 0

Mixed level SSPs

Support for the following combinations starts with version 5.4.0.1.

  • ASA SSP-10/ASA FirePOWER SSP-40

  • ASA SSP-20/ASA FirePOWER SSP-60

  • ASA SSP-40/ASA FirePOWER SSP-60

Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1


Note

For the SSP40/60 combination, you might see an error message that this combination is not supported. You can ignore the message.

Firepower 2100 Network Module Compatibility


Note

If a network module is listed for multiple Firepower models, and the part number only differs in the model number (FPRXK-NM-module), then that module is compatible with the other Firepower models. For example, the FPR9K-NM-6X10SR-F module is compatible on the Firepower 2100 (FPR2K-NM-6X10SR-F) and Firepower 4100 (FPR4K-NM-6X10SR-F). See the FXOS compatibility guide for information about Firepower 4100 and 9300 network modules.

Table 13. Firepower 2100 Network Module Compatibility

Modules Supported

Model

ASA OS

  • Firepower 6-port 1G SX FTW Network Module single-wide (FPR2K-NM-6X1SX-F)

  • Firepower 6-port 10G SR FTW Network Module single-wide (FPR2K-NM-6X10SR-F)

  • Firepower 6-port 10G LR FTW Network Module single-wide (FPR2K-NM-6X10LR-F)

Firepower 2130

Firepower 2140

ASA 9.12(x)

ASA 9.10(x)

Note 

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

Firepower 8-port 1G Network Module single-wide (FPR2K-NM-8X1G)

Firepower 2130

Firepower 2140

ASA 9.12(x)

ASA 9.10(x)

Firepower 8-port 10G Network Module single-wide (FPR2K-NM-8X10G)

Firepower 2130

Firepower 2140

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(2), 9.8(3)

ASA 5585-X SSP and Network Module Compatibility

Table 14. ASA 5585-X SSP and Network Compatibility

Modules Supported

ASA OS

ASA SSP-20 and -60

Requirements: Single ASA SSP in slot 0

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(x)

ASA 9.2(x)

ASA 9.1(x)

ASA 9.0(x)

ASA 8.4(x))

ASA 8.2(3), 8.2(4), 8.2(5)

ASA SSP-10 and -40

Requirements: Single ASA SSP in slot 0

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(x)

ASA 9.2(x)

ASA 9.1(x)

ASA 9.0(x)

ASA 8.4(x))

ASA 8.2(4), 8.2(5)

Dual ASA SSPs:

  • Dual ASA SSP-40s

  • Dual ASA SSP-60s

Requirements: Matching-level for both SSPs

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(x)

ASA 9.2(x)

ASA 9.1(x)

ASA 9.0(x)

ASA 8.4(2), 8.4(3), 8.4(4), 8.4(5), 8.4(6), 8.4(7)

Dual ASA SSPs:

  • Dual ASA SSP-10s

  • Dual ASA SSP-20s

Requirements: Matching-level for both SSPs

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(x)

ASA 9.2(x)

ASA 9.1(x)

ASA 9.0(x)

  • ASA 4-port 10G Network Module

  • ASA 8-port 10G Network Module

  • ASA 20-port 1G Network Module

Requirements: Install one or two network modules in slot 1, with ASA SSP in slot 0

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(x)

ASA 9.2(x)

ASA 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7)

ASA 8.4(4.1), 8.4(5), 8.4(6), 8.4(7)

ASA and Firepower Threat Defense Clustering External Hardware Support

Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. For switches that have been verified to work with clustering, see the verified switches table below.

Switch Requirements

  • All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.

  • EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.

  • On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.

  • On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.

  • On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.

Switch Recommendations

  • The switch should provide uniform traffic distribution over the EtherChannel's individual links.

  • The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.

  • The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.


Note

Cisco does not support the resolution of bugs found in non-verified switches.

Note

For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types.


Note

Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering.

Verified Switches

The following table lists verified Cisco external hardware and software to interoperate with clustering.

Table 15. Verified Switches

External Hardware

External Software

Cisco Firepower 1000, 2100, 4100, and 9300

Cisco ASA Series

You can connect a cluster directly to one or more Firepower or ASA chassis in standalone or failover mode, running either ASA or Firepower Threat Defense. For example, you might connect an Active/Standby ASA failover pair in multiple context mode to a Firepower Threat Defense cluster with inline sets (NGIPS mode).

Any

Cisco ASR 9000 with RSP 440

Cisco IOS XR 5.3(1)+

Cisco Nexus 3000

Cisco Nexus 6000

Cisco Nexus 7000

Cisco Nexus 9500

Cisco Nexus 9300

Note 

For the Nexus 7000, you can use F1-series line cards for the cluster control link, but we do not recommend using them for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing, which can cause performance degradation for data throughput on the cluster.

Note 

For the Nexus 3000, we do not recommend using this switch for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing, which can cause performance degradation for data throughput on the cluster. You can use the switch for the cluster control link or for interfaces in Individual Interface mode.

Cisco NX-OS 7.0(2)N1(1)+

APIC 1.0(1)+

Catalyst 3750-X

Catalyst 6500 with Supervisor 2T

Catalyst 6800 with Supervisor 2T

Cisco IOS 15.1(2)SY5+

Catalyst 6500 with Supervisor 32, 720, and 720-10GE

Cisco IOS 12.2(33)SXI7, SXI8, and SXI9+

Catalyst 4500 with Supervisor 8-E

Cisco IOS XE 3.7(1E)+

Catalyst 3850

Catalyst 4500-X

Note 

We do not recommend using this switch for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing, which can cause performance degradation for data throughput on the cluster. You can use the switch for the cluster control link or for interfaces in Individual Interface mode.

Cisco IOS 3.7(3)+

ASA and Cisco Application Policy Infrastructure Controller (APIC) Compatibility

The platforms supported include:

  • ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X (8.6(x) and newer)

  • ASA 5585-X (8.4(x) and newer)

  • ASAv (9.2(x) and newer)

  • Firepower 21xx, 41xx, and 9300 (9.8(x) and newer)

The following table lists the supported ASA device packages, ASA versions, and APIC versions.

Table 16. ASA Device Package, ASA, and APIC Compatibility

ASA Device Package Version

Integration Model

APIC Version

ASA Version

1.3(12.3)

Cloud Orchestrator

Policy Orchestration

Fabric Insertion

3.1(1*)—4.1(1*)

8.4(x)—9.12(x)

1.2(12.2)

Policy Orchestration

Fabric Insertion

3.0(2*) and older

8.4(x)—9.12(x)

1.3(11.22)

Cloud Orchestrator

Policy Orchestration

Fabric Insertion

3.1(1*)—4.0(1*)

8.4(x)—9.10(x)

1.2(11.16)

Policy Orchestration

Fabric Insertion

3.0(2*) and older

8.4(x)—9.10(1)

1.3(10.24)

Cloud Orchestrator

Policy Orchestration

Fabric Insertion

3.1(1*)

8.4(x)—9.8(x)

1.2(10.26)

Policy Orchestration

Fabric Insertion

3.0(2*)

8.4(x)—9.8(x)

1.2(9.18)

Policy Orchestration

Fabric Insertion

3.0(1*)

8.4(x)—9.8(x)

1.2(8.9)

Policy Orchestration

Fabric Insertion

2.2(2*)

8.4(x)—9.7(x)

1.2(7.x)

Policy Orchestration

Fabric Insertion

2.1(1*)

8.4(x)—9.6(2)

1.2(6.15)

Policy Orchestration

2.0(1*)

8.4(x)—9.5(2)

1.2(5.21)

Policy Orchestration

1.3(1*)

8.4(x)—9.5(1)

1.2(5.5)

Policy Orchestration

1.2(2*)

8.4(x)—9.4(x)

Note

We do not recommend using any ASA device package older than 2016.

Note

Policy Orchestration = Service Policy Mode = Fully Managed Mode.

Note

Fabric Insertion = Customized ASA device package for L2-3 automation only.

ASA 5505 Memory

Shipping Memory

The shipping DRAM increased after February 2010; the DRAM requirements for 8.3 and higher match the newer default shipping sizes. The newer default shipping DRAM is the current maximum DRAM you can install in your unit.

See the following shipping memory for the ASA 5505:

  • Internal Flash Memory (Default Shipping)—128 MB

  • Total DRAM (Default Shipping), Before Feb. 2010—256 MB

  • Total DRAM (Default Shipping), After Feb. 2010—512 MB

Memory Requirments

With Version 8.3 through 9.1 only the Unlimited Hosts license and the Security Plus license with failover enabled require 512 MB DRAM; other licenses can use 256 MB. For Version 9.2 and later, all ASA 5505 licenses require 512 MB.

Memory Kits

See the following DRAM memory kits available:

  • 512 MB—ASA5505-MEM-512=

Viewing Memory

You can check the size of internal flash and the amount of free flash memory on the ASA by doing the following:

  • ASDM—Choose Tools > File Management. The amounts of total and available flash memory appear on the bottom left in the pane.

  • CLI—In Privileged EXEC mode, enter the dir command. The amounts of total and available flash memory appear on the bottom of the output.

Example:


ciscoasa# dir
Directory of disk0:/

43     -rwx  14358528    08:46:02 Feb 19 2007  cdisk.bin
136    -rwx  12456368    10:25:08 Feb 20 2007  asdmfile
58     -rwx  6342320     08:44:54 Feb 19 2007  asdm-600110.bin
61     -rwx  416354      11:50:58 Feb 07 2007  sslclient-win-1.1.3.173.pkg
62     -rwx  23689       08:48:04 Jan 30 2007  asa1_backup.cfg
66     -rwx  425         11:45:52 Dec 05 2006  anyconnect
70     -rwx  774         05:57:48 Nov 22 2006  cvcprofile.xml
71     -rwx  338         15:48:40 Nov 29 2006  tmpAsdmCustomization430406526
72     -rwx  32          09:35:40 Dec 08 2006  LOCAL-CA-SERVER.ser
73     -rwx  2205678     07:19:22 Jan 05 2007  vpn-win32-Release-2.0.0156-k9.pkg
74     -rwx  3380111     11:39:36 Feb 12 2007  securedesktop_asa_3_2_0_56.pkg

62881792 bytes total (3854336 bytes free)