Downgrade the ASA

In many cases, you can downgrade your ASA software and restore a backup configuration from the previous software version. The method of downgrading depends on your ASA platform.

Guidelines and Limitations for Downgrading

See the following guidelines before downgrading:

  • There is no official Zero Downtime Downgrade support for clustering—However, in some cases, Zero Downtime Downgrading will work. See the following known issues for downgrading; note that there may be other issues that require you to reload your cluster units, thus causing downtime.

    • Downgrade to a pre-9.9(1) release with clustering—9.9(1) and later includes an improvement in the backup distribution. If you have 3 or more units in the cluster, you must perform the following steps:

      1. Remove all secondary units from the cluster (so the cluster consists only of the primary unit).

      2. Downgrade 1 secondary unit, and rejoin it to the cluster.

      3. Disable clustering on the primary unit; downgrade it, and rejoin the cluster.

      4. Downgrade the remaining secondary units, and join them back to the cluster, one at a time.

    • Downgrade to a pre-9.9(1) release when you enable cluster site redundancy—You should disable site redundancy if you want to downgrade (or if you want to add a pre-9.9(1) unit to a cluster). Otherwise, you will see side effects, for example, dummy forwarding flows on the unit running the old version.

    • Downgrade from 9.8(1) with clustering and crypto-map—There is no Zero Downtime Downgrade support when downgrading from 9.8(1) when you have a crypto-map configured. You should clear the crypto-map configuration before downgrading, and then re-apply the configuration after the downgrade.

    • Downgrade from 9.8(1) with clustering unit health check set to .3 to .7 seconds—If you downgrade your ASA software after setting the hold time to .3 - .7 (health-check holdtime ), this setting will revert to the default of 3 seconds because the new setting is unsupported.

    • Downgrade from 9.5(2) or later to 9.5(1) or earlier with clustering (CSCuv82933)—There is no Zero Downtime Downgrade support when downgrading from 9.5(2). You must reload all units at roughly the same time so that a new cluster is formed when the units come back online. If you wait to reload the units sequentially, then they will be unable to form a cluster.

    • Downgrade from 9.2(1) or later to 9.1 or earlier with clustering—Zero Downtime Downgrade is not supported.

  • Downgrade issue from 9.22 or later—If you disable the USB port using the usb-port disable command, but then downgrade to an earlier release, the port will remain disabled, and you cannot re-enable it without erasing the NVRAM (the FXOS local-mgmt erase secure all command).

  • Downgrade issue from 9.18 or later—There is a behavior change in 9.18 where the access-group command will be listed before its access-list commands. If you downgrade, the access-group command will be rejected because it has not yet loaded the access-list commands. This outcome occurs even if you had previously enabled the forward-reference enable command, because that command is now removed. Before you downgrade, be sure to copy all access-group commands manually, and then after downgrading, re-enter them.

  • Downgrade issue for the Firepower 2100 in Platform mode from 9.13/9.14 to 9.12 or earlier—For a Firepower 2100 with a fresh installation of 9.13 or 9.14 that you converted to Platform mode: If you downgrade to 9.12 or earlier, you will not be able to configure new interfaces or edit existing interfaces in FXOS (note that 9.12 and earlier only supports Platform mode). You either need to restore your version to 9.13 or later, or you need to clear your configuration using the FXOS erase configuration command. This problem does not occur if you originally upgraded to 9.13 or 9.14 from an earlier release; only fresh installations are affected, such as a new device or a re-imaged device. (CSCvr19755)

  • Downgrade from 9.10(1) for smart licensing—Due to changes in the smart agent, if you downgrade, you must re-register your device to the Cisco Smart Software Manager. The new smart agent uses an encrypted file, so you need to re-register to use an unencrypted file required by the old smart agent.

  • Downgrade to 9.5 and earlier with passwords using PBKDF2 (Password-Based Key Derivation Function 2) hash—Versions before 9.6 do not support PBKDF2 hashing. In 9.6(1), enable and username passwords longer than 32 characters use PBKDF2 hashing. In 9.7(1), new passwords of all lengths use PBKDF2 hashing (existing passwords continue to use MD5 hashing). If you downgrade, the enable password reverts to the default (which is blank). Usernames will not parse correctly, and the username commands will be removed. You must re-create your local users.

  • Downgrade from Version 9.5(2.200) for the ASA Virtual—The ASA virtual does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command (for ASDM: see the Configuration > Device Management > Licensing > Smart Licensing page, and use the Force registration option); obtain the ID token from the Smart Software Manager.

  • VPN tunnels are replicated to the standby unit even if the standby unit is running a version of software that does not support the Ciphersuite that the original tunnel negotiated—This scenario occurs when downgrading. In this case, disconnect your VPN connection and reconnect.

Incompatible Configuration Removed After Downgrading

When you downgrade to an old version, commands that were introduced in later versions will be removed from the configuration. There is no automated way to check the configuration against the target version before you downgrade. You can view when new commands were added in ASA new features by release.

You can view rejected commands after you downgrade using the show startup-config errors command. If you can perform a downgrade on a lab device, you can preview the effects using this command before you perform the downgrade on a production device.

In some cases, the ASA migrates commands to new forms automatically when you upgrade, so depending on your version, even if you did not manually configure new commands, the downgrade could be affected by configuration migrations. We recommend that you have a backup of your old configuration that you can use when you downgrade. In the case of upgrading to 8.3, a backup is automatically created (<old_version>_startup_cfg.sav). Other migrations do not create back-ups. See Version-Specific Guidelines and Migrations for more information about automatic command migrations that could affect downgrading.

See also known downgrade issues in Guidelines and Limitations for Downgrading.

For example, an ASA running version 9.8(2) includes the following commands:


access-list acl1 extended permit sctp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
username test1 password $sha512$1234$abcdefghijklmnopqrstuvwxyz privilege 15
snmp-server user snmpuser1 snmpgroup1 v3 engineID abcdefghijklmnopqrstuvwxyz encrypted auth md5 12:ab:34 priv aes 128 12:ab:34

When you downgrade to 9.0(4), you will see the following errors on startup:


access-list acl1 extended permit sctp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
                                 ^
ERROR: % Invalid input detected at '^' marker.

username test1 password $sha512$1234$abcdefghijklmnopqrstuvwxyz pbkdf2 privilege 15
                                                                ^
ERROR: % Invalid input detected at '^' marker.

snmp-server user snmpuser1 snmpgroup1 v3 engineID abcdefghijklmnopqrstuvwxyz encrypted auth md5 12:ab:34 priv aes 128 12:ab:34
                                         ^
ERROR: % Invalid input detected at '^' marker.

In this example, support for sctp in the access-list extended command was added in version 9.5(2), support for pbkdf2 in the username command was added in version 9.6(1), and support for engineID in the snmp-server user command was added in version 9.5(3).

Downgrade the Firepower 1000, 2100 in Appliance Mode, Secure Firewall 1200/3100/4200

You can downgrade the ASA software version by setting the ASA version to the old version, restoring the backup configuration to the startup configuration, and then reloading.

Before you begin

This procedure requires a backup configuration of the ASA before you upgraded, so you can restore the old configuration. If you do not restore the old configuration, you may have incompatible commands representing new or changed features. Any new commands will be rejected when you load the old software version.

Procedure

Step 1

Load the old ASA software version using the upgrade procedure in Upgrade the Firepower 1000, 2100 in Appliance Mode, and Secure Firewall 3100/4200 for standalone, failover, or clustering deployments. In this case, specify the old ASA version instead of a new version. Important: Do not reload the ASA yet.

Step 2

At the ASA CLI, copy the backup ASA configuration to the startup configuration. For failover, perform this step on the active unit. This step replicates the command to the standby unit.

copy old_config_url startup-config

It's important that you do not save the running configuration to the startup configuration using write memory ; this command will overwrite your backup configuration.

Example:


ciscoasa# copy disk0:/9.13.1_cfg.sav startup-config

Step 3

Reload the ASA.

ASA CLI

reload

ASDM

Choose Tools > System Reload.

Downgrade the Firepower 2100 in Platform Mode

You can downgrade the ASA software version by restoring the backup configuration to the startup configuration, setting the ASA version to the old version, and then reloading.

Before you begin

This procedure requires a backup configuration of the ASA before you upgraded, so you can restore the old configuration. If you do not restore the old configuration, you may have incompatible commands representing new or changed features. Any new commands will be rejected when you load the old software version.

Procedure

Step 1

At the ASA CLI, copy the backup ASA configuration to the startup configuration. For failover, perform this step on the active unit. This step replicates the command to the standby unit.

copy old_config_url startup-config

It's important that you do not save the running configuration to the startup configuration using write memory ; this command will overwrite your backup configuration.

Example:


ciscoasa# copy disk0:/9.12.4_cfg.sav startup-config

Step 2

In FXOS, use the chassis manager or FXOS CLI to use the old ASA software version using the upgrade procedure in Upgrade the Firepower 2100 in Platform Mode for standalone, failover, or clustering deployments. In this case, specify the old ASA version instead of a new version.

Downgrade the Firepower 4100/9300

You can downgrade the ASA software version by restoring the backup configuration to the startup configuration, setting the ASA version to the old version, and then reloading.

Before you begin

  • This procedure requires a backup configuration of the ASA before you upgraded, so you can restore the old configuration. If you do not restore the old configuration, you may have incompatible commands representing new or changed features. Any new commands will be rejected when you load the old software version.

  • Make sure the old ASA version is compatibile with the current FXOS version. If not, downgrade FXOS as the first step before you restore the old ASA configuration. Just make sure the downgraded FXOS is also compatible with the current ASA version (before you downgrade it). If you cannot achieve compatibility, we suggest you do not perform a downgrade.

Procedure

Step 1

At the ASA CLI, copy the backup ASA configuration to the startup configuration. For failover or clustering, perform this step on the active/control unit. This step replicates the command to the standby/data units.

copy old_config_url startup-config

It's important that you do not save the running configuration to the startup configuration using write memory ; this command will overwrite your backup configuration.

Example:


ciscoasa# copy disk0:/9.8.4_cfg.sav startup-config

Step 2

In FXOS, use the chassis manager or FXOS CLI to use the old ASA software version using the upgrade procedure in Upgrade the Firepower 4100/9300 for standalone, failover, or clustering deployments. In this case, specify the old ASA version instead of a new version.

Step 3

If you are also downgrading FXOS, use the chassis manager or FXOS CLI to set the old FXOS software version to be the current version using the upgrade procedure in Upgrade the Firepower 4100/9300 for standalone, failover, or clustering deployments.

Downgrade the ISA 3000

The downgrade feature provides a shortcut for completing the following functions on ISA 3000 models:

  • Clearing the boot image configuration (clear configure boot ).

  • Setting the boot image to be the old image (boot system ).

  • (Optional) Entering a new activation key (activation-key ).

  • Saving the running configuration to startup (write memory ). This sets the BOOT environment variable to the old image, so when you reload, the old image is loaded.

  • Copying the old configuration backup to the startup configuration (copy old_config_url startup-config ).

  • Reloading (reload ).

Before you begin

  • This procedure requires a backup configuration of the ASA before you upgraded, so you can restore the old configuration.

Procedure

Step 1

ASA CLI: Downgrade the software and restore the old configuration.

downgrade [/noconfirm] old_image_url old_config_url [activation-key old_key]

Example:



ciscoasa(config)# downgrade /noconfirm disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav

The /noconfirm option downgrades without prompting. The image_url is the path to the old image on disk0, disk1, tftp, ftp, or smb. The old_config_url is the path to the saved, pre-migration configuration. If you need to revert to a pre-8.3 activation key, then you can enter the old activation key.

Step 2

ASDM: Choose Tools > Downgrade Software .

The Downgrade Software dialog box appears.

Step 3

For the ASA Image, click Select Image File.

The Browse File Locations dialog box appears.

Step 4

Click one of the following radio buttons:

  • Remote Server—Choose ftp, smb, or http from the drop-down list, and type the path to the old image file.

  • Flash File System—Click Browse Flash to choose the old image file on the local flash file system.

Step 5

For the Configuration, click Browse Flash to choose the pre-migration configuration file.

Step 6

(Optional) In the Activation Key field, enter the old activation key if you need to revert to a pre-8.3 activation key.

Step 7

Click Downgrade.