Next stable asa version after 8.2(3)

phoeneousphoeneous Go ping yourself...Posts: 2,333Member ■■■■■■■□□□
I need to update my asa from 8.2(3) to whatever the next stable version is. I know some people where having issues with the 8.3 releases. Is 8.4 looking good for everyone?

Comments

  • KelkinKelkin Posts: 261Member ■■■□□□□□□□
    8.2(3) to 8.3+ is a big step.. Especially with how to do NATs and such.. Just curious why you need to upgrade.. you run into a bug or something?
  • ecbanksecbanks Posts: 22Member ■□□□□□□□□□
    phoeneous wrote: »
    I need to update my asa from 8.2(3) to whatever the next stable version is. I know some people where having issues with the 8.3 releases. Is 8.4 looking good for everyone?

    I am on 8.4(3), which is somewhat better than 8.4(2). 8.4(2) gave us issue with crashes related to IPSEC traffic. That's gone away with 8.4(3). I'm typically doing IPSEC, DMZ, NAT, 802.1q, TACACS, SNMPv3, and global access lists with no issues. Some HA pairs, some standalones. Not doing much fancy application layer inspection besides the defaults required to make things like FTP work in the face of NAT. Not doing QoS, VoIP, or IDS/IPS with 8.4(3). These boxes, for the most part, have been just running...maybe a dozen or so out there, ranging from 5505s to 5520s? Not a huge install base, but enough to feel reasonably good about 8.4(3).

    Note that I have one open case with TAC where an 8.4(3) firewall caused an ARP poisoning issue - he ARPed for a MAC that wasn't his, causing other devices on that VLAN to send traffic to him when it should have been sent elsewhere. Case is unresolved, feels like a bug at this point, as it's we know it's not the config that caused the issue. I've worked around the issue with static ARP entries and disabling proxy ARP on the impacted interface (since I didn't need it anyway). And I've only had it happen on one firewall - it's not a pervasive problem.

    Ditto to what Kelkin said about the change from 8.2 to 8.3 or 8.4. The NAT paradigm has shifted significantly. The upgrade process will take a shot at converting your 8.2 NATs into the new way of doing things, but if you've got a big NAT table, I'd plan this upgrade very, very well...testing with an offline firewall if at all possible. It's a big deal.
    /Ethan
  • phoeneousphoeneous Go ping yourself... Posts: 2,333Member ■■■■■■■□□□
    Kelkin wrote: »
    8.2(3) to 8.3+ is a big step.. Especially with how to do NATs and such.. Just curious why you need to upgrade.. you run into a bug or something?

    I'm having issues configuring anyconnect for voip and I thought it was because of my version. Turns out, tac sent me config example for a router and not asa which is why the commands didnt match up. Specifically crypto ca vs crypto pki.
Sign In or Register to comment.