Deprecation Announcement for the cisco.asa Ansible Collection

We are announcing the deprecation of the cisco.asa Ansible Collection as of December 2024, which will reach its official end-of-life in December 2026.

Impact:
No new features or enhancements will be added to the cisco.asa collection.

Limited Maintenance:
Only critical bug fixes and security vulnerabilities will be addressed. No guarantees of compatibility with ansible-core versions >2.17 will be provided.

Community Maintenance:
Post-deprecation, the maintenance of the cisco.asa collection will be transferred to the community for best-effort maintenance.

Why?
Cisco has deprecated ASA (Adaptive Security Appliance) in favor of its next-generation Firepower solutions. Firepower delivers enhanced capabilities, integrating advanced threat detection and firewall functionalities.

For more details, please refer to the official Cisco ASA deprecation announcement.

2 Likes

If anybody is interested in joining this community project please reply to this discussion.

1 Like

I have found the various discussions about the deprecation notice, but I believe there may be a misunderstanding in the advisory that Cisco published regarding EoS/EoL dates given.

The advisory at Cisco EoL Advisory for 9.8(x) is notifying customers that Cisco plans to remove support and software maintenance on Cisco ASA code version 9.8, not the Cisco ASA itself.

Cisco ASA is now called Cisco Secure Firewall ASA and is still supported from my understanding. ASA versions 9.20 and 9.22 are released with the recommended release sitting at 9.20 at this time.

If this decision is made to move this to community support so that engineering time can be spent on other platforms then I understand. I wanted to be sure to note that the advisory the decision was based upon is for the software deprecation, not the platform as a whole. I operate a sizeable amount of ASA devices and will need to plan accordingly going forward regarding forward compatibility.

3 Likes

@dheckman-lus Welcome to the Ansible Forum. I appreciate you taking the time to create a Forum account to provide this feedback.

I’ve shared it internally with the Ansible Team to see if we have misunderstood something.

1 Like

Cross-posting from GitHub issue 508 to reach the forum audience.
Is it possible to reverse this decision? Cisco is still developing, shipping, and supporting Cisco ASA software in all their recent Firewall hardware as well as Virtual cloud-based ASA software. Example of continued support: Cisco Secure Firewall 4200 Series is a very recent hardware firewall platform supporting ASA software including version 9.22.x first released in September 2024.
The ASA software is still used by Cisco customers including myself in part because of the text-based configuration files and ease of automation with the Ansible Cisco ASA collection.
Has the collection been abandoned by its former maintainers? This Ansible cisco.asa Deprecation announcement references the Cisco EOL announcement for ASA 9.8.x software release train only. Cisco announces EOL for Old software release trains to help customers plan to migrate to newer software such as the latest ASA 9.22.x mentioned in my comments above. Cisco also reserves the latest ASA software release trains for their latest hardware to push customers to migrate off of older hardware - see the release notes for 9.22.x linked above which shows which hardware platforms are not compatible with 9.22.x.

1 Like

Hi @mistertom thanks for posting! I see it’s the first time you are contributing in the forum, so welcome! 🙂

For someone arriving late at this conversation (or refreshing it after a very long time), it is not clear to me which decision you are referring to here - the original post mentions decisions made by Cisco. If the statements are incorrect, they seem to be from the comment by @dheckman-lus, then I consider the matter clarified.

IANAL but I believe Cisco is free to relinquish the maintenance of that collection as they see fit. Is that the decision you are talking about?

@KB-perByte Looking at the information provided by @dheckman-lus, do you still keep to your decision to deprecate cisco.asa?

If yes, would someone else (Cisco? @mistertom?) volunteer to maintain the collection?

My current deployment is RHEL/CentOS compatible 9.x which has ansible-core 2.14.x. Being <= 2.17.x I think the deprecation plans may not impact my deployment. This software development moves so fast. I initially was concerned I needed immediate plans to move away from dependencies on the collection, but it looks like I may have some years before RHEL/CentOS are shipping with ansible-core greater than 2.17.

Yes, the concerning thing here is the link to Cisco ASA 9.8 software end of patches announcement for an old ASA software release-train. Cisco Secure Firewall ASA software is still actively supported as you mentioned with the latest 9.22 release being first available in September 2024 (no end of life announced).

1 Like

Hi @dheckman-lus and @mistertom thanks for raising the concerns. I have to add some extra context to the decision and hope to clarify all questions around this deprecation notice.

Then Cisco acquired Sourcefire by 2013, this led to the development and rollout of the Firepower appliance, which gradually became the heir and recommended option for ASA. Around 2017 I have seen myself as part of Cisco Advanced Services (CX now), how the default recommendation was to use Firepower due to the advanced capabilities.

The challenge with ASA OS is that overall the Cisco ASA and Cisco Firepower have been converging for years already, and the Firepower Series became the flagship for Cisco Network Security solutions. How this reflects in the support, is that customers now have a combination of ASA and FX OS. This situation opens different challenges to keep the support of the collection itself:

  • First, contributions only to ASA collection are scarce as the majority of users transition to use Firepower with FXOS. There were 2-3 pull requests per year during the last 3 years.
  • Second, users require a combination of FXOS support with ASA, creating the need to maintain both in order to cover the majority of the capabilities in production.
  • And finally, the convergence of multiple technologies makes it really complex to align with Cisco’s roadmap, and have an end to end solution that covers the next-generation security solutions, that are in production.

The end goal will be to get formal support from the Cisco Business Units covering the next-generation security solutions, if Cisco maintainers are, or will be interested to formally keep enterprise support for the asa collection.

Another clarification I want to emphasize is that the deprecation does not mean the asa collection will go away, but we are going to provide a best-effort support as it transitions to become a collection maintained only by the community.

Cisco ASA’s Future Planning

Reddit thread about ASA and Firepower

Hello,
I am an engineer in a big finance company that is concerned about security and service continuity. We have purchased many FirePower appliances along with controllers. We tried hard to implement modern Cisco’s approach to our infrastructure, security policies, automation practice, etc. Unfortunately, finally we had to fall back to mature and easily manageable ASA mode for appliances for many reasons.
So, from my point of view, asa module should be supported for years. Cisco continues to update ASA software at a good rate.