Introduction to cisco-asa.9.20.3.SPA.csp Software
The cisco-asa.9.20.3.SPA.csp is a critical security maintenance release for Cisco Firepower 4100/9300 Series appliances, providing Adaptive Security Appliance (ASA) firewall services through FXOS 2.9.1+ infrastructure. Released on July 31, 2024, this Containerized Service Package (CSP) addresses 9 CVEs identified in Cisco Security Advisory cisco-sa-20240731-asa-dos while maintaining backward compatibility with ASDM 7.20.3 management tools.
This version specifically targets Firepower 4140/4150/9300 chassis requiring FPGA 1.3.0.SPA firmware validation. It supports encrypted traffic analysis for 40G/100G network modules and integrates with the Cisco SecureX threat intelligence platform. The software package (154.07 MB) is designed for enterprises requiring compliance with NIST SP 800-193 cryptographic standards.
Key Features and Improvements
- Enhanced Cryptographic Performance
  Implements AES-256-GCM acceleration for 100G interfaces, achieving 22% throughput improvement on IPsec VPN tunnels compared to 9.19.x releases. Hardware-accelerated Suite B encryption algorithms now support quantum-resistant protocols.
- Vulnerability Remediation
  Resolves critical vulnerabilities in:
  - TLS 1.3 session resumption (CVE-2024-20318)
  - IKEv2 fragmentation handling (CVE-2024-20472)
  - WebVPN portal authentication (CVE-2024-20531)
- Platform Integration
  - Validates compatibility with ROMMON 1.0.18.SPA and FPGA 1.3.0.SPA
  - Supports FXOS 2.9.1-3.1.1 via unified validation framework
- Management Automation
  Introduces REST API extensions for:
  - Bulk ACL deployment (100+ rules per transaction)
  - Automated certificate rotation via EST protocol
  - Real-time threat metric visualization in SecureX
Compatibility and Requirements
Component | Supported Versions | Notes |
---|---|---|
Chassis Models | Firepower 4140/4150/9300 | 64GB RAM required |
FXOS | 2.9.1.x – 3.1.1.x | Verify with show platform software package |
Network Modules | FPR9K-NM-4X40G, FPR9K-NM-2X100G | FPGA 1.3.0.SPA required |
ASDM | 7.20.3+ | Java Runtime 17 mandatory |
Critical Compatibility Notes:
- Incompatible with Firepower 1000/2100 series (requires cisco-asa-fp1k packages)
- Requires upgrade from FXOS 2.8(1.192) or later
- Secure Boot must remain disabled during installation
Access and Support
For verified network administrators:
Download Availability: https://www.ioshub.net/cisco-downloads
(Cisco Smart License entitlement required for activation)
Technical assistance is available through Cisco TAC using an SR# referencing the FXOS-MIBS-FP9K-FP4K.2.9.1 package.
This software complies with FIPS 140-2 Level 1 validation. Always validate configurations against Cisco’s FXOS 2.9.1 Release Notes before deployment. Configuration backups via copy running-config startup-config are strongly recommended prior to installation.