SystemPrivileged EXEC

show version

Displays the system software version, hardware configuration, license information, and uptime of the Cisco ASA firewall.

Overview

The 'show version' command is a fundamental diagnostic tool on Cisco ASA firewalls that provides a comprehensive snapshot of the system's software and hardware state. It displays the Adaptive Security Appliance (ASA) software version, including the exact release and build number, which is essential for verifying compatibility with features, patches, and upgrade paths. The command also reveals the ASDM (Adaptive Security Device Manager) version, which is the graphical management interface. Understanding the software version is critical when troubleshooting issues that may be version-specific or when planning maintenance windows. The output includes the system uptime, which indicates how long the firewall has been running since the last reload or power cycle. A low uptime could signal an unexpected reboot due to a crash, power failure, or administrative reload. The hardware section details the platform model (e.g., ASA 5516), total RAM, CPU specifications, and flash storage capacity. This information is vital for capacity planning and ensuring the device meets the requirements for features like VPN peers or security contexts. The interface listing provides MAC addresses and interrupt assignments, which are useful for inventory and troubleshooting connectivity issues. The licensed features section is arguably the most important for operational management. It lists each licensed capability (e.g., maximum VLANs, failover, VPN peers) along with the license type: perpetual (permanent), evaluation (time-limited), or subscription. Expiration dates are shown for non-perpetual licenses. A healthy system will have all required features enabled with sufficient license capacity. Problematic indicators include 'Expired' licenses, 'Disabled' features that are needed, or evaluation licenses nearing expiration. The serial number and activation key are used for Cisco support and license registration. The configuration register value (typically 0x1) indicates the boot behavior. Finally, the timestamp of the last configuration change helps track when the config was last modified, aiding in change management. In troubleshooting workflows, 'show version' is often the first command executed after gaining access to the device to establish a baseline of the system state before proceeding with more specific diagnostics.

Syntax·Privileged EXEC
show version

When to Use This Command

  • Verify the ASA software version and feature set before upgrading or applying a configuration.
  • Check the system uptime and last reload reason to diagnose unexpected reboots.
  • Confirm the hardware model and available memory for capacity planning.
  • Validate license activation and remaining duration for feature licenses.

Parameters

ParameterSyntaxDescription
No parametersshow versionThe command takes no parameters. It is executed in Privileged EXEC mode and displays all system version and license information.

Command Examples

Basic show version output

show version
Cisco Adaptive Security Appliance Software Version 9.12(4)30
Device Manager Version 7.13(1)

Compiled on Mon 10-Feb-20 15:28 by builders
System image file is "disk0:/asa912-4-smp-k8.bin"
Config file at boot was "startup-config"

asa-firewall up 2 years 143 days

Hardware:   ASA5516, 8192 MB RAM, CPU Core2 2394 MHz,
Internal ATA Compact Flash, 8192MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
    Boot microcode   : CNPx-MC-BOOT-ECAT
    SSL/IKE microcode: CNPx-MC-SSL
    IPSec microcode  : CNPx-MC-IPSEC

0: Ext: GigabitEthernet0/0 : address is 5000.0001.0001, irq 10
1: Ext: GigabitEthernet0/1 : address is 5000.0001.0002, irq 11
2: Ext: GigabitEthernet0/2 : address is 5000.0001.0003, irq 12
3: Ext: GigabitEthernet0/3 : address is 5000.0001.0004, irq 13
4: Ext: Management0/0 : address is 5000.0001.0005, irq 14

Licensed features for this platform:
Maximum Physical Interfaces       : 8      perpetual
Maximum VLANs                     : 100    perpetual
Inside Hosts                      : 50     perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled perpetual
Encryption-3DES-AES               : Enabled perpetual
Security Contexts                 : 2      perpetual
Carrier                           : Disabled perpetual
AnyConnect Premium Peers          : 2      perpetual
AnyConnect Essentials             : Disabled perpetual
Other VPN Peers                   : 100    perpetual
Total VPN Peers                   : 100    perpetual
Shared License                    : Disabled perpetual
AnyConnect for Mobile             : Disabled perpetual
AnyConnect for Cisco VPN Phone    : Disabled perpetual
Advanced Endpoint Assessment      : Disabled perpetual
UC Phone Proxy Sessions           : 2      perpetual
Total UC Proxy Sessions           : 2      perpetual
Botnet Traffic Filter             : Disabled perpetual
Intercompany Media Engine         : Disabled perpetual
IPS Module                        : Disabled perpetual
Cluster                           : Disabled perpetual

This platform has an ASA 5516 Security Plus license.
Serial Number: FCH12345678
Running Permanent Activation Key: 0x12345678 0x9abcdef0 0x12345678 0x9abcdef0
Configuration register is 0x1
Configuration last modified by enable_15 at 10:15:00 UTC Mon Mar 15 2021

The output shows the ASA software version (9.12(4)30), ASDM version, uptime (2 years 143 days), hardware model (ASA5516 with 8192 MB RAM), interface MAC addresses, licensed features (e.g., maximum VLANs, VPN peers), serial number, and configuration register value.

Checking license expiration

show version
Licensed features for this platform:
...
AnyConnect Premium Peers          : 2      evaluation (Expires: 30 days)
...

The output indicates that the AnyConnect Premium Peers license is an evaluation license that expires in 30 days. This is critical for planning license renewal.

Understanding the Output

The 'show version' command output is divided into several sections. The first section shows the ASA software version, ASDM version, compilation date, system image file location, and the configuration file used at boot. The next line displays the system uptime, which is useful for determining if the device has recently rebooted unexpectedly. The hardware section lists the model (e.g., ASA5516), total RAM, CPU type and speed, and flash memory size. Interface information includes the type, MAC address, and interrupt request (IRQ) number for each port. The licensed features section is critical: it lists each feature, its current count, and the license type (perpetual, evaluation, or subscription) with expiration dates if applicable. A healthy system will show perpetual licenses for essential features like maximum interfaces and VLANs, and evaluation licenses should have sufficient time remaining. Problem values include expired licenses (e.g., 'Expired') or features showing 'Disabled' when they are needed. The serial number and activation key are used for license registration and support. The configuration register (usually 0x1) indicates the boot settings. Finally, the last configuration change timestamp helps track when the config was last modified.

Configuration Scenarios

Verifying software version before upgrade

A network engineer needs to upgrade the ASA from version 9.8 to 9.12. They must confirm the current version and ensure the hardware supports the target release.

Topology

Single ASA 5516 firewall connected to internal and external networks.

Steps

  1. 1.Connect to the ASA via SSH or console.
  2. 2.Enter Privileged EXEC mode with 'enable'.
  3. 3.Run 'show version' to capture current software version, hardware model, and RAM.
  4. 4.Compare the output with the upgrade requirements from Cisco documentation.
Configuration
! No configuration changes needed for this verification step.

Verify: The output shows 'Cisco Adaptive Security Appliance Software Version 9.8(4)30' and hardware 'ASA5516, 8192 MB RAM'. This meets the minimum requirements for version 9.12.

Watch out: Ensure the system image file path is correct; if the upgrade fails, the ASA may boot from a backup image.

Troubleshooting with This Command

When troubleshooting issues on a Cisco ASA firewall, the 'show version' command is often the starting point. For example, if users report VPN connectivity problems, checking the licensed features section can reveal whether the AnyConnect Premium Peers license has expired or if the total VPN peer count is insufficient. If the output shows 'AnyConnect Premium Peers: 2 evaluation (Expired)', the VPN service will be disabled, and the license must be renewed. Similarly, if the firewall is experiencing performance issues, the hardware section can confirm the amount of RAM and CPU speed; insufficient memory may cause slowdowns. The uptime field is crucial for diagnosing unexpected reboots. If the uptime is only a few hours, the engineer should investigate the reload reason using 'show crash' or 'show logging'. The software version is also important: if a known bug exists in the current version, upgrading to a fixed release may resolve the issue. For example, version 9.12(4)30 might have a bug affecting IPsec tunnels that is fixed in 9.12(4)34. The command also helps in license compliance audits. If the organization has purchased a 100-user AnyConnect license but the output shows 'AnyConnect Premium Peers: 2', the license may not have been properly installed. In that case, the engineer would need to re-apply the activation key. Additionally, the configuration register value (usually 0x1) indicates that the ASA will boot from the startup configuration. If the register is set to 0x0, the device might boot into ROMMON mode, which would require recovery steps. Finally, the last configuration change timestamp can help correlate with network issues: if a problem started after a specific time, the configuration change at that time might be the cause. In summary, 'show version' provides essential baseline data that guides further troubleshooting steps.

CCNA Exam Tips

1.

For CCNP Security, know that 'show version' is the first command to check after a reload to confirm the ASA is running the expected software version.

2.

Memorize that the license type (perpetual vs evaluation) appears in the output; exam questions may ask about license expiration.

3.

Be able to identify the hardware model and RAM from the output, as this affects feature support (e.g., ASA 5506-X vs 5516).

Common Mistakes

Confusing 'show version' with 'show running-config' – version shows software/hardware info, not configuration.

Overlooking the license expiration field; assuming all licenses are perpetual can lead to service disruption.

Ignoring the uptime field; a low uptime may indicate a crash or power issue that needs investigation.

Platform Notes

On Cisco ASA firewalls, the 'show version' command is similar to the 'show version' command on Cisco IOS routers and switches, but with ASA-specific fields such as license features and ASDM version. Unlike IOS, ASA does not have a 'show version | include uptime' option; the entire output must be parsed. On ASA, the command also displays the 'Device Manager Version' (ASDM), which is not present on IOS devices. The license information section is unique to ASA and is critical for feature activation. On other platforms like Cisco Firepower Threat Defense (FTD), the equivalent command is 'show version' as well, but the output includes FTD-specific software components. In terms of version differences, older ASA versions (pre-9.0) may show different license output formats, but the core information remains the same. For ASA running in multiple context mode, 'show version' displays the version for the current context, but the hardware and license information is system-wide. It is important to note that the 'show version' command does not require any privilege level beyond Privileged EXEC (enable mode). The command is non-disruptive and can be run at any time. For automation, the output can be captured via SNMP or using the 'show version | grep' pattern to extract specific fields. When comparing with Cisco IOS, note that ASA does not support the 'show version | include' syntax; instead, use 'show version | grep' (case-sensitive). Also, the ASA command 'show version' does not have optional parameters like 'brief' or 'detail'; it always shows the full output.

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions