How to upgrade the ASA5520?

Mar 13th, 2007

I have two asa5520s and they are configured as active/active failover and multi-contents.


Now, I need to upgrade their images. But I find:

1. On the asa5520 on which content admin is active, I can go to system (with changeto system) and I can upgrade the ASA image and the ASDM image.


2. On the asa5520 on which content admin is standby, I cannot go to the system side:

my-asa5520-2/content2#changeto system

Command not valid in current execution space.


Could anyone advise me:

How can I upgrade the image for the second box?

Is my configuration of failover/multi-contents wrong? If so, how do I configure the failover/multi-contents to allow me to go to system space on the second box?


Any comments will be appreciated


Thanks in advance




vitripat Wed, 03/14/2007 - 10:40

It could be a little confusing, but I'll try to make it simple.


Upgrading firewalls in Active/Active mode:


I would denote the two ASAs as follows:


ASA1 (Admin context Active/Ctx1 context Standby)

ASA2 (Admin context Standby/Ctx1 context Active)


Assuming that both ASAs are running on 7.1.2 code.


So .. before starting the upgrade procedure, following is the status of the two ASAs:


ASA1 (Admin context Active/Ctx1 context Standby)

ASA2 (Admin context Standby/Ctx1 context Active)


Step 1) Login to the Admin context on ASA1 and copy the new image to flash.


Step 2) Move to the system execution space of ASA1 from Admin context and set the image to use the newly copied image. DO NOT RELOAD THE ASA YET. Current state:


ASA1 (Admin context Active/Ctx1 context Standby) --> pointing to new image.

ASA2 (Admin context Standby/Ctx1 context Active)


Step 3) Move back to Admin context on ASA1 and fail this context to ASA2 using "no failover active" command. Now the current state of ASAs is:


ASA1 (Admin context Standby/Ctx1 context Standby) --> pointing to new image.

ASA2 (Admin context Active/Ctx1 context Active)


Step 4) Shut down ASA1, do not reload, shutdown. Current state:


ASA1 (SHUTDOWN) --> pointing to new image.

ASA2 (Admin context Active/Ctx1 context Active)


Step 5) Login to the Admin context on ASA2 and copy the new image to flash.


Step 6) Move to the system execution space of ASA2 from Admin context and set the image to use the newly copied image. DO NOT RELOAD THE ASA YET. Current state:


ASA1 (SHUTDOWN) --> pointing to new image.

ASA2 (Admin context Active/Ctx1 context Active) --> pointing to new image.


Step 7) Shutdown the ASA2 and power on ASA1. Current state:


ASA1 (BOOTING) --> pointing to new image.

ASA2 (SHUTDOWN) --> pointing to new image.


Step 8) Once the ASA1 has booted up, it will start using the new image. Current state:


ASA1 (Admin context Active/Ctx1 context Active) --> up with new image.

ASA2 (SHUTDOWN) --> pointing to new image.


Step 9) Now boot ASA2, once up, current state should be:


ASA1 (Admin context Active/Ctx1 context Active) --> up with new image.

ASA2 (Admin context Standby/Ctx1 context Standby) --> up with new image.


Both the ASAs have been upgraded successfully. Now, if the failover groups are configured with the "preempt" command, failover group 2 will automatically become active on ASA2; if failover group 2 is not configured with "preempt", we will need to manually fail over ctx1 context from ASA1 to ASA2.


Hope that helps.



Regards,

Vibhor.

julxu Thu, 03/15/2007 - 15:20

Vibhor,


Great thanks for the procedure.


When you say shutdown, does it mean going to the machine and manually powering it off? Is there a shutdown command I can use?


On step 7, can I first power on ASA1 and, after ASA1 takes control, then shut down ASA2?

So, I can support the link connection for backend servers.


Please advise.




Correct Answer
vitripat Thu, 03/15/2007 - 16:00

Yw ..


There is no shutdown command available on ASA. We would need to walk up to the device and manually power it off.


On step 7, "can I first power on ASA1 and after ASA1 take control, then shutdown ASA2?"


This will not work, because when ASA1 comes up, there would be a conflict as both are running on different versions. It may cause other issues in the network, thus I would not recommend doing so.


Hope that helps.


Regards,

Vibhor.
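
The ordering question from this thread, as an added sketch that is not part of any post here and not Cisco tooling: it replays the power and boot-image steps of the procedure above, and of the alternative asked about for step 7, and reports the steps at which both units are up on different versions and the steps at which neither unit is up. The action names and the version label "new" are assumptions, power-on is treated as instantaneous, and failover-group state (step 3) is not modelled.

```python
OLD, NEW = "7.1.2", "new"  # 7.1.2 is from the thread; "new" is a placeholder label


def run_plan(plan):
    """Replay (action, unit) steps; return (conflict_steps, all_down_steps)."""
    units = {name: {"up": True, "running": OLD, "boot": OLD}
             for name in ("ASA1", "ASA2")}
    conflicts, all_down = [], []
    for n, (action, name) in enumerate(plan, start=1):
        unit = units[name]
        if action == "set_boot_image":
            unit["boot"] = NEW            # only takes effect at the next boot
        elif action == "power_off":
            unit["up"] = False
        elif action == "power_on":
            unit["up"], unit["running"] = True, unit["boot"]
        else:
            raise ValueError(f"unknown action: {action}")
        running = [u["running"] for u in units.values() if u["up"]]
        if len(set(running)) == 2:        # both up, versions differ
            conflicts.append(n)
        if not running:                   # neither unit is up
            all_down.append(n)
    return conflicts, all_down


# Order given in the answer (thread step numbers in comments).
THREAD_PLAN = [
    ("set_boot_image", "ASA1"),  # step 2
    ("power_off", "ASA1"),       # step 4
    ("set_boot_image", "ASA2"),  # step 6
    ("power_off", "ASA2"),       # step 7, first half
    ("power_on", "ASA1"),        # step 7, second half
    ("power_on", "ASA2"),        # step 9
]

# Order asked about in the follow-up: power on ASA1 before shutting down ASA2.
ASKED_PLAN = THREAD_PLAN[:3] + [
    ("power_on", "ASA1"),
    ("power_off", "ASA2"),
    ("power_on", "ASA2"),
]

if __name__ == "__main__":
    for label, plan in (("thread order", THREAD_PLAN), ("asked order", ASKED_PLAN)):
        conflicts, all_down = run_plan(plan)
        print(f"{label}: version conflict at {conflicts}, no unit up at {all_down}")
```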
