ASA image downgrade in active/standby

Daniel Voicu Wed, 07/30/2008 - 00:39


Keep all connections intact and load the new IOS on the secondary ASA. On 8.x you can do that by uploading the new image using ASDM (no outage).

Shut the primary ASA then reload the secondary ASA (2-3 minutes outage) and expect the standby to become the master using the new IOS. Check that all the traffic and services are running with the new IOS.

If something goes wrong, shut the secondary ASA and power up the primary (that still has the original IOS) and separately troubleshoot the secondary.

Disconnect the primary from all network connections (the secondary is up and elected as master) and downgrade its IOS (no outage).

Plug the primary back in the network and issue the command: failover active to make it again the active device (small outage of about 5-10 seconds).

So overall you will have 2-3 minutes of outage followed by another 5-10 seconds while swapping the master.

Please rate if this helped.



franklinb Wed, 11/09/2011 - 14:57

Isn't there a zero-downtime way of downgrading? The documentation details how to do a zero-downtime *upgrade*, so is there any reason why these steps wouldn't work for downgrade as well (downgrade standby unit and reload it, make it the active, downgrade primary unit and reload it, make it active)?

Patrick Moubarak Wed, 11/16/2011 - 12:18

I would approach the problem as a zero downtime upgrade and follow the steps you noted.

Be careful with NATs and ACL config if you are going back from 8.3 to 8.2.

Also, zero-downtime upgrade works with 1 version at a time (8.2 to 8.3; 8.3 to 8.4; Cisco does not recommend 8.0 to 8.4 in a direct upgrade), so be careful there too...

Which version are you using and which version do you want to go to? And why downgrade in the first place?
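
The rolling sequence discussed in the replies above (standby first, swap roles, then the other unit), written out as ASA CLI for an active/standby pair. This is an added example, not part of any post in the thread. The image filenames and the TFTP address 192.0.2.10 are placeholders, and it assumes the target image is one release step away from the running one.

```cisco
! Added example. <target-image>.bin, <current-image>.bin and 192.0.2.10
! are placeholders. Run on the ACTIVE unit unless a step says otherwise.

! 1. Confirm both units are healthy and note the running version.
show failover
show version | include Software

! 2. Stage the target image on both units.
copy tftp://192.0.2.10/<target-image>.bin disk0:/<target-image>.bin
failover exec mate copy /noconfirm tftp://192.0.2.10/<target-image>.bin disk0:/<target-image>.bin

! 3. Point the boot variable at the target image and save the config.
configure terminal
 no boot system disk0:/<current-image>.bin
 boot system disk0:/<target-image>.bin
 end
write memory

! 4. Reload only the standby; the active unit keeps forwarding traffic.
failover reload-standby

! 5. Wait until the standby is back and reports "Standby Ready".
show failover

! 6. Hand the active role to the reloaded unit, then reload this one.
no failover active
reload

! 7. On this unit, once it is back and in sync: take the active role
!    again if the original role assignment should be restored.
failover active
show failover
```

Keep the previous image on disk0: until traffic and services have been checked on the target version, so the boot variable can be pointed back at it.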


