cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5511
Views
3
Helpful
6
Replies

Minimizing Downtime ASA Pair Upgrade

mmedwid
Level 3
Level 3

Hi have a redundant pair of ASA 5510s and I have uploaded the 8.3 code to flash of each ASA.

Is there a recommended order for setting boot order priority for the new 8.3 code and rebooting

the ASA?  The is - would is be better to upgrade and reboot the standby ASA first or the

active ASA first?  I don't have a lab to test this so need to make sure I don't get anything

wrong in the procedure.  I went through the document below on upgrading but it does not

advise on dealing with the redundant pair.  Thank-you.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#asdm6.x1

2 Accepted Solutions

Accepted Solutions

Panos Kampanakis
Cisco Employee
Cisco Employee

You can do a hitless upgrade from 8.2 to 8.3.

Change the boot statement on the standby and reload it. It should come up in 8.3 as standby and synchronize with mate.

Change the boot system command on the active and make it standby and reboot it. The peer running 8.3 should be active while it is rebooting.

After it is up both are running 8.3 and they should establish failover.

I hope it helps.

PK

View solution in original post

Tim Glen
Cisco Employee
Cisco Employee

PK is right on.

Here is the document with the details for an ASA Zero Downtime Upgrade.  Watch out for your versions you need to "step up" and not jump.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398

Good Luck

View solution in original post

6 Replies 6

Panos Kampanakis
Cisco Employee
Cisco Employee

You can do a hitless upgrade from 8.2 to 8.3.

Change the boot statement on the standby and reload it. It should come up in 8.3 as standby and synchronize with mate.

Change the boot system command on the active and make it standby and reboot it. The peer running 8.3 should be active while it is rebooting.

After it is up both are running 8.3 and they should establish failover.

I hope it helps.

PK

Tim Glen
Cisco Employee
Cisco Employee

PK is right on.

Here is the document with the details for an ASA Zero Downtime Upgrade.  Watch out for your versions you need to "step up" and not jump.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398

Good Luck

Hello mmedwid

Could you please confirm that this procedure works for you? I had problem following this procedure in the past upgrading from 8.0 to 8.2? when the standby comes up with the new version the failover will be broken as there will be different version on ASA’s.

Thanks in advance for your answer

Hello Belal,

To avoid disruption, you need to upgrade the standby device first and then failover to this device and upgrade other. This way you will not face any issues.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Hello,

Thanks for your answer, but I did the upgrade first on the standby unit, and when the standby comes up with the new version the failover was not working any more as the primary was in the old version (there was a error message seeing that there is a mismatch version between ASA's).

So what i did is:

1. disconnect the standby (with the new version) from the network

2.  reboot the active ( in this case there was a down time)

3. put the secondary ASA on standby mode (when the failover was broken this unit passed to active mode, so i had two active on my network)

4. enable failover again

Thanks

Hello Belal,

The behavior expected as no downtime at all. Here is a document which states the same : http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1057338

If you have a TAC contract, please discuss the seek assistance in the upgrade. You should ideally not face any downtime at all. As far as a message is concerned it is a warning which states that mate is running on a different code. At this point if you chech for "show failover", it will show failover setup working but prompt both running on different codes.

Regards,

Chirag

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: