Few questions about ASA upgrade from 8.2(2) to 8.2 (5)

Answered Question
Sep 2nd, 2011

Hi Friends,

I have never touched a firewall box before, but I need to upgrade the IOS on 2 ASAs that are running in production. I am upgrading from 8.2(2) to 8.2(5). Just to point out, one of the firewalls has an SSM module with it. Below at the end is the "sh inventory" output.

I have downloaded the asa825-k8.bin and asdm-645-106.bin files already on my computer.

Two queries to clear off:

1. Wanted to know if I need to download any more files, like some feature licenses or anything else? I did "dir flash:" to see what contents it had already and this was it:

28    -rwx  16275456    02:18:46 Nov 07 2010  asa821-k8.bin
129    -rwx  11348300    04:34:32 Nov 07 2010  asdm-621.bin
3      drwx  4096        08:03:46 Jan 01 2003  log
10     drwx  4096        08:04:00 Jan 01 2003  crypto_archive
11     drwx  4096        08:04:32 Jan 01 2003  coredumpinfo
131    -rwx  12105313    04:19:40 Nov 07 2010  csd_3.5.841-k9.pkg
132    drwx  4096        04:19:42 Nov 07 2010  sdesktop
133    -rwx  2857568     04:19:44 Nov 07 2010  anyconnect-wince-ARMv4I-
134    -rwx  3203909     04:19:46 Nov 07 2010  anyconnect-win-2.4.1012-
135    -rwx  4832344     04:19:48 Nov 07 2010  anyconnect-macosx-i386-2
136    -rwx  5209423     04:19:50 Nov 07 2010  anyconnect-linux-2.4.101
137    -rwx  16459776    10:52:44 Apr 28 2011  asa822-k8.bin
138    -rwx  14240396    10:53:12 Apr 28 2011  asdm-631.bin
139    -rwx  11862220    11:10:12 Apr 28 2011  asdm-625.bin
143    -rwx  48299       15:03:20 Sep 02 2011  10.80.24.74

2. How do I take a complete backup like it works in ASDM v6.2 "Tools->Backup configurations"? I was reading through the RN for doing that and, from what I could understand, it was talking about some "export" thing, but it did not make much sense to me.

Below are the sh version and sh inventory from both the ASAs. It would be highly appreciated if someone can help me fill in the gaps in my understanding, and also so that I can do this job smoothly.

FW01# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

RHHQAPFW01 up 102 days 1 hour

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is c471.fe8a.45f6, irq 9
1: Ext: GigabitEthernet0/1  : address is c471.fe8a.45f7, irq 9
2: Ext: GigabitEthernet0/2  : address is c471.fe8a.45f8, irq 9
3: Ext: GigabitEthernet0/3  : address is c471.fe8a.45f9, irq 9
4: Ext: Management0/0       : address is c471.fe8a.45f5, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1504L1DG
Running Activation Key: <Deleted for security reason>
Configuration register is 0x1
Configuration last modified by admin at 09:19:08.880 WST Fri Sep 2 2011
RHHQAPFW01#

RHHQAPFW01# sh inventory
Name: "Chassis", DESCR: "ASA 5520 Adaptive Security Appliance"
PID: ASA5520           , VID: V06     , SN: JMX1504L1DG

Name: "power supply", DESCR: "ASA/IPS 180W AC Power Supply"
PID: ASA-180W-PWR-AC   , VID: V03 , SN: DTN143882JS

Firewall 2:

RHHQAPFW03# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

RHHQAPFW03 up 102 days 1 hour

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is c84c.75df.5966, irq 9
1: Ext: GigabitEthernet0/1  : address is c84c.75df.5967, irq 9
2: Ext: GigabitEthernet0/2  : address is c84c.75df.5968, irq 9
3: Ext: GigabitEthernet0/3  : address is c84c.75df.5969, irq 9
4: Ext: Management0/0       : address is c84c.75df.5965, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1445L2F1
Running Activation Key: <Deleted for security concern>
Configuration register is 0x1
Configuration last modified by didata at 10:08:08.217 WST Thu Aug 25 2011

RHHQAPFW03# sh inventory
Name: "Chassis", DESCR: "ASA 5520 Adaptive Security Appliance"
PID: ASA5520           , VID: V06     , SN: JMX1445L2F1

Name: "slot 1", DESCR: "ASA 5500 Series Security Services Module-20"
PID: ASA-SSM-20        , VID: V02     , SN: JAF1443CBDA

Name: "power supply", DESCR: "ASA/IPS 180W AC Power Supply"
PID: ASA-180W-PWR-AC   , VID: V03 , SN: DTN143384VA

Correct Answer
anchacko Fri, 09/02/2011 - 03:33

Hi Mohit,

1. To upgrade an interim version, you don't need to download any extra files. Just copy the image file to the flash and boot it. 

2. To backup your configuration, you copy the running config to a tftp server by using the command "copy run tftp" on the ASA.

Use TFTPd32 as the tftp server. You can download it at:

http://tftpd32.jounin.net/tftpd32_download.html

Let me know if you have more queries.

Regards,

Anu

chauhan_mohit Fri, 09/02/2011 - 03:45

Hi Anu

First of all thanks for the quick reply

Also wanted to know about the complete backup. As I mentioned in my original query. What would happen if I need to roll back, my planning was to take a complete backup and do a restore in case I need to.

Regards,

Mohit


Correct Answer
anchacko Fri, 09/02/2011 - 04:42

Hi Mohit,

With the upgrade, you will not lose your running config. However, it is  always best to have a backup copy of the "sh run" output. If you need to restore your configuration, you need only the "sh run" from the ASA. You can copy paste the configuration from the text file to the CLI.

Hope this helps! Let me know if you have more queries.

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.
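The backup, upgrade and rollback steps discussed in these replies, written out as one ASA CLI session. This is an added example, not part of any post on this thread; the TFTP server address 192.0.2.10 and the backup file names are assumed, and the image names are the ones from the question.

```text
! --- Before touching anything: record the current image, boot order and flash contents ---
show version | include Version
show bootvar
dir disk0:

! --- Step 1: back up the configuration off-box (the "copy run tftp" from the reply above) ---
! 192.0.2.10 is an assumed TFTP server (e.g. a host running TFTPd32). TFTP is cleartext,
! so do this from the management network only and protect the saved file: the running
! config carries password hashes, SNMP communities and VPN keys.
copy running-config tftp://192.0.2.10/RHHQAPFW03-pre-825.cfg
copy startup-config tftp://192.0.2.10/RHHQAPFW03-startup-pre-825.cfg
! "show running-config" masks pre-shared keys as *****; a restore-grade copy needs the
! unmasked form, so capture this terminal output as well (pager off so nothing is cut):
terminal pager 0
more system:running-config

! --- Step 2: stage the new images in flash (asa825-k8.bin / asdm-645-106.bin from the question) ---
copy tftp://192.0.2.10/asa825-k8.bin disk0:/asa825-k8.bin
copy tftp://192.0.2.10/asdm-645-106.bin disk0:/asdm-645-106.bin
! Confirm the copies are complete and unmodified: compare the printed MD5 with the
! checksum on the Cisco download page (value not reproduced here).
verify /md5 disk0:/asa825-k8.bin
verify /md5 disk0:/asdm-645-106.bin

! --- Step 3: put the new image first in the boot order, keep the old one as fallback ---
! (boot system entries are tried in the order they appear; re-add the old one second)
configure terminal
 no boot system disk0:/asa822-k8.bin
 boot system disk0:/asa825-k8.bin
 boot system disk0:/asa822-k8.bin
 asdm image disk0:/asdm-645-106.bin
 exit
write memory
show bootvar

! --- Step 4: reload in a maintenance window, then confirm the running version ---
reload
show version | include Version

! --- Rollback: the config is untouched by the upgrade, so only the boot order changes ---
configure terminal
 no boot system disk0:/asa825-k8.bin
 exit
write memory
reload
! If the box stops at the rommon> prompt (the worst case KS describes), the old image is
! still in flash and can be started from there:  boot disk0:/asa822-k8.bin
```

If the configuration ever has to be rebuilt, the unmasked `more system:running-config` capture is the one to paste back into the CLI; the `show run` copy will not carry working VPN pre-shared keys.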

chauhan_mohit Fri, 09/02/2011 - 04:52

Hi Anu

Thanks again, but wouldn't I need to worry about the feature license or anything related? And how about the SSM upgrade?

Regards

Mohit Chauhan

Communications Engineer

Poonguzhali Sankar Fri, 09/02/2011 - 06:07

Mohit,

If you have never done an upgrade before, please try this out in the lab before upgrading the production boxes. It is very simple, yet I suggest trying this out in the lab.

That said, the SSM module upgrade is exclusive of the ASA upgrade. You can leave it alone or choose to upgrade it. I am not sure if this is CSC-SSM or IPS-SSM. The only thing to keep in mind is that when you upgrade the SSM module and reload it, it will trigger a failover if the module in the active unit gets reloaded. You mentioned 2 ASAs, so I am assuming it is a failover pair.

You can follow this link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1057338

-KS

chauhan_mohit Fri, 09/02/2011 - 06:20

Hi KS

Sorry if I had not mentioned that before, they are not a failover pair. Otherwise I would have imagined having SSM module on both the firewalls.

It's actually an internal firewall (with SSM) and an external firewall (without SSM).

I understand it should be good to have lab experience at least once, but that's not possible with the circumstances in place. What would be the worst-case scenario we can imagine here? And what's the best approach to mitigate that risk?

Regards,

Mohit

Correct Answer
Poonguzhali Sankar Fri, 09/02/2011 - 07:13

Worst case...unit reloading and going into rommon >

Your ID shows up as a Cisco partner, so please open a proactive TAC case so you will have assistance if needed.

Good luck and hope the upgrade goes smoothly.

-KS

chauhan_mohit Thu, 09/22/2011 - 18:29

Sorry for coming back late. The firewall upgrade went all smooth. There were 2 ASAs and one of them had an SSM module, but it wasn't being used, so I left it aside.

Thanks for your help KS.

Posted September 2, 2011 at 2:13 AM