Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
20062
Views
20
Helpful
3
Replies

ASA HA upgrade procedure

billmatthews
Level 1
Level 1

‎01-07-2012 05:51 PM - edited ‎03-11-2019 03:11 PM

Hello,

I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure.  I read "Upgrading an Active/Standby Failover Configuration" at http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1057338 which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby.

But I was wondering if there's a way to a way to be a bit safer.  I'd like to modify the standby unit, without affecting the config on the active.  So I'd like to modify the boot statement on the standby without modifying the active config.  That way incase there's a problem and the active reboots, it won't upgrade. 

Can I modify the config on the standby without affecting the active?

Then I'd like to test the newly upgraded unit with our production traffic.  Would that simply be no failover active, and then once the standby becomes active -- test traffic? 

Once everything is okay, I would upgrade the second unit, and fail traffic back.

Thanks

Bill

Labels:
0 Helpful
3 Replies 3

varrao
Level 10
Level 10

‎01-07-2012 10:30 PM

Hi Bill,

What you can do is, change the boot parameter on the secondary first, reload the device, upgrade the secondary and then on the primary issue no failover active command, test it on the secondary first, if everything is fine then set boot parameter on the primary and upgrade it the same way.

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

billmatthews
Level 1
Level 1
In response to varrao

‎01-10-2012 07:36 AM

Thanks Varun, that worked -- with one small hiccup.

The secondary was running the new version, with the modified boot statement.  But while we were working, the primary sync it's config to the secondary, overwriting the boot statement.  I thought if the versions were different it wouldn't overwrite the config? 

We manually put it back.  But is there a way to temporarily stop config sync?

Thanks

0 Helpful

varrao
Level 10
Level 10
In response to billmatthews

‎01-10-2012 07:43 AM

Hi Bill,

That is the reason why we need to put the boot parameter on the devices together before upgrading, but if you dont want to then you would need to disable failover between them be either unplugging the cables or by issuing the command "no failover active", but then this type of method might include downtime as well.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card