ASA HA upgrade procedure

Unanswered Question
Jan 7th, 2012

Hello,

I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure.  I read "Upgrading an Active/Standby Failover Configuration" at http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1057338 which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby.

But I was wondering if there's a way to a way to be a bit safer.  I'd like to modify the standby unit, without affecting the config on the active.  So I'd like to modify the boot statement on the standby without modifying the active config.  That way incase there's a problem and the active reboots, it won't upgrade. 

Can I modify the config on the standby without affecting the active?

Then I'd like to test the newly upgraded unit with our production traffic.  Would that simply be no failover active, and then once the standby becomes active -- test traffic? 

Once everything is okay, I would upgrade the second unit, and fail traffic back.

Thanks

Bill

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (2 ratings)
varrao Sat, 01/07/2012 - 22:30

Hi Bill,

What you can do is, change the boot parameter on the secondary first, reload the device, upgrade the secondary and then on the primary issue no failover active command, test it on the secondary first, if everything is fine then set boot parameter on the primary and upgrade it the same way.

Hope that helps,

Thanks,

Varun

billmatthews Tue, 01/10/2012 - 07:36

Thanks Varun, that worked -- with one small hiccup.

The secondary was running the new version, with the modified boot statement.  But while we were working, the primary sync it's config to the secondary, overwriting the boot statement.  I thought if the versions were different it wouldn't overwrite the config? 

We manually put it back.  But is there a way to temporarily stop config sync?

Thanks

varrao Tue, 01/10/2012 - 07:43

Hi Bill,

That is the reason why we need to put the boot parameter on the devices together before upgrading, but if you dont want to then you would need to disable failover between them be either unplugging the cables or by issuing the command "no failover active", but then this type of method might include downtime as well.

Thanks,

Varun

Actions

Login or Register to take actions

This Discussion

Posted January 7, 2012 at 5:51 PM
Stats:
Replies:3 Avg. Rating:5
Views:2695 Votes:0
Shares:0

Related Content

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,170
4 1,473
5 1,446