ASA migration from 8.2 to 8.4 (active/standby) without outage

Mar 22nd, 2012
Hi there .... I need to upgrade a pair (active/standby) of ASA from 8.2.5 to 8.4.3 ... I have a script created to modify all NAT rules I need, and I have tested it in lab, and I think I'm good with it.

Now, I want to figure out if there's a way to do this without an outage. Previously, when configurations were compatible between versions, there was no problem. You could usually force the secondary unit to be active, upgrade the primary (rebooting), make the primary active again, and do the upgrade on the secondary ... no outage at all.


Now, as new software doesn't support old configuration, if I follow that process, as soon as I bring primary up with new software, it will try to get the configuration from the active one, which won't work ... Is there another option than having a short outage (turn off secondary acting as active, while primary is coming back with new software and configuration already changed?)


Thanks

Jouni Forss Wed, 03/28/2012 - 14:07

Hi,


I've wondered the same thing. I haven't had time to lab the process yet though.


We have some bigger customers that will eventually be facing this upgrade on their failover pairs. Luckily we've been doing a lot of replacing firewall hardware so we have been able to just transfer customers behind ready 8.4 software failover pairs from old hardware.


So have you actually tested upgrading one ASA to 8.4 while having the other one connected on 8.2 software? Has the failover gone/stayed down after the reload? Has the 8.4 software ASA received all the xlate/connection information from the 8.2 ASA after the reload?


Personally I'm thinking that I will probably just remove the standby pair from the network, wipe the configuration, upgrade the software, drop the configurations and replace the 8.2 ASA with the updated one by just physically changing the cables. After that just update the old ASA and configure it with failover configurations and let it load the configurations from the new Primary unit.


Though I think I will still lab the update process myself. I will reply here with my results if I do go through with it.

Marvin Rhoads Thu, 03/29/2012 - 20:30

Just follow the upgrade guide in the release notes. It is a zero downtime process. I've done it several times. The standby unit (upgraded first) will parse and convert the primary unit's configuration syntax as necessary when it syncs.

Jouni Forss Thu, 03/29/2012 - 22:18

Hi,


The fact that ASA does the change of configuration format from 8.2 -> 8.4 is enough reason for me to just manually rewrite the whole configuration.


Mostly the reasons are cosmetic for me. I want to name all the "objects" myself. Though there's of course the option of renaming the objects after the update also.


I'm not sure though if the ASA creates any object-groups during the change since those you can rename on the fly.
