Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1577
Views
0
Helpful
3
Replies

ASA migration from 8.2 to 8.4 (active/standby) without outage

Jim Main
Level 1
Level 1

‎03-22-2012 11:19 AM - last edited on ‎02-21-2020 11:22 PM by Community Manager

Hi there .... I need to upgrade a pair (active/standby) of ASA from 8.2.5 to 8.4.3 ... I have a script created to modify all NAT rules I need, and I have tested it in lab, and I think I'm good with it.

Now, I want to figure out if there's a way to do this without an outage. Previously, when configuration were compatible between version, there was no problem. You could usually force secondary unit to be active, upgrade primary (rebooting), making primary the active again, and do the upgrade on secondary ... no outage at all

Now, as new software doesn't support old configuration, if I follow that process, as soon as I bring primary up with new software, it will try to get the configuration from the active one, which won't work ... Is there another option than having a short outage (turn off secondary acting as active, while primary is coming back with new software and configuration already changed?)

Thanks

0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎03-28-2012 02:07 PM

Hi,

I've wondered the same thing. I haven't had time to lab the process yet though.

We have some bigger customers that will eventually be facing this upgrade on their failover pairs. Luckily we've been doing alot of replacing firewall hardware so we have been able to just transfer customers behind ready 8.4 software failover pairs from old hardware.

So have you actually tested upgrading one ASA to 8.4 while having the other one connected on 8.2 software? Has the failover gone/stayed down after the reload? Has the 8.4 software ASA received all the xlate/connection information from the 8.2 ASA after the reload?

Personally I'm thinking that I will probably just remove the standby pair from the network, wipe the configuration, upgrade the software, drop the configurations and replace the 8.2 ASA with the updated one by just physically changing the cables. After that just update the old ASA and configure it with failover configurations and let it load the configurations from the new Primary unit.

Though I think I will still lab the update process myself. I will reply here with my results if I do go through with it.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Jouni Forss

‎03-29-2012 08:30 PM

Just follow the upgrade guide in the release notes. It is a zero downtime process. I've done it several times. The standby unit (upgraded first) will parse and convert the primary unit's configuration syntax as necessary when it syncs.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Marvin Rhoads

‎03-29-2012 10:18 PM

Hi,

The fact that ASA does the change of configuration format from 8.2 -> 8.4 is enough reason for me to just manually rewrite the whole configuration.

Mostly the reasons are cosmetic for me. I want to name all the "objects" myself. Though theres ofcourse the option of renaming the object after the update also.

I'm not sure though if the ASA creates any object-groups during the change since those you can rename on the fly.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card