I understand your plan for upgrading appliances and remote agent server. This is actually the right practice.
We should always have the ip address of primary ACS SE as a configuration providerso If you are upgrading backup one first then let the primary server catering the authentication request and upgrade the remote agent server while upgrading the primary ACS SE.
From installation guide:
Although a remote agent can accept inbound communication from many appliances, it accepts configuration instructions from only a single appliance that you specify in the CSAgent.ini file. This special appliance is called a configuration provider.
When a remote agent starts, it reads its CSAgent.ini file to determine which services should be available and which appliance is its configuration provider. Then it contacts the configuration provider and requests its configuration.
After receiving its configuration from the configuration provider, the remote agent is available to provide the services configured in CSAgent.ini.
Well, yes you can upgrade the primary server but why I suggested you to upgrade the secondary first; all your NAS devices should have the primary server listed first so if there is no communication with primary server there might be some delay while user try to authenticate.
IMP : Whenever we change/delete the primary/secondary remote agent under external user database...group mapping will disappear.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :