Cisco Support Community

New Member

8.2.5-33 upgrade to 8.4.7

I have run into more problems attempting this upgrade than expected. I originally tried going from 8.2.5 to 8.3, and Cisco told me to go directly to 8.4.7.

ISSUE # 1: Their instructions on doing a zero downtime upgrade on an active standby unit state to upload the image file and code to both units, then reload the standby first to boot with the new 8.4.7 code. That works; however, as soon as it is up (and before I am able to log in to enter any commands), replication from the active mate occurs and pushes down code from the active unit running 8.2.5 to the current standby running 8.4.7. How is this preventable without removing the failover cable?

 

ISSUE # 2  

When trying to go through the downgrade steps in the published Cisco ASA 5500 Migration to Version 8.3 and later guide, I have tried both ASDM and command line downgrades with no luck. I select 8.2.5(33) as the image file and the 8_2_5_33_startup_cfg file as the configuration file, and when it boots, it does use the 8.2.5.33 image file, but it contains 8.4.7 commands which are not compatible. This results in the Cisco taking over 3 hrs to run through the configuration errors. In test, this is easily resolved by setting the device back to factory defaults, resetting the boot image, and loading a good configuration file, but it takes hours to do. I can't do this in production if we need to downgrade.

 

ISSUE # 3.  Despite all the guides saying that during an upgrade to 8.3 you should get a Nat Ident Migrate file, I have not seen that happen going to 8.3 or 8.4.

 

Does anyone have any input or advice for any of these Issues?  Probably user error. :-)

1 REPLY
Cisco Employee

Hi,

As per the ISSUE#1:- This cannot be prevented on the HA Pair.

ISSUE#2:- I think this might be due to the ACL and NAT statement being converted to the new configuration.

ISSUE#3:- You can check the migration errors file created automatically on the ASA device after upgrade to find the errors with migration.

Please refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html#wp40032

https://supportforums.cisco.com/document/48646/asa-83-upgrade-what-you-need-know

Thanks and Regards,

Vibhor Amrodia
