ASA 5520 Upgrade 8.0(4)-->8.4.2--Zero Downtime

Hello Everyone,

We are currently on 8.0(4) and planning on upgrading our failover pair to 8.4.2. I read some documents saying that we can perform a zero-downtime upgrade.

According to the below documents, version 8.2 supports mismatched memory failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536

https://supportforums.cisco.com/message/3549760#3549760//

Upgrade Path:

Active Firewall:                  Standby Firewall:

8.0(4)                            8.0(4)-->8.2.2

8.0(4)                            Upgrade RAM-2G---Reload

Failover to standby               8.2.2

8.0(4)--->8.2.2                   8.2.2

Upgrade RAM-2G-reload             8.2.2----Fail over

8.2.2--Active                     8.2.2--Standby

8.2.2                             8.3.1

8.2.2                             8.4.2

Failover to standby               8.4.2

8.2.2--Standby                    8.4.2-----Active

Can I perform a zero-downtime upgrade with the above upgrade path? Will both the firewalls act as a failover pair if one is on 8.2.2 and the other is on 8.4.2?

"Performing Zero Downtime Upgrades for Failover Pairs

The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support." (http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/admin_swconfig.html)

Siddhartha
Accepted Solutions

Re: ASA 5520 Upgrade 8.0(4)-->8.4.2--Zero Downtime

You can do it in a lot fewer steps.

1. Upgrade RAM on standby, reload and make it active.

2. Repeat process for newly standby unit.

Now you have 2 units still on 8.0(4) with requisite RAM for 8.3+. TAC will recommend you go up in "baby steps" but the software will work upgrading directly from 8.0 to 8.4. 8.4(3) is the current version for the 5520 platform. At most conservative, I might upgrade to 8.2(4) as an interim but it's not strictly necessary. So my next step would be:

3. Upgrade standby unit from 8.0(4) to 8.4(3). At this point take stock of the script syntax changes. Examine the upgrade log (on disk0:) and address any discrepancies.

Note active/standby failover will work here but should not be run this way for any extended time as syntax changes would affect the ability to synchronize if changes are introduced on the active member.

Finally:

4. Flip upgraded standby unit to active and upgrade remaining standby unit to 8.4(3).

If you follow these steps and check your work after each step, this would all be zero downtime.
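
A pre-flight check for the "check your work after each step" advice in the answer above, as an added example that is not part of the original thread: it parses `show failover` output taken on the active unit, blocks the role flip unless the mate is in Standby Ready, and flags the mixed-version window the answer warns about. The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `show failover` output on the active unit after step 3
# (standby already on 8.4(3)); not captured from a real device.
SAMPLE_AFTER_STEP3 = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Version: Ours 8.0(4), Mate 8.4(3)
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

def parse_show_failover(text):
    """Pull out failover status, both units' states and both software versions."""
    info = {"enabled": bool(re.search(r"^Failover On\s*$", text, re.M))}
    m = re.search(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)", text)
    info["ours"], info["mate"] = m.groups() if m else (None, None)
    for key, label in (("this", "This host"), ("other", "Other host")):
        m = re.search(rf"{label}:\s*\w+\s*-\s*(.+?)\s*$", text, re.M)
        info[key] = m.group(1) if m else None
    return info

def check_pair(text):
    """Gate for 'make the standby active': list blockers, flag mixed versions."""
    info = parse_show_failover(text)
    blockers = []
    if not info["enabled"]:
        blockers.append("failover is not enabled")
    if info["this"] != "Active":
        blockers.append(f"this unit is {info['this']!r}; run on the active unit")
    if info["other"] != "Standby Ready":
        blockers.append(f"mate is {info['other']!r}, not 'Standby Ready'")
    if None in (info["ours"], info["mate"]):
        blockers.append("could not read software versions")
    # Mixed versions: failover works, but avoid config changes on the active unit.
    mixed = info["ours"] != info["mate"]
    return {**info, "ok": not blockers, "blockers": blockers, "mixed_versions": mixed}

if __name__ == "__main__":
    result = check_pair(SAMPLE_AFTER_STEP3)
    print("safe to flip:", result["ok"], "| mixed versions:", result["mixed_versions"])
    for b in result["blockers"]:
        print("BLOCKER:", b)
```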

Re: ASA 5520 Upgrade 8.0(4)-->8.4.2--Zero Downtime

Thanks for your reply, Marvin. I read in the release notes that 8.0(4) doesn't support mismatched memory failover; that's why we are planning on going to 8.2.2 before the RAM upgrade.

Siddhartha

Hi Siddhartham,

Can you please advise on the below?

8.2.2--Standby                           8.4.2-----Active

Will both the firewalls act as a failover pair if one is on 8.2.2 and the other is on 8.4.2?

Thanks

ASA 5520 Upgrade 8.0(4)-->8.4.2--Zero Downtime

When you say zero-downtime upgrade, are you considering the configuration (NAT and access-list) syntax changes in post-8.3 versions, or are you just considering the software upgrade?

Thanks

Re: ASA 5520 Upgrade 8.0(4)-->8.4.2--Zero Downtime

Hi Anand, we were done with the upgrade and were able to do the zero time upgrade.

In my above post, I was asking just about the software because we already tested the NAT and access list conversions in the lab.


Siddhartha