ASA Upgrade path

Gary Gordon · ‎04-26-2012

I'm in the process of upgrading our ASA 5520's from 8.2 to 8.4. I have sufficient memory installed and have read many posts in this forum on different upgrade strategies. I have an active/standy configuration and have settled on upgrading the standy unit from 8.2 to 8.3 then to 8.4, fixing any errors, testing traffic and then upgrading the primary unit to the latest rev. I've read where active/standy mismatching is supported but for a short period. My question is how long will I be able to run two boxes with different software? Unfortunately I don't have the option of doing this off line in a lab.

Thanks.

Marvin Rhoads · ‎04-26-2012

While some folks advocate the 8.3 step, you can go straight to 8.4 from 8.2.

Staying in a version mismatch state is not recommended since any commands in the primary will be replicated to the secondary but, if not in 8.3/8.4 syntax (for the items whose syntax changes in the upgrade) you will be left with configuration bits that aren't compatible on your standby unit in the event of a failover. (During the Secondary - Standby unit reload, the 8.2 configuration is parsed and running-configuration syntax changed as necessary) As long as you understand and accept that, you can run for an extended period with the mismatch - you just expose yourself to risk in the event that you have made configuration changes and an unplanned failover occurs. That's why only a 'short period' is the recommended period for such a state.

In all the upgrades I've done, I always upgrade the Primary unit (after validating the Secondary - Standby unit's upgrade went OK and making it Secondary - Active) during the same maintenance window. When it goes well it's a 10-15 minute process for the both of them.

The TAC engineers are well-versed in this process and are very able to support you during the process if you open a case proactively.