Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
0
Helpful
4
Replies

ASA5550 zero downtime upgrade

Go to solution
Tim Hamblin
Level 1
Level 1

‎12-01-2011 02:16 AM - edited ‎03-11-2019 02:57 PM

Hi all,

I am currently writing up the procedure for doing this upgrade on our current firewalls (active/standby failover pair) and wanted to confirm a few things.

1     We are upgrading from 8.2(2) to 8.4(2) so need to run "no names" and "no nat-control" before upgrade to avoid any issues.  Will I need to do this on both active and standby? (I am presuming I will!!)

2     I will also be doing the same upgrade on another of our networks once this one is complete. Again we have a failover pair but they are running multiple contexts.  Are there any other issues I need to be aware of with this configuration?  Where should I run the above commands on a multi-context firewall etc?

The procedure I am intending to use is as follows:

     Backup configs

     Copy Files to both firewalls

     Set boot on both to new image

     Save changes!

     Reload Standby

     Once Standby is up do "no failover active" on Active

     Reload "Old" Active

     Once "Old" Active is up do "no failover active" on "Old" Standby

     Verify all is running as expected

     Save configs

     Redo "names" command

I have tested this on a single firewall but I have no failover pair to test on and would rather not have any surprises!!

I will, in all probability, be carrying out this change at 1am to avoid production hours, is there any advantage in doing it as a downtime upgrade (i.e. will it be simpler and less troublesome???).

Think thats everything!!!

Thanks in advance for any help!!

Tim

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
varrao
Level 10
Level 10

‎12-01-2011 02:27 AM

Hi Tim,

Your procedure is absolutely correct and definitely the right thing to do it off-production hours, to be able to handle any unexpected issues. In multiple context you would need to run these commands in every context. The steps are right as it shoudl be, and I don't see anything wrong in it at all.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to Tim Hamblin

‎12-01-2011 02:39 AM

Hey Tim,

I would also not be able to do anything without you (literally) , it's always good to help you as well. The no names and no nat-control just needs to be pushed on the active firewall and it would be replicated to the standby as well. In multiple context you need to do it in every context that you have created.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

0 Helpful
4 Replies 4

Go to solution
varrao
Level 10
Level 10

‎12-01-2011 02:27 AM

Hi Tim,

Your procedure is absolutely correct and definitely the right thing to do it off-production hours, to be able to handle any unexpected issues. In multiple context you would need to run these commands in every context. The steps are right as it shoudl be, and I don't see anything wrong in it at all.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
Tim Hamblin
Level 1
Level 1
In response to varrao

‎12-01-2011 02:33 AM

Thanks again Varun, don't know what I would do without you!!

0 Helpful

Go to solution
Tim Hamblin
Level 1
Level 1
In response to varrao

‎12-01-2011 02:35 AM

Varun,

So to confirm, the "no names" and "no nat-control" I need to do on both active and standby yes??? And for the 2nd network I need to do them for each context on each firewall???

Tim

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to Tim Hamblin

‎12-01-2011 02:39 AM

Hey Tim,

I would also not be able to do anything without you (literally) , it's always good to help you as well. The no names and no nat-control just needs to be pushed on the active firewall and it would be replicated to the standby as well. In multiple context you need to do it in every context that you have created.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card