Cisco Support Community
Community Member

ASA5550 zero downtime upgrade

Hi all,

I am currently writing up the procedure for doing this upgrade on our current firewalls (active/standby failover pair) and wanted to confirm a few things.

1. We are upgrading from 8.2(2) to 8.4(2) so need to run "no names" and "no nat-control" before upgrade to avoid any issues.  Will I need to do this on both active and standby? (I am presuming I will!!)

2. I will also be doing the same upgrade on another of our networks once this one is complete. Again we have a failover pair but they are running multiple contexts.  Are there any other issues I need to be aware of with this configuration?  Where should I run the above commands on a multi-context firewall etc?

The procedure I am intending to use is as follows:

     Backup configs

     Copy Files to both firewalls

     Set boot on both to new image

     Save changes!

     Reload Standby

     Once Standby is up do "no failover active" on Active

     Reload "Old" Active

     Once "Old" Active is up do "no failover active" on "Old" Standby

     Verify all is running as expected

     Save configs

     Redo "names" command

I have tested this on a single firewall but I have no failover pair to test on and would rather not have any surprises!!

I will, in all probability, be carrying out this change at 1am to avoid production hours, is there any advantage in doing it as a downtime upgrade (i.e. will it be simpler and less troublesome???).

Think that's everything!!!

Thanks in advance for any help!!

Tim
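
One way to gate the "Once Standby is up" and "Verify all is running as expected" steps of the procedure above, as an added example that is not part of the thread: a Python check over `show failover` output captured on the active unit. The function names and the sample output are constructed for illustration, and an active/standby pair is assumed.

```python
import re

# Constructed, abridged `show failover` output (not taken from the thread), as
# seen on the active unit once the standby has reloaded onto the new image.
AFTER_STANDBY_RELOAD = """\
Failover On
Failover unit Primary
Version: Ours 8.2(2), Mate 8.4(2)
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

def parse_show_failover(text):
    """Extract failover status, both software versions and both unit states."""
    ver = re.search(r"Version: Ours (\S+), Mate (\S+)", text)
    this = re.search(r"This host: \w+ - (.+)", text)
    other = re.search(r"Other host: \w+ - (.+)", text)
    if not (ver and this and other):
        raise ValueError("unrecognised show failover output")
    return {
        "failover_on": re.search(r"^Failover On\s*$", text, re.M) is not None,
        "ours": ver.group(1),
        "mate": ver.group(2),
        "this_state": this.group(1).strip(),
        "other_state": other.group(1).strip(),
    }

def safe_to_switch_active(text, target):
    """Gate for `no failover active`: return (ok, reasons_to_wait)."""
    f = parse_show_failover(text)
    reasons = []
    if not f["failover_on"]:
        reasons.append("failover is not enabled")
    if f["this_state"] != "Active":
        reasons.append("output is not from the active unit")
    if f["other_state"] != "Standby Ready":
        reasons.append(f"peer state is {f['other_state']!r}")
    if f["mate"] != target:
        reasons.append(f"peer runs {f['mate']}, expected {target}")
    return (not reasons, reasons)

def upgrade_complete(text, target):
    """Final verification: both units on the target image and in sync."""
    f = parse_show_failover(text)
    return (f["failover_on"] and f["ours"] == f["mate"] == target
            and {f["this_state"], f["other_state"]} == {"Active", "Standby Ready"})

if __name__ == "__main__":
    print(safe_to_switch_active(AFTER_STANDBY_RELOAD, "8.4(2)"))
```

Run the same gate again from the newly active unit before reloading the second firewall, and `upgrade_complete` once both are back up.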

4 REPLIES
Red


Hi Tim,

Your procedure is absolutely correct and definitely the right thing to do it off-production hours, to be able to handle any unexpected issues. In multiple context you would need to run these commands in every context. The steps are right as it should be, and I don't see anything wrong in it at all.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Community Member


Thanks again Varun, don't know what I would do without you!!

Community Member


Varun,

So to confirm, the "no names" and "no nat-control" I need to do on both active and standby yes??? And for the 2nd network I need to do them for each context on each firewall???

Tim

Red


Hey Tim,

I would also not be able to do anything without you (literally), it's always good to help you as well. The no names and no nat-control just needs to be pushed on the active firewall and it would be replicated to the standby as well. In multiple context you need to do it in every context that you have created.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC