07-29-2014 06:14 AM - edited 03-11-2019 09:33 PM
Hello,
With a NON zero downtime upgrade procedure all connections are lost, even the NAT and ARP tables? Here, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ha_overview.html#wp1078922, in Table 61-2 State Information, I think it is only for plain failover but not for an upgrade with a non zero downtime upgrade procedure.
07-29-2014 06:55 AM
For non-zero downtime upgrades, all TCP connections will need to re-establish, as will xlate (NAT) table entries, the ARP cache, remote access VPN sessions, etc.
07-29-2014 07:43 AM
Thanks Marvin. Can you also confirm that if I upgrade from 9.1.2 to 9.1.5, the zero downtime procedure is not possible? As I see it, it would be possible from 9.1.2 to 9.1.3, the next minor release.
07-29-2014 08:00 AM
Assuming you have a working HA pair with stateful failover, the Cisco supported answer is that you cannot skip minor releases (i.e. going from 9.1 directly to 9.3).
You CAN upgrade directly from 9.1(2) to 9.1(5) as that third ordinal (the number in parentheses) is known as the maintenance release level.
See table 1-6 in the Release notes for confirmation, excerpted here:
"You can upgrade from any maintenance release to any other maintenance release within a minor release.
For example, you can upgrade from 8.4(1) to 8.4(6) without first installing the maintenance releases in between."
Note that 9.1(3) or later has some restrictions that are unique to those more recent code levels, as some file system changes were put in place that require certain prerequisites for a successful upgrade. Given that you are on 9.1(2) already, that doesn't affect you in this case, but it may be a consideration for other readers. Those requirements are noted just above Table 1-6 in those release notes.
07-29-2014 10:31 AM
You are right, sorry, I didn't read it accurately...
...what do you mean about some file system changes starting with 9.1(3)?
07-29-2014 12:03 PM
There's a bug (CSCuh25271) you hit if you don't follow the required upgrade path that prevents you from being able to copy the new image onto flash.
It gives you the error of "Upgrade fails w/ msg 'No Cfg structure found in downloaded image file.'"
It fails via both FTP (CLI) and HTTPS (ASDM).