Cisco ASA non zero downtime upgrade

Hello,

With a NON zero downtime upgrade procedure, are all connections lost, even the NAT and ARP tables? Here, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ha_overview.html#wp1078922, Table 61-2 "State Information" I think applies only to plain failover, not to an upgrade done with a non zero downtime upgrade procedure.

5 Replies

Marvin Rhoads
Hall of Fame

For non-zero downtime upgrades, all TCP connections will need to re-establish, as will xlate (NAT) table entries, the ARP cache, remote access VPN sessions, etc.

Thanks Marvin, can you also confirm that if I upgrade from 9.1.2 to 9.1.5, a zero downtime procedure is not possible? As I see it, it would be possible from 9.1.2 to 9.1.3, the next minor release.

Assuming you have a working HA pair with stateful failover, the Cisco supported answer is that you cannot skip minor releases (i.e. going from 9.1 directly to 9.3).

You CAN upgrade directly from 9.1(2) to 9.1(5) as that third ordinal (the number in parentheses) is known as the maintenance release level.

See table 1-6 in the Release notes for confirmation, excerpted here:

"You can upgrade from any maintenance release to any other maintenance release within a minor release.

For example, you can upgrade from 8.4(1) to 8.4(6) without first installing the maintenance releases in between."

Note that 9.1(3) or later have some restrictions that are unique to those more recent code levels, as some file system changes were put in place that require certain prerequisites for a successful upgrade. Given that you are on 9.1(2) already, that doesn't affect you in this case, but it may be a consideration for other readers. Those requirements are noted just above Table 1-6 in those release notes.
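The rule Marvin quotes (any maintenance level within a minor release in one step, no skipping of minor releases) is easy to get wrong by eye, especially since the thread writes versions both as "9.1(2)" and as "9.1.2". The following pre-upgrade check is an added example, not Cisco's tooling or anything from this thread's authors: it parses both notations, classifies the requested jump according to the rule quoted above, and flags the 9.1(3) file-system prerequisite Marvin mentions. The "major-release-change" and "downgrade" outcomes are my own labels for cases the thread does not cover; for those the code only says to consult the release notes.

```python
import re
from typing import List, NamedTuple


class AsaVersion(NamedTuple):
    """ASA software version: major, minor, maintenance (the number in parentheses)."""
    major: int
    minor: int
    maintenance: int


# Accepts "9.1(2)" (release-note style) and "9.1.2" (as written in this thread).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)\)|\.(\d+))\s*$")

# First level where the file-system changes discussed in the thread apply.
# Treated here as a hard-coded constant; the real prerequisites are in the
# release notes (text above Table 1-6), which this example does not encode.
FS_CHANGE_LEVEL = AsaVersion(9, 1, 3)


class UpgradeCheck(NamedTuple):
    kind: str          # "maintenance", "next-minor", "skips-minor", "major-release-change", "downgrade", "same"
    notes: List[str]   # human-readable caveats for the change ticket


def parse_asa_version(text: str) -> AsaVersion:
    """Parse '9.1(2)' or '9.1.2' into an AsaVersion; reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, paren_maint, dot_maint = m.groups()
    maint = paren_maint if paren_maint is not None else dot_maint
    return AsaVersion(int(major), int(minor), int(maint))


def classify_upgrade(src: str, dst: str) -> UpgradeCheck:
    """Classify a proposed single-step upgrade per the rule quoted in the thread."""
    s, d = parse_asa_version(src), parse_asa_version(dst)
    notes: List[str] = []

    # Crossing into 9.1(3) or later picks up the file-system prerequisites.
    if s < FS_CHANGE_LEVEL <= d:
        notes.append("target is 9.1(3) or later: check the upgrade prerequisites "
                     "noted above Table 1-6 in the release notes")

    if d == s:
        return UpgradeCheck("same", notes)
    if d < s:
        notes.append("downgrade: not covered by the upgrade-path rule; consult release notes")
        return UpgradeCheck("downgrade", notes)
    if d.major != s.major:
        notes.append("major release change: not covered by the rule quoted here; consult release notes")
        return UpgradeCheck("major-release-change", notes)
    if d.minor == s.minor:
        # Any maintenance level to any other within the same minor release is one step.
        return UpgradeCheck("maintenance", notes)
    if d.minor == s.minor + 1:
        return UpgradeCheck("next-minor", notes)
    notes.append(f"skips minor release(s) between {s.major}.{s.minor} and "
                 f"{d.major}.{d.minor}: not a supported single step")
    return UpgradeCheck("skips-minor", notes)


if __name__ == "__main__":
    # Constructed sample pairs, including the ones discussed in the thread.
    for pair in [("9.1(2)", "9.1(5)"), ("9.1.2", "9.1.3"), ("8.4(1)", "8.4(6)"),
                 ("9.1(2)", "9.2(1)"), ("9.1(2)", "9.3(1)")]:
        result = classify_upgrade(*pair)
        print(f"{pair[0]:>8} -> {pair[1]:<8} {result.kind:<22} {'; '.join(result.notes)}")
```

The check is deliberately conservative: it only approves jumps the quoted rule explicitly permits and turns everything else into a note for whoever is writing the change plan, which is where an "are we sure this is one step?" question like the one in this thread is best caught.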

You are right, sorry, I didn't read it accurately. Sad..

.. what do you mean about some file system changes starting with 9.1(3)?

There's a bug (CSCuh25271) you hit if you don't follow the required upgrade path that prevents you from being able to copy the new image onto flash.

It gives you the error: Upgrade fails w/ msg "No Cfg structure found in downloaded image file."

It fails via both ftp (cli) and https (ASDM).
