
New Member

Cisco ASA non zero downtime upgrade

Hello,

With a NON zero downtime upgrade procedure all connections are lost, even the NAT and ARP tables? Here, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ha_overview.html#wp1078922, in Table 61-2 State Information, I think it is only for plain failover but not for an upgrade with a non zero downtime upgrade procedure.

5 REPLIES
Hall of Fame Super Silver

For non-zero downtime upgrades, all TCP connections will need to re-establish, as will xlate (NAT) table entries, the ARP cache, remote access VPN sessions, etc.

New Member

Thanks Marvin, can you also confirm that if I upgrade from 9.1.2 to 9.1.5, the zero downtime procedure is not possible? As I see it, it would be possible from 9.1.2 to 9.1.3, the next minor release.

Hall of Fame Super Silver

Assuming you have a working HA pair with stateful failover, the Cisco supported answer is that you cannot skip minor releases (i.e. going from 9.1 directly to 9.3).

You CAN upgrade directly from 9.1(2) to 9.1(5) as that third ordinal (the number in parentheses) is known as the maintenance release level.

See table 1-6 in the Release notes for confirmation, excerpted here:

"You can upgrade from any maintenance release to any other maintenance release within a minor release.

For example, you can upgrade from 8.4(1) to 8.4(6) without first installing the maintenance releases in between."

Note that 9.1(3) or later have some restrictions that are unique to those more recent code levels, as some file system changes were put in place that require certain prerequisites for a successful upgrade. Given that you are on 9.1(2) already, that doesn't affect you in this case, but it may be a consideration for other readers. Those requirements are noted just above Table 1-6 in those release notes.
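
The version rule from the reply above, as an added example that is not part of the original thread or any Cisco tooling: it parses both notations used here, `9.1(2)` and `9.1.2`, and applies only the two rules the reply states. The function names and result labels are assumptions made for illustration.

```python
import re

# Both notations appear in the thread: "9.1(2)" and "9.1.2".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\)|\.(\d+))$")


def parse_asa_version(text):
    """Return (major, minor, maintenance) for '9.1(2)' or '9.1.2'."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    major, minor, paren, dotted = m.groups()
    maintenance = paren if paren is not None else dotted
    return int(major), int(minor), int(maintenance)


def classify_upgrade(current, target):
    """Classify a planned upgrade using only the rules quoted in the thread."""
    cur = parse_asa_version(current)
    tgt = parse_asa_version(target)
    if tgt <= cur:
        return "not-an-upgrade"
    if cur[:2] == tgt[:2]:
        # Same minor release: any maintenance release to any other,
        # e.g. 8.4(1) -> 8.4(6) or 9.1(2) -> 9.1(5).
        return "direct"
    if cur[0] == tgt[0] and tgt[1] - cur[1] > 1:
        # Skipping a minor release, e.g. 9.1 -> 9.3, is not supported.
        return "skips-minor"
    # Anything else is not covered by the thread.
    return "check-release-notes"


if __name__ == "__main__":
    # Constructed sample pairs taken from the versions mentioned in the thread.
    for pair in [("9.1.2", "9.1.5"), ("8.4(1)", "8.4(6)"), ("9.1(2)", "9.3(1)")]:
        print(pair, "->", classify_upgrade(*pair))
```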

New Member

You are right, sorry, I didn't read it accurately.

What do you mean about some file system changes starting with 9.1(3)?

Hall of Fame Super Silver

There's a bug (CSCuh25271) you hit if you don't follow the required upgrade path that prevents you from being able to copy the new image onto flash.

It gives you the error of "Upgrade fails w/ msg 'No Cfg structure found in downloaded image file.'"

It fails via both FTP (CLI) and HTTPS (ASDM).
