How to update an ASA 5510/20

William Coats
Level 1

I have many ASA 5510 & 5520 that need updating and I have been trying to find a way to automate the process. Several of the devices are running in Active/Active mode (Primary is active and the Secondary is in Standby mode).

I have been looking through the ASDM features and I have found the auto update feature. This looks like a good way to go as it downloads the software to the primary and then transfers it to the secondary device. Then it performs the update 1 device at a time starting with the secondary device. But it says I need an update server to hold the new software and I am not sure how to set one up. I have a machine that has FileZilla server installed, but that uses FTP and the settings in auto update are looking for an HTTPS address.

The other option I have available is Cisco Prime Infrastructure 2.0. I can use this to manage software but there isn't anything about how to use it with an ASA setup as a HA pair.

I could use any help you may have.

Accepted Solutions

Marvin Rhoads
Hall of Fame

Cisco Security Manager is most typically used as an update server for large ASA deployments.

PI 2.0 is a bit rough around the edges on its ASA support and I would judge it not quite ready for that task. (That's even with the December 2013 update package that enhanced ASA support.)

Depending on your version levels, most people aren't comfortable with auto updating firewalls. Things changed significantly with post-8.2 and all of the migrations I have ever done of that (several dozen) involved manual verification of the new syntax and operations.

I was afraid it would take something different from Cisco to do what I wanted. I was just hoping I could find a way not to have to do updates on the weekend.

I only have 1 ASA that hasn't already been updated past 8.2 and that 1 unit doesn't have any NAT statements on it. Hopefully that update won't go too badly. It is over in Asia so maybe I can get permission to update this 1 during my Friday work day.

It would be really nice if Cisco would add an update feature like the Nexus switches have for telling you about potential problems you might encounter prior to starting an update.

Thanks for the help.

You're welcome.

The Cisco elves are working on an offline ASA migration tool that can be shared publicly. Many customers and partners have asked for it and we hope to see it during 1H CY 2014.

Right now you only get a log file on the ASA that the parser generates when loading and converting the syntax. If you have the luxury of a lab ASA matching your production ASA you can load your production configuration on there to generate the log file.
