Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problem with upgrading a 5520 in cluster with multiple contexts

Hi all,

First off all I will introduce myself. I'm Johnny Jonker and i'm a senior network engineer who focus himself on routing and switching (cisco) and security (Checkpoint, Fortigate).

Every now and then I have to face a customer who has ASA's as their primary firewalls, a product I don't have a broad knowledge from. Right at this moment there is a problem at one of those customers regarding an ASA5520 cluster with multiple contexts, and this is why.

The image that are on the ASA's is 8.4(1). The ASA's are directly facing the WWW and because of known exploits/bugs (Ddos) I wanted to perfrom an upgrade, in multiple steps, to the 9.1(2) image. My first step was to upgrade the devices towards 8.4(6) and make the step to 9.X from there on. I performed the following steps to do this:

-Copy the images form a TFTP server to disk0: on both hardware devices

-Changed the bootvar to point towards the new images.

-saved the changes to flash

-Gave the "failover reload-standby" command on the active unit

-Waited till the passive unit was standby and the active unit synch'ed his configuration

-Gave the "no failover active" command on the active unit.

-Logged in on the new active unit and gave the "failover reload-standby" command

-Waited till both devices were up and running with synch'ed configurations

When I gave the command (see red line) something strange happened. All of the interfaces were up and running, but the link between the 2 virtual firewalls/context weren't passing any traffic anymore. This virtual link is a transit link so no ACL's are performed on it or whatsoever. The only thing that is configured for it is a no-nat entry because of some links of webservers are the same on the internal LAN as on the WWW so they don't have to be NAT'ed to an outside IP.

When I enterd the realtime logging on the context wich is the first hop of the transit, I saw packets being dropped although there should be no ACL meddling with this traffic. Only thing I can think of is a spontaneous misconfiguration with NAT in combination with proxy-arp but there is no single clue which put me in that direction.

After a little while (late at night) I decided to do a rollback to the old-situation: 8.4(1). At first it seemed to be running stable again but after a little while the connections towards the second context started to go on and off. After logging on to one of the hardware devices through console I saw that the devices were constantly switching to active/passive and I had no idea were this came from. After a little while (after some adjustments) I came to the point that these symptoms seemed to be mitigated, but after a manual failover everything started over again.

So these are the 2 issues which i don't know where they come from in a nutshell:

-Can't update to newer IOS, because the virtual link between the contexts is dropping traffic although there's no filtering on it.

-When a failover happens, both hardwaredevices want to be the active one of the pair (i think)so they are constantly switching to active passive.

Thanks in advance!

PS: When you need the config please let me know which one: Context, system or admin.

CreatePlease login to create content