Cisco Support Community
New Member

Upgrade ASA 5520 8.2 to newest version 9.1?

Hi All,

I have two ASA 5520's version 8.2 in active/standby mode. I want to upgrade them both to the newest version.

I know I can't directly upgrade to version 9.1. But can I jump straight to 8.4 then to 9.1? Do I have to upgrade 8.2 to 8.3 or worry about minor releases and stuff like that?

Also, what is the best method of doing this? Should I upgrade the standby ASA first to 8.4, reboot, then to 9.1, reboot?

Thanks!

6 REPLIES
VIP Green

You would need to jump to 8.4 and then to 9.1. Here is a link on the upgrade path:

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp746094

This is not an easy thing to do depending on how many NAT statements you have.  Everything from 8.3 is based on group objects so make sure you have configured the new object groups and NAT statements before you start the migration.

For zero downtime, if you have an active / standby setup, then do the following:

1. upgrade the standby ASA

2. update your object groups, NAT and ACLs

3. initiate failover and monitor for connectivity issues.

4. once you are sure that you have minimal connectivity problems, upgrade the second ASA and update the object groups, NAT and ACLs.

Then initiate failover back to the original active ASA...if required.

--
Please remember to rate and select a correct answer

New Member

Thank you for the information.

When I upgrade the standby ASA from 8.2 to 8.4 then 9.1, will this break the active/standby pair? Will I still be able to fail the active ASA (which would still be on the 8.2 version) to standby so that the new standby becomes active, even if the versions are different?

New Member

Hello,

While upgrading the IOS, you have to do things in the proper manner. For synchronization between the two ASAs, the IOS should be the same.

1> Upload the IOS file to your secondary and primary ASA.

2> Reload the secondary ASA.

3> After reloading, when the ASA boots up, make the secondary ASA the LAN unit primary (forceful mechanism).

4> Then on the primary ASA, make the LAN unit secondary (forceful mechanism).

5> Reload the primary ASA.

Thanks

VIP Green

The active and standby units should have the same major and minor software version. However, as of 8.3 an exception has been added for upgrades: for the duration of the upgrade of the active/standby pair, as long as they remain within the same major release, the pair will remain in active/standby. I am not sure what will happen when you go to the next major release, but I am assuming that the active/standby pair will be broken until both units are back on the same software version.

--
Please remember to rate and select a correct answer

New Member

If the pair is broken, would I still be able to issue failover commands (failing active to standby, failing standby back to active, etc.)?

Also, if I'm going from 8.2 to 8.4 to 9.1, am I going to have to first upgrade the standby to 8.4, reboot, then upgrade to 9.1, reboot?

VIP Green

If the pair is broken, would I still be able to issue failover commands (failing active to standby, failing standby back to active, etc.)?

From my understanding, as long as you are within the 8.x release of the ASA software you will be able to issue failover commands and replicate config between the two devices. You will, however, see error messages stating that the versions are not the same. I am uncertain what type of behavior you will see when going to 9.1, as I have not had to upgrade to that version yet.

Also, if I'm going from 8.2 to 8.4 to 9.1, am I going to have to first upgrade the standby to 8.4, reboot, then upgrade to 9.1, reboot?

The path I would recommend is to upgrade both units to 8.4 first and then to 9.1.  You also need to make sure that the ASAs have the correct amount of memory to support 8.3 and higher software.  So the steps would be something like this:

  1. check to see if the ASAs have the correct amount of memory. The 5520 requires 2GB of memory (upgrade memory if required)
  2. download 8.4 and 9.1 from cisco.com website and copy both to the ASA's flash
  3. upgrade the standby ASA version to 8.4 (boot system flash:)
  4. reboot the standby ASA
  5. When it comes up, make the necessary changes to the NAT and ACLs with regards to object group usage
  6. Make the Standby ASA the active firewall
  7. repeat steps 3 to 6
  8. upgrade the standby ASA version to 9.1
  9. reboot the standby ASA
  10. Make the standby ASA the active firewall
  11. upgrade the standby ASA version to 9.1
  12. Reboot the standby ASA
  13. Make the standby ASA active again, if required to maintain the original active ASA as active.

--
Please remember to rate and select a correct answer
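
A pre-upgrade check for the memory and upgrade-path points in the steps above, as an added example that is not part of the original reply. It assumes the 8.2 to 8.4 to 9.1 path and the 2 GB requirement for the 5520 stated in this thread; the `show version` sample is constructed and the function names are hypothetical.

```python
import re

# Assumptions from the thread: path 8.2 -> 8.4 -> 9.1; a 5520 needs 2 GB for 8.3+.
UPGRADE_PATH = [(8, 2), (8, 4), (9, 1)]
MIN_RAM_MB = {"ASA5520": 2048}

# Constructed, trimmed `show version` output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
"""


def parse_show_version(text):
    """Extract release train, hardware model and RAM from `show version` text."""
    ver = re.search(r"Software Version (\d+)\.(\d+)\(", text)
    hw = re.search(r"Hardware:\s+(\S+),\s+(\d+) MB RAM", text)
    if not ver or not hw:
        raise ValueError("unrecognised show version output")
    return {"train": (int(ver[1]), int(ver[2])), "model": hw[1], "ram_mb": int(hw[2])}


def next_hop(train):
    """Next release train to install, or None when already on the target."""
    if train < UPGRADE_PATH[0]:
        raise ValueError("release is older than the path discussed in the thread")
    return next((hop for hop in UPGRADE_PATH if hop > train), None)


def preflight(text):
    """Return (next_hop, problems); an empty problems list means go ahead."""
    info = parse_show_version(text)
    hop = next_hop(info["train"])
    problems = []
    if hop is not None:
        need = MIN_RAM_MB.get(info["model"])
        if need is None:
            problems.append(f"no memory requirement recorded for {info['model']}")
        elif info["ram_mb"] < need:
            problems.append(f"{info['model']} has {info['ram_mb']} MB RAM, needs {need} MB")
    return hop, problems


if __name__ == "__main__":
    print(preflight(SAMPLE_SHOW_VERSION))
```

Run it against the `show version` output of each unit before every hop; a non-empty problem list means the unit should not be reloaded into the next image yet.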
