Cisco Support Community

New Member

upgrade firewall software in failover pair

I need to upgrade two firewalls (in failover pair) remotely. Could someone tell me what is the way to go forward? Do I need to worry about licenses and stuff?

Thanks,

Kashish

Super Bronze

upgrade firewall software in failover pair

Here is the configuration guide to upgrade firewall in failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398

If you are just performing the upgrade on the existing failover pair, then there is nothing to worry about regarding licensing.

What version are you currently running, and what are you going to upgrade it to? With ASA version 8.2 and above, there is a requirement for more memory if you don't already have it. And with ASA version 8.3 and above, there are lots of changes to the configuration, i.e. ACL, NAT.

New Member

upgrade firewall software in failover pair

Jennifer,

The first step in the guide says: "Download the new software to both units, and specify the new image to load with the boot system command"

I cannot ssh to the secondary firewall unit. Will I be able to download image to it if it is in secondary state?

I am upgrading from 8.2(2)16 to 8.4(4)1.

Thanks,

Super Bronze

upgrade firewall software in failover pair

You can download the image when it is in secondary/standby state. You would need network connectivity to the secondary firewall however, whether it is SSH, telnet or ASDM to download the image.

And I am assuming that you are aware of the new changes to configuration on version 8.4.4, right?

Here are the release notes for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

New Member

upgrade firewall software in failover pair

Yes I am aware of changes that 8.4.4 will bring.

Problem is I cannot ping tftp server from secondary unit.

    fw1# sh failover
    Failover On
    Failover unit Secondary

    fw1# ping 10.10.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
    No route to host 10.10.10.1

    Success rate is 0 percent (0/1)

Super Bronze

upgrade firewall software in failover pair

Can you please share your configuration:

    show failover
    show run interface
    show route

on both ASAs. Thanks.

New Member

upgrade firewall software in failover pair

Jennifer,

I just sent you the outputs in a private message.

Thanks.

Super Bronze

Re: upgrade firewall software in failover pair

Since you are running dynamic routing protocols, the routing instance is only active on the primary active firewall, not both. That's the reason why you can't access the tftp server on the standby unit.

What you can do is upload the image to the primary active ASA, then failover the firewall to the secondary standby ASA. Once the secondary ASA becomes the Active ASA, then you can upload the image to this ASA.

Since you can only access the active unit, once you have configured the boot system with the new image and saved the config, you can reload the ASAs one at a time.

Reload the secondary after you have uploaded the image; this will cause failover to the primary. Monitor the status of the secondary by issuing "show failover", and once the secondary is up and the software has been upgraded, you can reload the primary active unit.
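
The sequence described in this answer, written out as ASA CLI. This is an added example, not part of the original posts: `<new-image>.bin`, `<old-image>.bin` and the `disk0:` destination are placeholders, 10.10.10.1 is the TFTP server from the ping shown earlier in the thread, and the `verify /md5` integrity check and the removal of the old `boot system` entry are extra steps the thread does not mention.

```asa
! On the unit that is currently active (the only one with routes to TFTP)
copy tftp://10.10.10.1/<new-image>.bin disk0:/<new-image>.bin
! Compare the digest with the one published on the vendor download page
! before trusting an image that was fetched over TFTP.
verify /md5 disk0:/<new-image>.bin

! Hand the active role to the peer. A session to the active address drops
! here; reconnect to the same address to reach the new active unit.
no failover active

! On the secondary, which is now active
show failover
copy tftp://10.10.10.1/<new-image>.bin disk0:/<new-image>.bin
verify /md5 disk0:/<new-image>.bin

! boot system entries are tried in order, so remove the old entry
! instead of only appending the new one.
show running-config boot system
configure terminal
 no boot system disk0:/<old-image>.bin
 boot system disk0:/<new-image>.bin
 end
write memory

! Reload the secondary; the primary takes over as active while it boots.
reload

! On the primary, active again: repeat until the other host is reported
! as "Standby Ready" and the Version line shows the new release for the mate.
show failover

! Only then reload the primary; the upgraded secondary takes over.
reload

! After both units are back
show version
show failover
```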

New Member

upgrade firewall software in failover pair

Thanks Jennifer. I was able to upgrade ASAs successfully.
