Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1310
Views
0
Helpful
2
Replies

Upgrading ASA cluster from 7.2 to 8.2 any problems known?

Go to solution
Alfred Berberich
Level 1
Level 1

ā€Ž08-20-2012 02:26 AM - edited ā€Ž03-11-2019 04:43 PM

Hallo

we are going to upgrade our 5580 ASA Cluster from 7.2 to 8.2 and want to do it like this way ( which worked for all 7.x upgrades ) :

  • download asa8.2 Image to primary + secondary Firewall
  • reboot primary ( message come up " mate version ...)
  • reboot secondary

Does it works any experience ?

Does it work if both firewall can see each other during the boot process ?

or

Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary ?

Thanks for help

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

ā€Ž08-20-2012 03:41 AM

You can upgrade your cluster while both units are online. But you need do it with several steps as an upgrade from 7.2 to 8.2 is not directly supported. The process is described unter  "Performing Zero Downtime Upgrades for Failover Pairs":

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Karsten Iwen
VIP
VIP

ā€Ž08-20-2012 03:41 AM

You can upgrade your cluster while both units are online. But you need do it with several steps as an upgrade from 7.2 to 8.2 is not directly supported. The process is described unter  "Performing Zero Downtime Upgrades for Failover Pairs":

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Alfred Berberich
Level 1
Level 1
In response to Karsten Iwen

ā€Ž08-28-2012 12:42 AM

Hi

Already mentioned from Karsten , but I want to confirm it . here the way  what we did and what was working  :

You can jump straight from 7.2.5 to 8.2.5 with zero downtime.

However I would suggest you to perform the upgrade in a scheduled time window as the nodes will temporarily run different software versions during the upgrade process.

If you follow these steps you should be able to successfully carry out the upgrade with zero downtime:

1.Copy via tftp the image to the primary ASA and set the new image to be used

(for example: boot system disk0: /asa825-k8.bin)

2. Copy via tftp the image to the secondary ASA and set the new image to be used

3.On the active firewall run: failover reload-standby

When the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the following command on the active unit. Use the show failover command to verify that the standby unit is in the Standby Ready state.

4. Check the status of the secondary unit by ā€œshow failoverā€, when it will be in ā€œStandby Readyā€ state, run ā€œno failover activeā€ on the primary ASA to force a failover to the secondary firewall, which now will become active with the new software version.

5. Reload the primary firewall.

Reload the former active unit (now the new standby unit) by entering the following command:

6. When the primary is in the ā€œStandby Readyā€ state, issue the command ā€œno failover activeā€ on the secondary unit to put the primary unit back to the active state.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card