Cisco Support Community

New Member

Is A NonDisruptive System/Signature Upgrade Possible?

Reading the config guides, I can't seem to accept that my colleague is correct in saying it's possible to do a non-disruptive system/signature upgrade on an ASA 5520 with an AIP-SSM-10 module.

Can you do a nondisruptive system/signature upgrade?

Cisco Employee

Re: Is A NonDisruptive System/Signature Upgrade Possible?

Short answer...depends on your definitions of non-disruptive and system.

A more useful answer is that a signature update is designed to be as non-disruptive as possible to sensing. That is, traffic will continue to flow and sensing will continue to happen to as great an extent as possible. It is possible that the signature update could siphon off enough processing power to start affecting sensing. If this happens, the sensor can cut in an auto bypass feature (configurable) to unload the CPU enough to get the update finished. Traffic will continue to flow, but sensing would be disrupted momentarily. When the update finishes, the bypass is removed and sensing will recover.

A system update (defined as an Engine Update, Service Pack, Minor, or Major release) will have a greater level of disruptive impact. An Engine Update will invoke bypass and stop sensing activity while the sensing binary (sensorApp) is replaced and restarted. Traffic will flow via the bypass until sensorApp is restarted and then sensing will continue. Service Packs and higher typically have to invoke a system reboot, which will disrupt traffic in the lower performance sensors. The two newest sensors (4260 and 4270) have hardware bypass on the Cu NICs and can invoke that bypass to keep traffic flowing if the network design is correct (inline interface pairs on the same interface card).