Re: Is A NonDisruptive System/Signature Upgrade Possible?
Short answer...depends on your definitions of non-disruptive and system.
A more useful answer is that a signature update is designed to be as non-disruptive as possible to sensing. That is, traffic will continue to flow and sensing will continue to happen to as great an extent as possible. It is possible that the signature update could siphon off enough processing power to start affecting sensing. If this happens, the sensor can cut in an auto bypass feature (configurable) to unload the CPU enough to get the update finished. Traffic will continue to flow, but sensing would be disrupted momentarily. When the update finishes, the bypass is removed and sensing will recover.
A system update (defined as an Engine Update, Service Pack, Minor, or Major release) will have a greater level of disruptive impact. An Engine Update will invoke bypass and stop sensing activity while the sensing binary (sensorApp) is replaced and restarted. Traffic will flow via the bypass until sensorApp is restarted, and then sensing will continue. Service Packs and higher typically have to invoke a system reboot, which will disrupt traffic in the lower-performance sensors. The two newest sensors (4260 and 4270) have hardware bypass on the Cu NICs and can invoke that bypass to keep traffic flowing if the network design is correct (inline interface pairs on the same interface card).