Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA migration from 8.2 to 8.4 (active/standby) without outage

Hi there .... I need to upgrade a pair (active/standby) of ASA from 8.2.5 to 8.4.3 ... I have a script created to modify all NAT rules I need, and I have tested it in lab, and I think I'm good with it.

Now, I want to figure out if there's a way to do this without an outage. Previously, when configuration were compatible between version, there was no problem. You could usually force secondary unit to be active, upgrade primary (rebooting), making primary the active again, and do the upgrade on secondary ... no outage at all

Now, as new software doesn't support old configuration, if I follow that process, as soon as I bring primary up with new software, it will try to get the configuration from the active one, which won't work ... Is there another option than having a short outage (turn off secondary acting as active, while primary is coming back with new software and configuration already changed?)


Super Bronze

ASA migration from 8.2 to 8.4 (active/standby) without outage


I've wondered the same thing. I haven't had time to lab the process yet though.

We have some bigger customers that will eventually be facing this upgrade on their failover pairs. Luckily we've been doing alot of replacing firewall hardware so we have been able to just transfer customers behind ready 8.4 software failover pairs from old hardware.

So have you actually tested upgrading one ASA to 8.4 while having the other one connected on 8.2 software? Has the failover gone/stayed down after the reload? Has the 8.4 software ASA received all the xlate/connection information from the 8.2 ASA after the reload?

Personally I'm thinking that I will probably just remove the standby pair from the network, wipe the configuration, upgrade the software, drop the configurations and replace the 8.2 ASA with the updated one by just physically changing the cables. After that just update the old ASA and configure it with failover configurations and let it load the configurations from the new Primary unit.

Though I think I will still lab the update process myself. I will reply here with my results if I do go through with it.

Hall of Fame Super Silver

ASA migration from 8.2 to 8.4 (active/standby) without outage

Just follow the upgrade guide in the release notes. It is a zero downtime process. I've done it several times. The standby unit (upgraded first) will parse and convert the primary unit's configuration syntax as necessary when it syncs.

Super Bronze

ASA migration from 8.2 to 8.4 (active/standby) without outage


The fact that ASA does the change of configuration format from 8.2 -> 8.4 is enough reason for me to just manually rewrite the whole configuration.

Mostly the reasons are cosmetic for me. I want to name all the "objects" myself. Though theres ofcourse the option of renaming the object after the update also.

I'm not sure though if the ASA creates any object-groups during the change since those you can rename on the fly.

CreatePlease to create content