07-17-2006 02:59 AM - edited 02-21-2020 01:03 AM
Hi
We tried to upgrade two ASAs from version 7.1(2) to 7.2(1).
We followed the docu 'http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398'
However, after we reloaded the backup ASA to run the new image and it booted up, failover on this backup ASA was automatically disabled:
asa# show failover
Failover Off (pseudo-Standby)
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
asa#
The active ASA shows:
Monitored Interfaces 8 of 250 maximum
Version: Ours 7.1(2), Mate 7.2(1)
Last Failover at: 13:19:08 SGT Jul 17 2006
This host: Secondary - Active
Active time: 521867 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
Interface outside (203.127.164.50): Normal (Waiting)
Interface inside (10.217.213.190): Normal (Waiting)
Interface DMZ1 (203.127.164.1): Normal (Waiting)
Interface DMZ2 (203.127.164.129): Normal (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(1p1)S205.0) status (Up/Up)
IPS, 5.1(1p1)S205.0, Up
Other host: Primary - Failed
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (1.1/7.2(1)) status (Up Sys)
Interface outside (203.127.164.62): Unknown
Interface inside (10.217.213.185): Unknown
Interface DMZ1 (203.127.164.30): Unknown
Interface DMZ2 (203.127.164.254): Unknown
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(1p1)S205.0) status (Up/Up)
IPS, 5.1(1p1)S205.0, Up
According to the docu, the backup ASA should go into standby-ready state, but it did not! Any clue?!!!
Thanks in advance!
07-21-2006 06:16 AM
Check whether the failover configuration is still there after upgrading.
07-21-2006 07:25 AM
Hi,
As stated in that document, "the two units in a failover configuration must have the same major (first number) and minor (second number) software version." So you're only halfway through your upgrade procedure; it is expected that failover won't resume until your versions are in sync (or at least major.minor match). Also make sure that your primary appliance is still configured for failover, since the "pseudo-standby" state can be the result of a "no failover" replication.
Hope this helps; if it does please rate,
Regards
Simon Laurin
07-21-2006 05:45 PM
Hi
However in the docu, http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398
It means the new version V7 can support two firewalls running different versions during upgrading. And this is why it is called 'zero downtime' upgrading.
The pair were configured with 'failover' and working fine. It became 'pseudo-standby' only after rebooting with the new firmware.
It seems the 'zero downtime' upgrading did not work.
Has anyone tested it?
Thanks
07-22-2006 03:28 AM
A failover configuration must have the same major (first number) AND minor (second number) software version. Your situation has different minor numbers.
Also, you can only install different versions on the failover units if they are contiguous releases.
07-22-2006 07:24 AM
Thanks
Can you take a look at: http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398
It says version 7 has this feature called 'zero downtime' upgrading.
Unless the docu is wrong?
07-23-2006 02:22 AM
Hi .. I have had a look at this doco and it clearly states:
Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.
Note: In Active/Active environments, make sure the pair is not oversubscribed with more than a 50% load on each pair member.
You can only install different versions on the failover units if they are contiguous releases, for example 7.0(1) and 7.0(2). You cannot upgrade one unit to 7.0(3) while the other unit is still 7.0(1).
... it sounds to me like the 'Zero downtime' only applies to upgrading to a CONTIGUOUS release which is not the case in your scenario. You really need to get them both to the latest version .. causing a brief downtime during the process ..
I hope it helps .. !!!
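Added example (not part of the original thread or of Cisco's documentation): a small Python pre-upgrade check that reads the "Version: Ours ..., Mate ..." line from `show failover` output and applies the rule quoted above. The function names are hypothetical, and "contiguous" is assumed to mean maintenance numbers that differ by exactly one, following the 7.0(1)/7.0(2) versus 7.0(3) example in the quoted text.

```python
import re

# "Version: Ours 7.1(2), Mate 7.2(1)" as printed by 'show failover'
VERSION_LINE = re.compile(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)")
# major.minor(maintenance); anything after the closing paren is ignored
ASA_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)")


def parse_version(text):
    """Return (major, minor, maintenance) for a string such as '7.1(2)'."""
    m = ASA_VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(part) for part in m.groups())


def failover_compat(ours, mate):
    """Classify a version pair against the documented failover rule."""
    a, b = parse_version(ours), parse_version(mate)
    if a[:2] != b[:2]:
        return "incompatible: major.minor differ"
    gap = abs(a[2] - b[2])  # assumption: contiguous means a gap of one
    if gap == 0:
        return "same version"
    if gap == 1:
        return "ok during upgrade: contiguous releases"
    return "incompatible: releases not contiguous"


def check_show_failover(output):
    """Find the version line in 'show failover' output and classify it."""
    m = VERSION_LINE.search(output)
    if not m:
        raise ValueError("no 'Version: Ours ..., Mate ...' line found")
    return failover_compat(m.group(1), m.group(2))


# Lines taken from the active unit's output in the first post.
SAMPLE = """Monitored Interfaces 8 of 250 maximum
Version: Ours 7.1(2), Mate 7.2(1)
Last Failover at: 13:19:08 SGT Jul 17 2006
"""

if __name__ == "__main__":
    print(check_show_failover(SAMPLE))
```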