
New Member

ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not work for 7.2(1

Hi

We tried to upgrade two ASA from version 7.1(2) to 7.2(1).

We followed the docu 'http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398'

However, after we reloaded the backup ASA to run the new image, this backup ASA's failover was automatically disabled after bootup:

    asa# show failover
    Failover Off (pseudo-Standby)
    Failover unit Primary
    Failover LAN Interface: Failover Management0/0 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    asa#

The active ASA shows:

    Monitored Interfaces 8 of 250 maximum
    Version: Ours 7.1(2), Mate 7.2(1)
    Last Failover at: 13:19:08 SGT Jul 17 2006
    This host: Secondary - Active
    Active time: 521867 (sec)
    slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)
    Interface outside (203.127.164.50): Normal (Waiting)
    Interface inside (10.217.213.190): Normal (Waiting)
    Interface DMZ1 (203.127.164.1): Normal (Waiting)
    Interface DMZ2 (203.127.164.129): Normal (Waiting)
    slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(1p1)S205.0) status (Up/Up)
    IPS, 5.1(1p1)S205.0, Up
    Other host: Primary - Failed
    Active time: 0 (sec)
    slot 0: ASA5520 hw/sw rev (1.1/7.2(1)) status (Up Sys)
    Interface outside (203.127.164.62): Unknown
    Interface inside (10.217.213.185): Unknown
    Interface DMZ1 (203.127.164.30): Unknown
    Interface DMZ2 (203.127.164.254): Unknown
    slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(1p1)S205.0) status (Up/Up)
    IPS, 5.1(1p1)S205.0, Up

According to the docu, the backup ASA should go into standby-ready state, but it did not! Any clue?!!!

Thanks in advance!

6 REPLIES
Silver

Re: ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not

Check whether the failover configuration is still there after upgrading.

New Member

Re: ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not

Hi,

As stated in that document, "the two units in a failover configuration must have the same major (first number) and minor (second number) software version." So you're only halfway through your upgrade procedure; it is expected that failover won't resume until your versions are in sync (or at least major.minor match). Also make sure that your primary appliance is still configured for failover, since the "pseudo-standby" state can be the result of a "no failover" replication.

Hope this helps; if it does please rate,

Regards

Simon Laurin

New Member

Re: ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not

Hi

However in the docu, http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398

It means the new version, V7, can support two firewalls running different versions during upgrading. And this is why it is called 'zero downtime' upgrading.

The pair were configured with 'failover' and working fine. It became 'pseudo-standby' only after rebooting with the new firmware.

It seems the 'zero downtime' upgrading did not work.

Has anyone tested it?

Thanks

New Member

Re: ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not

A failover configuration must have the same major (first number) AND minor (second number) software version. Your situation has different minor numbers.

Also, you can only install different versions on the failover units if they are contiguous releases.

New Member

Re: ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not

Thanks

Can you take a look at: http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398

It says that version 7 has this feature called 'zero downtime' upgrading.

Unless the docu is wrong?

Re: ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not

Hi .. I have had a look at this doco and it clearly states

Performing Zero Downtime Upgrades for Failover Pairs

The two units in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.

Note In Active/Active environments, make sure the pair is not oversubscribed with more than a 50% load on each pair member.

You can only install different versions on the failover units if they are contiguous releases, for example 7.0(1) and 7.0(2). You cannot upgrade one unit to 7.0(3) while the other unit is still 7.0(1).

... it sounds to me like the 'Zero downtime' only applies to upgrading to a CONTIGUOUS release which is not the case in your scenario. You really need to get them both to the latest version .. causing a brief downtime during the process ..

I hope it helps .. !!!
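The version rule discussed in this thread can be checked before reloading a unit. The following is an added example, not part of any post above and not Cisco code: it reads the `Version: Ours ..., Mate ...` line from `show failover` output and applies the rule as quoted in the thread (same major.minor, contiguous maintenance releases). Treating "contiguous" as a maintenance number differing by at most 1 is an assumption, and the function names are hypothetical.

```python
import re

# ASA image versions look like 7.1(2): major.minor(maintenance).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)")
# The line "show failover" prints on the active unit, as seen in the thread.
PAIR_RE = re.compile(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)")


def parse_version(text):
    """Return (major, minor, maintenance) or raise on an unknown format."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(p) for p in m.groups())


def mixed_version_failover_ok(ours, mate):
    """Apply the rule quoted in the thread; returns (ok, reason)."""
    a, b = parse_version(ours), parse_version(mate)
    if a[:2] != b[:2]:
        return False, "major.minor differ"
    # Assumption: "contiguous" means the maintenance numbers differ by <= 1.
    if abs(a[2] - b[2]) > 1:
        return False, "maintenance releases are not contiguous"
    return True, "same major.minor, contiguous maintenance releases"


def check_show_failover(output):
    """Find the version line in 'show failover' output and evaluate it."""
    m = PAIR_RE.search(output)
    if not m:
        raise ValueError("no 'Version: Ours ..., Mate ...' line found")
    return mixed_version_failover_ok(m.group(1), m.group(2))


# Lines taken from the active unit's output in the original post.
SAMPLE = """\
Monitored Interfaces 8 of 250 maximum
Version: Ours 7.1(2), Mate 7.2(1)
Last Failover at: 13:19:08 SGT Jul 17 2006
"""

if __name__ == "__main__":
    print("thread pair:", check_show_failover(SAMPLE))
    # The pairs used as examples in the quoted documentation text.
    for ours, mate in [("7.0(1)", "7.0(2)"), ("7.0(1)", "7.0(3)")]:
        print(ours, mate, mixed_version_failover_ok(ours, mate))
```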
