
how to upgrade the asa5520?

julxu
Level 1

I have two asa5520s and they are configured as active/active failover and multi-contents.

Now I need to upgrade their images, but I find:

1. On the asa5520 on which content admin is active, I can go to system (changeto system) and I can upgrade the asa image and asdm image.

2. On the asa5520 on which content admin is standby, I cannot go to the system side:

my-asa5520-2/content2#changeto system

Command not valid in current execution space.

Could anyone advise me:

How can I upgrade the image for the second box?

Is my configuration of failover/multi-contents wrong? If so, how do I configure the failover/multi-contents to allow me to go to system space on the second box?

Any comments will be appreciated

Thanks in advance


vitripat
Level 7

It could be a little confusing, but I'll try to make it simple.

Upgrading firewalls in Active/Active mode:

I would denote the two ASAs as follows:

ASA1 (Admin context Active/Ctx1 context Standby)

ASA2 (Admin context Standby/Ctx1 context Active)

Assuming that both ASAs are running on 7.1.2 code.

So .. before starting the upgrade procedure, following is the status of the two ASAs:

ASA1 (Admin context Active/Ctx1 context Standby)

ASA2 (Admin context Standby/Ctx1 context Active)

Step 1) Login to the Admin context on ASA1 and copy the new image to flash.

Step 2) Move to the system execution space of ASA1 from Admin context and set the image to use the newly copied image. DO NOT RELOAD THE ASA YET. Current state:

ASA1 (Admin context Active/Ctx1 context Standby) --> pointing to new image.

ASA2 (Admin context Standby/Ctx1 context Active)

Step 3) Move back to Admin context on ASA1 and fail this context to ASA2 using "no failover active" command. Now the current state of ASAs is:

ASA1 (Admin context Standby/Ctx1 context Standby) --> pointing to new image.

ASA2 (Admin context Active/Ctx1 context Active)

Step 4) Shut down ASA1, do not reload, shutdown. Current state:

ASA1 (SHUTDOWN) --> pointing to new image.

ASA2 (Admin context Active/Ctx1 context Active)

Step 5) Login to the Admin context on ASA2 and copy the new image to flash.

Step 6) Move to the system execution space of ASA2 from Admin context and set the image to use the newly copied image. DO NOT RELOAD THE ASA YET. Current state:

ASA1 (SHUTDOWN) --> pointing to new image.

ASA2 (Admin context Active/Ctx1 context Active) --> pointing to new image.

Step 7) Shutdown the ASA2 and power on ASA1. Current state:

ASA1 (BOOTING) --> pointing to new image.

ASA2 (SHUTDOWN) --> pointing to new image.

Step 8) Once the ASA1 has booted up, it will start using the new image. Current state:

ASA1 (Admin context Active/Ctx1 context Active) --> up with new image.

ASA2 (SHUTDOWN) --> pointing to new image.

Step 9) Now boot ASA2, once up, current state should be:

ASA1 (Admin context Active/Ctx1 context Active) --> up with new image.

ASA2 (Admin context Standby/Ctx1 context Standby) --> up with new image.

Both the ASAs have been upgraded successfully. Now, if the failover groups are configured with the "preempt" command, failover group 2 will automatically become active on ASA2; if failover group 2 is not configured with "preempt", we will need to manually fail over the ctx1 context from ASA1 to ASA2.

Hope that helps.

Regards,

Vibhor.

Vibhor,

Great thanks for the procedure.

When you say shutdown, does it mean going to the machine and manually powering it off? Is there a shutdown command I can use?

On step 7, can I first power on ASA1 and, after ASA1 takes control, then shut down ASA2?

So, I can support the link connection for backend servers.

Please advise.

Yw ..

There is no shutdown command available on ASA. We would need to walk up to the device and manually power it off.

On step 7, "can I first power on ASA1 and, after ASA1 takes control, then shut down ASA2?"

This will not work, because when ASA1 comes up, there would be a conflict as both are running on different versions. It may cause other issues in the network, thus I would not recommend doing so.

Hope that helps.

Regards,

Vibhor.
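The ordering constraint discussed in this thread can be checked with a small model. The following is an added example, not part of the original posts and not Cisco tooling: it replays the power and boot-image actions of the posted procedure and of the variant asked about in the follow-up, and reports where two powered-on units would run different versions and where both units are down. The unit model, the action names and the `NEW-IMAGE` placeholder are assumptions made for illustration.

```python
# Simplified model of the upgrade sequence in this thread (constructed example).
OLD, NEW = "7.1.2", "NEW-IMAGE"  # NEW is a placeholder; the thread names no target version

def new_pair():
    # Per unit: powered on?, image currently running, image it will boot next
    return {n: {"up": True, "running": OLD, "boot": OLD} for n in ("ASA1", "ASA2")}

def apply(pair, action, unit):
    u = pair[unit]
    if action == "set_boot":      # point the unit at the new image, no reload
        u["boot"] = NEW
    elif action == "power_off":   # manual power-off, as described in the reply
        u["up"], u["running"] = False, None
    elif action == "power_on":    # the unit boots whatever image it points to
        u["up"], u["running"] = True, u["boot"]

def audit(sequence):
    """Replay (action, unit) pairs; return (mixed_version_idx, both_down_idx).

    Indices count positions in `sequence` (1-based), not the thread's step numbers.
    """
    pair, mixed, outage = new_pair(), [], []
    for i, (action, unit) in enumerate(sequence, 1):
        apply(pair, action, unit)
        versions = {u["running"] for u in pair.values() if u["up"]}
        if len(versions) > 1:
            mixed.append(i)       # two live units on different versions
        if not versions:
            outage.append(i)      # no unit is powered on
    return mixed, outage

# Order from the posted procedure: ASA2 is powered off before ASA1 is powered on
POSTED = [("set_boot", "ASA1"), ("power_off", "ASA1"), ("set_boot", "ASA2"),
          ("power_off", "ASA2"), ("power_on", "ASA1"), ("power_on", "ASA2")]
# Variant from the follow-up question: ASA1 is powered on before ASA2 is shut down
VARIANT = [("set_boot", "ASA1"), ("power_off", "ASA1"), ("set_boot", "ASA2"),
           ("power_on", "ASA1"), ("power_off", "ASA2"), ("power_on", "ASA2")]

if __name__ == "__main__":
    for name, seq in (("posted", POSTED), ("variant", VARIANT)):
        mixed, outage = audit(seq)
        print(f"{name}: mixed versions at {mixed}, both units down at {outage}")
```

In this model the posted order never has two live units on different versions but does have a window with both units down, while the variant avoids that window at the cost of a mixed-version pair.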
