ASA 5520 HA Upgrade from 8.2(5) to 8.4(7)

Christine_Lane · ‎10-13-2016

We have a pair of 5520's running 8.2(5) in Active/Standby mode and we want to upgrade to version 8.4(7). Due to the number and complexity of the NAT statements we have elected to re-construct the NAT statements by hand.

With the Primary unit active we removed the NAT statements from the Secondary (standby) unit, adjusted the boot parameter to boot to 8.4(7) and reloaded.

When the Secondary (standby) ASA powered on it pulled the old config from the Primary (active) and proceeded to perform the upgrade conversion. At that point we rolled back to the 8.2(5) release and config.

It is my understanding that the ASA would not form a failover pair if the firmware versions are different but it did nonetheless.

What is the proper procedure for upgrading the ASA's 8.4 with manual modification to the config? Do we need to break the HA pair and perform the work on one and then the other? Should we convert the Primary first while the Standby is active and then convert the Standby?

This is a 24x7 shop so downtime has to be minimized.

Thanks.

Aditya Ganjoo · ‎10-13-2016

Hi Christine,

The correct upgrade path is first go to 8.4.5 and then move to 8.4.7.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-640289

Also you can go ahead and upgrade first the standby device to the new code, make it active and then do the same process on the former active ASA.

This will minimize the downtime in the setup.

Failover will still work so shouldn't be an issue.

Regards,

Aditya

Please rate helpful posts and mark correct answers.