ASA 5585-x +Firepower Module code upgrade process

Guys,

Does anyone have a code upgrade process for a Firewall 5585 running in a cluster? I want the same for the Cisco Firepower Module as well.

Will this process interrupt the data traffic at all?

Thanks,

Prashant

2 Replies

nspasov
Cisco Employee

Hello Prashant-

Please take a look at the following link, which will walk you through the steps to perform a "hitless" upgrade.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/upgrade/upgrade93.html#73685

I hope this helps!

Thank you for rating helpful posts!

Marvin Rhoads
Hall of Fame

The FirePOWER modules have no awareness of the clustering among the ASAs. When you upgrade a FirePOWER module it will by default mark that cluster member as not eligible to receive traffic until the module is back online.

You can override that as of 9.5 by telling the ASAs not to monitor service modules. If you did so and had the sfr module set to "fail open" then your module upgrade impact would be minimized from a module perspective.

However you would then not be availing yourself of the protection built into an ASA cluster. Some would argue that it's better to let a member unit "fail" during the module upgrade so that the cluster can operate as intended and let another member take up the load.
