Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2331
Views
0
Helpful
5
Replies

ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

Go to solution
Arvin.hsu
Level 1
Level 1

‎05-01-2019 08:17 AM

Hi all,

 

We need your suggestions on what are the best practices how to upgrade software of a Cisco ASA Failover Pair with zero downtime?

Options 1 : 9.1.(7)23-->9.2.(4)33-->9.3(3)-->9.4(4)34

Options 2 : 9.1.(7)23-->9.4(4)34  (is it possible upgrade with zero downtime?)

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Arvin.hsu

‎05-06-2019 02:06 AM

As long as you are running at least 9.1(3) you can upgrade directly from 9.1 to 9.4 with zero down-time.

Please see the release notes for 9.4:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#ID-2152-0000000a

Then follow this process:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

Personally I'd recommend going to the latest 9.8 interim release (currently 9.8(3)29) or even 9.8.4 since 9.4 is getting pretty old and will be end of support well before 9.8.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
GRANT3779
Spotlight
Spotlight

‎05-01-2019 09:10 AM

Looking at the release notes for your desired version -

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

 

From 9.1(2+) you can upgrade directly so option 2 looks feasible.

 

A failover pair can indeed be upgraded without downtime.

 

Depending if you are running active/active or active/failover the procedure may be slightly different in terms of steps, but the overall theme is the same. The following document should give you everything you need -

 

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

0 Helpful

Go to solution
Arvin.hsu
Level 1
Level 1
In response to GRANT3779

‎05-01-2019 06:24 PM

Hi Grant3779,

 

I saw these document before but I am confused.

I have a pair of ASA 5585-X in an active-standby failover config.

Currently they are running software version 9.1.7.

I'm looking to upgrade to 9.4.4. From the release notes I understand that in order to perform a "zero downtime"

upgrade I need to upgrade from the last minor release in a major release to the next major release.

Based on this, Is this correct ?

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html#zerotime

the upgrade path should be : 9.1.7>9.2>9.3>9.4 

 

I know we can upgrade directly from 9.1.7 to 9.4.4, it is possible to perform a "zero downtime" ?

Don't we need to upgrade from last minor release to the next major release ??

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Arvin.hsu

‎05-01-2019 07:48 PM

No, you don't need to upgrade from last minor release to the next major release.

The release notes do recommend this; but I have successfully upgraded hundreds of ASAs without doing so.

0 Helpful

Go to solution
Arvin.hsu
Level 1
Level 1
In response to Marvin Rhoads

‎05-05-2019 10:47 PM - edited ‎05-05-2019 10:49 PM

Hi Marvin,

 

your mean I can upgrade directly form 9.1 to 9.4 to achieving the zero down-time ?

I can't find any official document to verify this option on Cisco web site. Do you have any document to verify this?

I need to verify this because the service of customer can't be any interrupted.

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Arvin.hsu

‎05-06-2019 02:06 AM

As long as you are running at least 9.1(3) you can upgrade directly from 9.1 to 9.4 with zero down-time.

Please see the release notes for 9.4:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#ID-2152-0000000a

Then follow this process:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

Personally I'd recommend going to the latest 9.8 interim release (currently 9.8(3)29) or even 9.8.4 since 9.4 is getting pretty old and will be end of support well before 9.8.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card