cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


221
Views
0
Helpful
5
Replies
Beginner

ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

Hi all,

 

We need your suggestions on what are the best practices how to upgrade software of a Cisco ASA Failover Pair with zero downtime?

Options 1 : 9.1.(7)23-->9.2.(4)33-->9.3(3)-->9.4(4)34

Options 2 : 9.1.(7)23-->9.4(4)34  (is it possible upgrade with zero downtime?)

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Master

Re: ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

As long as you are running at least 9.1(3) you can upgrade directly from 9.1 to 9.4 with zero down-time.

Please see the release notes for 9.4:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#ID-2152-0000000a

Then follow this process:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

Personally I'd recommend going to the latest 9.8 interim release (currently 9.8(3)29) or even 9.8.4 since 9.4 is getting pretty old and will be end of support well before 9.8.

5 REPLIES 5
Frequent Contributor

Re: ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

Looking at the release notes for your desired version -

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

 

From 9.1(2+) you can upgrade directly so option 2 looks feasible.

 

A failover pair can indeed be upgraded without downtime.

 

Depending if you are running active/active or active/failover the procedure may be slightly different in terms of steps, but the overall theme is the same. The following document should give you everything you need -

 

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

Beginner

Re: ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

Hi Grant3779,

 

I saw these document before but I am confused.

I have a pair of ASA 5585-X in an active-standby failover config.

Currently they are running software version 9.1.7.

I'm looking to upgrade to 9.4.4. From the release notes I understand that in order to perform a "zero downtime"

upgrade I need to upgrade from the last minor release in a major release to the next major release.

Based on this, Is this correct ?

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html#zerotime

the upgrade path should be : 9.1.7>9.2>9.3>9.4 

 

I know we can upgrade directly from 9.1.7 to 9.4.4, it is possible to perform a "zero downtime" ?

Don't we need to upgrade from last minor release to the next major release ??

 

Hall of Fame Master

Re: ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

No, you don't need to upgrade from last minor release to the next major release.

The release notes do recommend this; but I have successfully upgraded hundreds of ASAs without doing so.

Beginner

Re: ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

Hi Marvin,

 

your mean I can upgrade directly form 9.1 to 9.4 to achieving the zero down-time ?

I can't find any official document to verify this option on Cisco web site. Do you have any document to verify this?

I need to verify this because the service of customer can't be any interrupted.

 

Highlighted
Hall of Fame Master

Re: ASA Failover Pairs upgrade 9.1(7) to 9.4(4) with zero downtime

As long as you are running at least 9.1(3) you can upgrade directly from 9.1 to 9.4 with zero down-time.

Please see the release notes for 9.4:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#ID-2152-0000000a

Then follow this process:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

Personally I'd recommend going to the latest 9.8 interim release (currently 9.8(3)29) or even 9.8.4 since 9.4 is getting pretty old and will be end of support well before 9.8.