I have always only done it in stateful, not stateless mode. Just to be clear, by "stateful," I mean that when failover occurs it maintains the state of the TCP, UDP, ESP, etc sessions that are in place without disruption. My question is whether or not I can do that while upgrading directly from 9.4 to 9.9. I would love to be pointed to some official Cisco documentation that addresses that exact question, if such a document exists.

For the record, here is my failover configuration:

failover
failover lan unit primary
failover lan interface fo GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover key *****
failover replication http
failover link fo GigabitEthernet0/7
failover interface ip fo 1.1.1.245 255.255.255.252 standby 1.1.1.246

Hi

May i know if you still achieve a zero downtime (TCP sessions not dropped) when you upgraded from 9.4 directly to 9.9? I'm planning to upgrade from 9.6(4)8 to 9.9.2 directly.

I never did. We're still at 9.4.x and I've just been doing the incremental security updates. It's still a “suggested release” on Cisco's ASA software page.

you can upgrade from 9.4.x to 9.9x

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html

Yes your config is correct.

failover
failover lan unit primary
failover lan interface fo GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover key *****
failover replication http
failover link fo GigabitEthernet0/7
failover interface ip fo 1.1.1.245 255.255.255.252 standby 1.1.1.246

 also make sure you secondary box. the other asa have the following config.

failover
failover lan unit secondary
failover lan interface fo GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover key *****
failover replication http
failover link fo GigabitEthernet0/7
failover interface ip fo 1.1.1.245 255.255.255.252 standby 1.1.1.246

also bear in mind if you have a sub-interface on these firewall than you have to add them in monitor purpose

monitor-interface gigx.xxx

 having said that. normal interface the one do not have a sub-interface are automatically added as monitor interface. than its depends which interface you want to monitor for failover.

I know my configuration is correct--I wasn't asking for clarification on that. I was asking if anybody knows if you can upgrade from 9.4.4 to 9.9.x, which apparently nobody does.

here is the cisco upgrade path recommendation.

seems you can easy do a upgrade to new version.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html

Here an official upgrade guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

To summarize, upgrade for failover asa is straight forward:

- copy new image to active and standby devices.

- change the boot config to boot using new image.

- reload standby with the new image. 

- when reloaded, force a failover from active to new reloaded standby.

- reload old active with new software.

- force back active role if you want.

during this process when you reload the standby firewall with new image it will come online. and it will tell you its version does not match with peer ASA.

this is explained in previous thread. 

the link you shared i have used in past. its very accurate you can follow the same process. there will be no downtime to your network. 

here is the link 

Release Notes for the Cisco ASA Series, 9.9(x)

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html

you can go from 9.6 to 9.9

My personal frustration is that there is no single document that indicates both a zero-downtime upgrade AND version-specific info in regards to 9.x upgrades beyond a "point one" version. The one you sent a few times indicates one can upgrade from 9.4 to 9.9 (as well as a whole bunch of other options in the grid), but it does not indicate zero downtime during that upgrade. Anyway, I'll eventually just have to bite the bullet when Cisco discontinues support for 9.4.x, but until then, I'm in no rush. I wish I had a spare failover pair, but we don't have that luxury (I do have spare 5510 ASAs, but those won't run anything newer than 9.1).

i have some spare box 5516-x i shall check and let you know if there is a jump available in 9.4 to 9.9