04-30-2019 04:48 AM - edited 02-21-2020 09:05 AM
Can someone please advise how I can upgrade the Firepower module on an active-active clustered ASA?
Do I have to disable the cluster, or take one device off? Also, when choosing the device from FMC, can I choose to push the update to both devices at the same time, or do I have to choose one at a time?
Thanks
04-30-2019 07:18 AM
Firepower service modules on FMC-managed ASAs operate independent of their parent ASAs' clustering or failover configurations. You can choose to upgrade them one at a time or in groups of your choosing.
05-02-2019 03:47 AM
Thanks, but wouldn't upgrading reboot the ASA? If it does, then the secondary ASA would become master.
05-02-2019 08:12 AM
Upgrading (or even reimaging) a service module does not require rebooting the parent ASA.
If it's an HA pair, the ASA will by default monitor the service module status and switch an active unit to standby status (assuming the formerly standby unit was in Standby Ready state) when a module reloads. You can disable that behavior if you are OK with not having the service module available on your active unit.
05-03-2019 04:47 AM
Thanks, I'm just trying to understand the ASA behaviour and I'm a bit confused. So I have 2 ASAs clustered (security context mode: multiple) with 2 SFR modules (SSP-20):
#show cluster info
Cluster C: On
Interface mode: spanned
This is "ASA-1" in state MASTER
ID : 0
Version : 9.6(3)
Other members in the cluster:
Unit "ASA-2" in state SLAVE
ID : 1
Version : 9.6(3)
The cards are configured in monitor-only, fail-open. Now for upgrading to version 6, for example, devices will be rebooted. While the module goes through the upgrade, since all traffic is sent to the module, how does the ASA behave? Will it pass traffic without inspection, or switch to the slave ASA?
Also is it possible to directly upgrade from 6.1 to 6.4?
Thanks
05-03-2019 08:12 AM
When upgrading Firepower on your 5585-X, only the SSP-20 Firepower service module reboots during the process.
By default the loss of a service module is a monitored resource for determining the eligibility of a cluster member (in the instance of a clustered ASA system) or HA member (in an Active-Standby or Active-Active High Availability pair) to be active. So the member would be removed from the cluster (or HA pair) and marked "down" until the module recovers.
You can disable that behavior as described here:
05-07-2019 07:51 AM
Many thanks.
Service module monitoring is already disabled on my firewall; do I also need to remove the module policy?
Thanks
05-07-2019 07:05 PM
There's no need to remove the module policy as long as it is fail-open (the most common option by far).
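As an added example (not from any poster in this thread), here is the ASA CLI configuration the two answers above refer to: disabling service-module health monitoring for a cluster and for a failover pair, next to a fail-open, monitor-only module policy. The class-map name is an assumption, and the commands are written from the ASA 9.x CLI as I know it, not quoted from this page, so check them against the command reference for your release.

```text
! --- Clustering (system execution space in multiple context mode) ---
cluster group C
 ! Default: a reloading ASA FirePOWER (sfr) module removes this unit from the cluster.
 ! Disable module monitoring so a module upgrade does not change cluster membership
 ! (assumed syntax; verify in your release):
 no health-check monitor-interface service-module

! --- Failover pair (Active/Standby or Active/Active) ---
! Default: a module reload fails the active unit over to the standby.
no monitor-interface service-module

! --- Module redirection policy (in each context): fail-open, monitor-only ---
! fail-open: traffic keeps flowing uninspected while the module is down or reloading.
! monitor-only: the module receives a copy of the traffic (passive inspection).
class-map SFR-ALL
 match any
policy-map global_policy
 class SFR-ALL
  sfr fail-open monitor-only
service-policy global_policy global

! Verify state before and after the module upgrade
show cluster info
show module sfr details
show failover
```

With fail-open and monitoring disabled, a module upgrade should leave the cluster membership and the traffic path unchanged; the only loss is inspection while the module reloads.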
06-10-2019 01:42 AM
Hi, although I disabled health monitoring, the module upgrade still rebooted the ASA.
Any advice?
06-10-2019 08:17 AM
I have never had a module upgrade reboot an ASA (and I have done over 100 of them).
Can you tell us the steps you took in more detail?
06-11-2019 02:24 AM
I did an upgrade from 5.4.1.1 to 6.0.0.
I have two clustered ASAs, on which I installed the upgrade one device at a time through FMC.