Can someone please advise how I can upgrade the Firepower module on an active-active clustered ASA?
Do I have to disable the cluster, or take one device off? Also, when choosing the device from FMC, can I choose to push the update to both devices at the same time, or do I have to choose one at a time?
Firepower service modules on FMC-managed ASAs operate independently of their parent ASAs' clustering or failover configurations. You can choose to upgrade them one at a time or in groups of your choosing.
Upgrading (or even reimaging) a service module does not require rebooting the parent ASA.
If it's an HA pair, the ASA will by default monitor the service module status and switch an active unit to standby status (assuming the formerly standby unit was in Standby Ready state) when a module reloads. You can disable that behavior if you are OK with not having the service module available on your active unit.
Thanks, I'm just trying to understand the ASA behaviour and I'm a bit confused. So I have 2 ASAs clustered (Security context mode: multiple) with 2 SFR modules - SSP-20:
#show cluster info
Cluster C: On
Interface mode: spanned
This is "ASA-1" in state MASTER
ID : 0
Version : 9.6(3)
Other members in the cluster:
Unit "ASA-2" in state SLAVE
ID : 1
Version : 9.6(3)
The cards are configured in monitor-only, fail-open. Now, for upgrading to version 6 for example, the devices will be rebooted. While the module goes through the upgrade, as all traffic is sent to the module, how does the ASA behave? Will it pass traffic without inspection, or switch to the slave ASA?
Also, is it possible to directly upgrade from 6.1 to 6.4?
When upgrading Firepower on your 5585-X, only the SSP-20 Firepower service module reboots during the process.
By default the loss of a service module is a monitored resource for determining the eligibility of a cluster member (in the instance of a clustered ASA system) or HA member (in an Active-Standby or Active-Active High Availability pair) to be active. So the member would be removed from the cluster (or HA pair) and marked "down" until the module recovers.
You can disable that behavior as described here:
I have never had a module upgrade reboot an ASA (and I have done over 100 of them).
Can you tell us the steps you took in more detail?
I did an upgrade from 220.127.116.11 to 6.0.0
I have two clustered ASAs, on which I installed the upgrade one device at a time through FMC.