ASA Firepower upgrade from FMC

D@1984
Level 1

Can someone please advise how I can upgrade the Firepower module on an active-active clustered ASA?

Do I have to disable the cluster, or take one device off? Also, when choosing the device from FMC, can I choose to push the update to both devices at the same time, or do I have to choose one at a time?

Thanks

10 Replies

Marvin Rhoads
Hall of Fame

Firepower service modules on FMC-managed ASAs operate independently of their parent ASAs' clustering or failover configurations. You can choose to upgrade them one at a time or in groups of your choosing.

Thanks, but wouldn't upgrading reboot the ASA? If it does, then the secondary ASA would become master.

Upgrading (or even reimaging) a service module does not require rebooting the parent ASA.

If it's an HA pair, the ASA will by default monitor the service module status and switch an active unit to standby status (assuming the formerly standby unit was in Standby Ready state) when a module reloads. You can disable that behavior if you are OK with not having the service module available on your active unit.

Thanks, I'm just trying to understand the ASA behaviour and I'm a bit confused. So I have 2 ASAs clustered (security context mode: multiple) with 2 SFR modules (SSP-20):

#show cluster info

Cluster C: On
Interface mode: spanned

This is "ASA-1" in state MASTER
ID : 0
Version : 9.6(3)

Other members in the cluster:
Unit "ASA-2" in state SLAVE

ID : 1
Version : 9.6(3)

The cards are configured in monitor-only, fail-open. Now, for upgrading to version 6 for example, the devices will be rebooted. While the module goes through the upgrade, as all traffic is sent to the module, how does the ASA behave? Will it pass traffic without inspection, or switch to the slave ASA?

Also, is it possible to directly upgrade from 6.1 to 6.4?

Thanks

When upgrading Firepower on your 5585-X, only the SSP-20 Firepower service module reboots during the process.

By default the loss of a service module is a monitored resource for determining the eligibility of a cluster member (in the instance of a clustered ASA system) or HA member (in an Active-Standby or Active-Active High Availability pair) to be active. So the member would be removed from the cluster (or HA pair) and marked "down" until the module recovers.

You can disable that behavior as described here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200944-Disable-Service-Module-Monitoring-on-ASA.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/m4.html#pgfId-2123112
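As an added illustration (not from the original thread and not Cisco's own documentation), the configuration pieces the replies above refer to: the monitor-only, fail-open redirection the poster describes, and the commands that stop the ASA treating the SFR module as a monitored resource. The class-map name and cluster group name are placeholders; the cluster-mode command is given as I recall it from the ASA cluster health-check options, so check it against the linked command reference.

```text
! Monitor-only, fail-open redirection to the SFR module (the poster's current setup).
! With fail-open, traffic keeps flowing uninspected while the module is down or reloading.
! In multiple-context mode this policy lives inside the security context.
class-map SFR_TRAFFIC
 match any
!
policy-map global_policy
 class SFR_TRAFFIC
  sfr fail-open monitor-only
!
! Failover pair (Active/Standby or Active/Active): the service module is
! no longer a monitored resource, so a module reload does not trigger a failover.
no monitor-interface service-module
!
! Clustered ASA (system execution space in multiple-context mode): a module
! reload no longer removes the unit from the cluster. Placeholder group name.
cluster group CLUSTER1
 no health-check monitor-interface service-module
```

The two monitoring commands are independent: disabling the failover one does nothing for a cluster, and vice versa, which is why a clustered pair needs the `cluster group` form.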

Many thanks.

Service module monitoring is already disabled on my firewall; do I also need to remove the module policy?

Thanks

There's no need to remove the module policy as long as it is fail-open (the most common option by far).

Hi, although I disabled health monitoring, the module upgrade still rebooted the ASA.

Any advice?

I have never had a module upgrade reboot an ASA (and I have done over 100 of them).

Can you tell us the steps you took in more detail?

I did an upgrade from 5.4.1.1 to 6.0.0.

I have two clustered ASAs, on which I installed the upgrade to one device at a time through FMC.
