
Upgrade ASA 5520 8.2 to newest version 9.1?

edgarcparra
Level 1

Hi All,

I have two ASA 5520's version 8.2 in active/standby mode. I want to upgrade them both to the newest version.

I know I can't directly upgrade to version 9.1. But can I jump straight to 8.4 then to 9.1? Do I have to upgrade 8.2 to 8.3 or worry about minor releases and stuff like that?

Also, what is the best method of doing this? Should I upgrade the standby ASA first to 8.4, reboot, then to 9.1, reboot?

Thanks!

10 Replies

You would need to jump to 8.4 and then to 9.1. Here is a link on the upgrade path:

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp746094

This is not an easy thing to do depending on how many NAT statements you have.  Everything from 8.3 is based on group objects so make sure you have configured the new object groups and NAT statements before you start the migration.

For zero downtime, if you have an active / standby setup, then do the following:

1. upgrade the standby ASA

2. update your object groups, NAT and ACLs

3. initiate failover and monitor for connectivity issues.

4. once you are sure that you have minimal connectivity problems, upgrade the second ASA and update the object groups, NAT and ACLs.

Then initiate failover back to the original active ASA...if required.

--
Please remember to rate and select a correct answer


Thank you for the information.

When I upgrade the standby ASA from 8.2 to 8.4 then 9.1, will this break the active/standby pair? Will I still be able to fail the active ASA (which would still be on the 8.2 version) to standby so that the new standby becomes active, even if the versions are different?

Hello,

While upgrading the IOS, you have to do things in the proper manner. For synchronization between the two ASAs, the IOS should be the same.

1> Upload the IOS file to your secondary & primary ASA.

2> Reload the secondary ASA.

3> After reloading, when the ASA boots up, make the secondary ASA the LAN unit primary (forceful mechanism)

4> Then on the primary ASA make the LAN unit secondary (forceful mechanism)

5> Reload the primary ASA

Thanks

The active and standby units should have the same major and minor software version.  However as of 8.3 an exception has been added for situations during upgrade that for the duration of the upgrade of the active standby pair, as long as they remain within the same major release the pair will remain in active standby.  I am not sure what will happen when you go to the next major release, but I am assuming that the active standby pair will be broken until both units are back on the same software version.

--
Please remember to rate and select a correct answer


If the pair is broken, would I still be able to issue failover commands (failing active to standby, failing standby back to active, etc.)?

Also, if I'm going from 8.2 to 8.4 to 9.1, am I going to have to first upgrade the standby to 8.4, reboot, then upgrade to 9.1, reboot?

If the pair is broken, would I still be able to issue failover commands (failing active to standby, failing standby back to active, etc.)?

From my understanding, as long as you are within the 8.x release of the ASA software you will be able to issue failover commands and replicate config between the two devices. You will however see error messages stating that the versions are not the same. I am uncertain what type of behavior you will see when going to 9.1 as I have not had to upgrade to that version yet.

Also, if I'm going from 8.2 to 8.4 to 9.1, am I going to have to first upgrade the standby to 8.4, reboot, then upgrade to 9.1, reboot?

The path I would recommend is to upgrade both units to 8.4 first and then to 9.1.  You also need to make sure that the ASAs have the correct amount of memory to support 8.3 and higher software.  So the steps would be something like this:

  1. check to see if the ASAs have the correct amount of memory. The 5520 requires 2GB of memory (upgrade memory if required)
  2. download 8.4 and 9.1 from cisco.com website and copy both to the ASA's flash
  3. upgrade the standby ASA version to 8.4 (boot system flash:)
  4. reboot the standby ASA
  5. When it comes up, make the necessary changes to the NAT and ACLs with regards to object group usage
  6. Make the Standby ASA the active firewall
  7. repeat steps 3 to 6
  8. upgrade the standby ASA version to 9.1
  9. reboot the standby ASA
  10. Make the standby ASA the active firewall
  11. upgrade the standby ASA version to 9.1
  12. Reboot the standby ASA
  13. Make the standby ASA active again, if required to maintain the original active ASA as active.

--
Please remember to rate and select a correct answer

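A pre-flight check for the steps in the reply above, as an added example that is not part of the original thread: it parses `show version` output from both units, plans the hops using the path given in this thread (8.2 to 8.4 to 9.1), and flags a unit below the 2 GB the reply states for the 5520. The sample text is constructed, and the function and constant names are assumptions made for the example.

```python
import re

# Rules as stated in the thread: releases before 8.4 step through 8.4 on the
# way to 9.1, and the ASA 5520 needs 2 GB of RAM for 8.3 and later.
INTERMEDIATE = (8, 4)
MEMORY_RULE_FROM = (8, 3)
MIN_RAM_MB = {"ASA5520": 2048}

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)")
HARDWARE_RE = re.compile(r"Hardware:\s+([^,\s]+),\s+(\d+) MB RAM")

# Constructed sample 'show version' excerpts (not captured from real devices).
SAMPLE_ACTIVE = """Cisco Adaptive Security Appliance Software Version 8.2(5)
Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
"""
SAMPLE_STANDBY = SAMPLE_ACTIVE.replace("2048 MB", "512 MB")


def parse_show_version(text):
    """Extract (major, minor, maint), model and RAM from 'show version' text."""
    ver, hw = VERSION_RE.search(text), HARDWARE_RE.search(text)
    if not ver or not hw:
        raise ValueError("unrecognised 'show version' output")
    return {"version": tuple(map(int, ver.groups())),
            "model": hw.group(1), "ram_mb": int(hw.group(2))}


def upgrade_hops(current, target=(9, 1)):
    """Return the major.minor releases to install, in order."""
    cur = tuple(current[:2])
    if cur >= target:
        return []
    return ([INTERMEDIATE] if cur < INTERMEDIATE < target else []) + [target]


def preflight(active_text, standby_text, target=(9, 1)):
    """Plan the hops for a failover pair and list blockers found beforehand."""
    units = {"active": parse_show_version(active_text),
             "standby": parse_show_version(standby_text)}
    hops = upgrade_hops(min(u["version"] for u in units.values()), target)
    problems = []
    if units["active"]["version"] != units["standby"]["version"]:
        problems.append("units run different versions")
    for name, u in units.items():
        need = MIN_RAM_MB.get(u["model"])
        if hops and hops[-1] >= MEMORY_RULE_FROM and need and u["ram_mb"] < need:
            problems.append(f"{name}: {u['ram_mb']} MB RAM, needs {need} MB")
    return hops, problems
```

Calling `preflight(SAMPLE_ACTIVE, SAMPLE_STANDBY)` returns the planned hops together with any blockers, so a memory shortfall shows up before the first reload rather than after it.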

Hi, I recently upgraded our 5505 ASA from 8.2(5) directly to 9.1 and suddenly I lost access to it. Any help?

For 8.2(5) to 9.1 you need to first upgrade to 8.4(5).


Please do not forget to rate.

Understood, however I already did the upgrade skipping 8.4. Now I lost access to the firewall. How can this be fixed?

You have to go to the path 8.2 to 8.4 to 9.x.

You need to upgrade the active ASA to software 9.1, and for the passive, which you lost control of, you need to console to the CLI to check what is happening. I am afraid there is no quick fix for it.

For the passive, 8.2 to 8.4, then 9.1.

Please do not forget to rate.