Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
32413
Views
5
Helpful
8
Replies

Upgrading ASA 5520 from 8.2 to 8.4

Andy White
Level 3
Level 3

‎02-27-2011 09:20 AM - edited ‎03-11-2019 12:57 PM

Hello,

We have 2 ASA 5520's working in active/standby mode and both have the IPS module installed then 2 firewalls have also been upgraded to have 2GB of memory.

I have been asked if it is worth upgrading to 8.4 from 8.2.  There is nothing wrong with our current firmware and if it isn't broken then why change strings to mind, but I also dont wnat to be left behind.

I've upgraded the firmware on the ASA's before, but they have been pretty simple.  I do the standby ASA first and wait for it to come up, then do the other.  However I think 8.3 and 8.4 are big jumps and have issues with NAT (we have a lot of NAT's and NAT exempts).  I have had a quick read of 8.4's document, but has anyone actually upgraded from 8.2 to 8.4?

Thanks

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎02-27-2011 10:40 AM

Andy,

I personally think that you only need to upgrade to 8.4 if either requiring a new feature of this release or if the current OS has any bugs that need to be fixed (fix might be in 8.4).

So, if the current 8.2 is working fine there's no hurry to upgrade.

Specially that there are major changes for NAT and object-oriented configuration.

I would recommend if possible to get very familiar with the new configuration-style and all changes before upgrading to the new release.

Hope it helps.


Federico.

0 Helpful

Andy White
Level 3
Level 3
In response to Federico Coto Fajardo

‎02-27-2011 11:49 AM

Thanks, do you know if there is a demo of the 8.4 ADSM?

0 Helpful

csaxena
Cisco Employee
Cisco Employee
In response to Andy White

‎02-28-2011 01:06 AM

Hello Andy,

ASDM 6.4.1 is compatible with ASA 8.4. Here is the download link to the demo version of the same:

http://www.cisco.com/cisco/software/release.html?mdfid=279916880&flowid=4375&softwareid=280775064&release=6.4.1&relind=AVAILABLE&rellifecycle=&reltype=latest

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.


0 Helpful

Ken Stieers
VIP
VIP
In response to csaxena

‎03-12-2011 09:30 PM

Something to note if you can't take downtime:

(taken from the

Cisco ASA 5500 Series Configuration

Guide using the CLI

Software Version 8.4 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540,

ASA 5550, ASA 5580, ASA 5585-X, pg 80-5 & 6)

Minor Release

You can upgrade from a minor release to the next minor release. You

cannot skip a minor release.

For example, you can upgrade from 7.0(1) to 7.1(1). Upgrading from

7.0(1) directly to 7.2(1) is not supported for zero-downtime upgrades;

you must first upgrade to 7.1(1).

Major Release

You can upgrade from the last minor release of the previous version to

the next major release.

For example, you can upgrade from 7.2(1) to 8.0(1), assuming that

7.2(1) is the last minor version in the 7.x release series.

So, you'll have to do an 8.3, and then 8.4 upgrade, unless you can take downtime.

Ken

0 Helpful

csaxena
Cisco Employee
Cisco Employee
In response to Ken Stieers

‎03-12-2011 10:33 PM

Hello Ken,

Can you please share link on the post? We might have to look into this link.

But you can surely upgrade from any ASA 8.x code to ASA 8.4.

Here are the release notes confirming the same:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp506348

Downtime is always advisable becuase you might hit bugs or face issues while upgrading but it is surely possible without a downtime. You need to reboot the firewall and that will cause 1-2 mins downtime.

Regards,
Chirag

Akhil B
Cisco Employee
Cisco Employee
In response to csaxena

‎03-12-2011 10:42 PM

Hi Andy,

     As suggested by Chirag, we can upgrade from pre-8.3 Code directly to 8.4, its not necessary to upgrade to 8.3. All we need to take care of are the nat-changes, which is different in 8.3 and 8.4.

Regards,

Akhil

0 Helpful

Marcus Hunold
Level 1
Level 1
In response to Akhil B

‎06-07-2011 03:44 AM

Hi Akhil, hi all others,

I wanna do an upgrade from 8.2 to 8.4 without Downtime.

ASA pair is configured with "failover link if_name phy_if"(failover link statelink GigabitEthernet0/2).

Is it sure that all State Information from active unit(8.2) which are mentioned here:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1078953

will pass to standby unit(8.4),so that I can do an failover manually without loss of any state informations?

What about the NAT translation table? Is it possible to pass NAT translation table from active unit with old NAT(8.2) to the standby unit with new NAT(8.4) with Stateful Failover?

Regards,

Marcus

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card