Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
487
Views
0
Helpful
2
Replies

SSM-10 upgrade in Failover ASA (Active/Standby)

Anuar Shahrin
Level 1
Level 1

‎03-21-2014 07:52 AM - edited ‎03-10-2019 06:10 AM

Hi,

 

I have an active/standby ASA with both fitted SSM-10. We are planning to do a software upgrade for the SSM-10. My concern here is the proper steps.

Should we start upgrade with the secondary unit first before we perform the upgrade for the Primary? Please advice.

 

Regards,

Labels:
0 Helpful
2 Replies 2

Saurav Lodh
Level 7
Level 7

‎03-24-2014 04:40 AM

Yes, when the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby. Reload the primary with the new image.

0 Helpful

rhermes
Level 7
Level 7

‎04-02-2014 03:42 PM

It all depends on your Fail Open setting and your security posture.

If your primary ASA is set to Fail Closed, then taking the AIP-SSM off line for an upgrade will cause traffic to fail over to the standby ASA. If you are set for Fail Open then traffic will continue to pass thru your primary ASA without IPS inspection untill the AIP-SSM comes back.

Your security posture will dictate how important IPS inspection/dropping is to your organization. Is mainting IPS inspection more important than failing over to the standby rail?

- Bob

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card