03-21-2014 07:52 AM - edited 03-10-2019 06:10 AM
Hi,
I have an active/standby ASA pair, both fitted with an SSM-10. We are planning to do a software upgrade for the SSM-10. My concern here is the proper steps.
Should we start the upgrade with the secondary unit first before we perform the upgrade for the Primary? Please advise.
Regards,
03-24-2014 04:40 AM
Yes, when the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby. Reload the primary with the new image.
04-02-2014 03:42 PM
It all depends on your Fail Open setting and your security posture.
If your primary ASA is set to Fail Closed, then taking the AIP-SSM offline for an upgrade will cause traffic to fail over to the standby ASA. If you are set for Fail Open then traffic will continue to pass through your primary ASA without IPS inspection until the AIP-SSM comes back.
Your security posture will dictate how important IPS inspection/dropping is to your organization. Is maintaining IPS inspection more important than failing over to the standby rail?
- Bob
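
Added example, not part of the thread: a pre-upgrade check that reads the `ips` action lines from saved ASA `show running-config policy-map` output and reports, per class, what the reply above says will happen while the AIP-SSM is offline. The configuration text, class names and sensor name are constructed for illustration.

```python
import re

# Constructed sample of `show running-config policy-map` output (not from the thread).
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class dmz_ips
  ips inline fail-close
 class inside_ips
  ips promiscuous fail-open sensor vs0
"""

# ASA syntax: ips {inline | promiscuous} {fail-close | fail-open} [sensor name]
IPS_LINE = re.compile(r"^\s*ips\s+(inline|promiscuous)\s+(fail-open|fail-close)\b")


def ips_fail_modes(config):
    """Return [(policy_map, class, mode, fail_setting)] for every ips action."""
    results, policy, cls = [], None, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("policy-map "):
            # Last token is the map name, also for "policy-map type inspect ..."
            policy, cls = stripped.split()[-1], None
        elif stripped.startswith("class "):
            cls = stripped.split()[-1]
        else:
            match = IPS_LINE.match(line)
            if match:
                results.append((policy, cls, match.group(1), match.group(2)))
    return results


def upgrade_impact(fail_setting):
    """Effect of taking the module offline, as described in the reply above."""
    if fail_setting == "fail-close":
        return "module offline: traffic fails over to the standby ASA"
    return "module offline: traffic keeps passing without IPS inspection"


if __name__ == "__main__":
    for policy, cls, mode, fail in ips_fail_modes(SAMPLE_CONFIG):
        print(f"{policy}/{cls}: {mode} {fail} -> {upgrade_impact(fail)}")
```

Run it against the configuration saved from both units before the maintenance window, so any class left at fail-open is a known inspection gap for the duration of the module reload.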