- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-19-2010 02:03 PM - edited 03-10-2019 05:02 AM
Hi everyone!
I need some help on upgrading the aip-ssm modules to E4 on two asa s which are active/active state. Will i be able to do this without the downtime?what are considerations ?
Solved! Go to Solution.
- Labels:
-
IPS and IDS
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-19-2010 04:50 PM
The AIPs are independent of the ASA failover, however, the ASA can consider the AIP status in failover switchover, meaning it can failover
if it detects an AIP module going down on the active device.
The best method for upgrade in this situation will be to setup active failover status for all groups on the primary ASA, then upgrade the AIP of the secondary ASA.
Once the AIP of the secondary is completely updated and functional, then set all the groups to be active failover on the secondary ASA.
Then upgrade the Primary AIP.
Once the primary AIP is completely upgraded and working, you can then restore the failover status on the ASAs, by setting failover active for the group on the specific ASAs you want them to be active on..
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-19-2010 04:50 PM
The AIPs are independent of the ASA failover, however, the ASA can consider the AIP status in failover switchover, meaning it can failover
if it detects an AIP module going down on the active device.
The best method for upgrade in this situation will be to setup active failover status for all groups on the primary ASA, then upgrade the AIP of the secondary ASA.
Once the AIP of the secondary is completely updated and functional, then set all the groups to be active failover on the secondary ASA.
Then upgrade the Primary AIP.
Once the primary AIP is completely upgraded and working, you can then restore the failover status on the ASAs, by setting failover active for the group on the specific ASAs you want them to be active on..
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-20-2010 12:59 PM
I will go with what you say. Thanks for your time
Regards,
Nandan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-25-2010 11:51 AM
Do you also have to do this everytime you push a sig update to the AIP's as well?
Thanks
Mike
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-25-2010 10:01 PM
In general a signature update does not require a reload. So you can independently do signature updates on the modules on each of the pair, and not be concerned about triggering failover.
This may help clarify what you want to avoid doing if you don't want failover to happen in relation to the modules on ASA:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp5355853
Regards,
