Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2067
Views
0
Helpful
4
Replies

AIP-SSM Upgrade for ASA Active/ Active

Go to solution
Nandan Mathure
Level 1
Level 1

‎06-19-2010 02:03 PM - edited ‎03-10-2019 05:02 AM

Hi everyone!

I  need some help on upgrading the aip-ssm modules to E4 on two asa s which are active/active state. Will i be able to do this without the downtime?what are considerations ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
edadios
Cisco Employee
Cisco Employee

‎06-19-2010 04:50 PM

The AIPs are independent of the ASA failover, however, the ASA can consider the AIP status in failover switchover, meaning it can failover

if it detects an AIP module going down on the active device.

The best method for upgrade in this situation will be to setup active failover status for all groups on the primary ASA, then upgrade the AIP of the secondary ASA.

Once the AIP of the secondary is completely updated and functional, then set all the groups to be active failover on the secondary ASA.

Then upgrade the Primary AIP.

Once the primary AIP is completely upgraded and working, you can then restore the failover status on the ASAs, by setting failover active for the group on the specific ASAs you want them to be active on..

Regards,

View solution in original post

0 Helpful
4 Replies 4

Go to solution
edadios
Cisco Employee
Cisco Employee

‎06-19-2010 04:50 PM

The AIPs are independent of the ASA failover, however, the ASA can consider the AIP status in failover switchover, meaning it can failover

if it detects an AIP module going down on the active device.

The best method for upgrade in this situation will be to setup active failover status for all groups on the primary ASA, then upgrade the AIP of the secondary ASA.

Once the AIP of the secondary is completely updated and functional, then set all the groups to be active failover on the secondary ASA.

Then upgrade the Primary AIP.

Once the primary AIP is completely upgraded and working, you can then restore the failover status on the ASAs, by setting failover active for the group on the specific ASAs you want them to be active on..

Regards,

0 Helpful

Go to solution
Nandan Mathure
Level 1
Level 1
In response to edadios

‎06-20-2010 12:59 PM

I will go with what you say. Thanks for your time

Regards,

Nandan

0 Helpful

Go to solution
mkirbyii
Level 1
Level 1
In response to edadios

‎06-25-2010 11:51 AM

Do you also have to do this everytime you push a sig update to the AIP's as well?

Thanks

Mike

0 Helpful

Go to solution
edadios
Cisco Employee
Cisco Employee
In response to mkirbyii

‎06-25-2010 10:01 PM

In general a signature update does not require a reload. So you can independently do signature updates on the modules on each of the pair, and not be concerned about triggering  failover.

This may help clarify what you want to avoid doing if you don't want failover to happen in relation to the modules on ASA:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp5355853

Regards,

0 Helpful
Review Cisco Networking for a $25 gift card
Top