ASA 5520 active/standby remote software update

Good morning,

We have a pair of 5510s and a pair of 5520s, each in Active/Standby mode.  I'd like to upgrade the ASDM and ASA software on these, but am finding no documentation that advises on how this can be done without physical access to the devices.  It so happens I am on site, but we will be deploying these throughout our network and I'd like to be able to perform this type of maintenance without travelling to each site. 

We utilize CSM and ASDM to manage these for the most part, but are certainly capable of configuring via CLI. 

The issue may be my lack of understanding of the ASA fundamentals, but I don't really get how the software can be copied to the individual ASAs of the pair so they may be reloaded and upgraded without outage.  My lack of understanding also makes this a difficult question to word, so please forgive me that.  With a remote SSH connection to the pair, I'm only copying the software to the Active ASA, correct?  Or is there a way to get the software to each disk individually from the single SSH connection?  I'm not quite sure how to manage the Standby ASA without consoling into it... If I can indeed remotely get the software to each ASA (copying to different disks?? i.e. disk0: and disk1:?), then I also run into an issue updating the boot statement for each of them individually, though to resolve that I suppose I could just remove the old software, but that seems like bad practice before confirming the new software is ok.

If there is a simpler way of deploying new code via ASDM or CSM, I'm certainly open to that.

Any advice or resources anyone could offer would be extremely helpful and appreciated.

Thank you,

Justin


4 Replies
Cisco Employee

Hi,

It really depends on the upgrade. There is support for zero downtime upgrades; however, it is always recommended to have someone on site to help in case something happens.

In failover, you have two IP addresses, the primary IP and the secondary IP. If you connect to the primary IP, you will be connecting to the Active Unit. You can upload the files there, but this information is not going to be replicated to the secondary Unit. That's why you will need to connect to the secondary IP in order to connect to the Standby Unit, then upload the files there too.

In order to perform a zero downtime upgrade remotely, you can use the following document:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398

Hope this is useful.

Mike

Hi Mike,

Thanks for the response.  I think that's where I started thinking I was slightly insane, because I tried to log into the standby IPs for each of these pairs, but my connection was denied.  I'm not entirely sure why and I troubleshot it, but I think I just assumed for some reason that it just wasn't possible.  I need to revisit that, because I think I'll have a far easier time once I get that going.  I suppose that brings up another question:  Any common reasons why standby IPs might be unreachable?  We have standard EIGRP configs in the pair for routing, and there wasn't an issue with accessing the primary, so that's why I assumed it'd just "work", and if not then it wasn't possible. 

Thanks again!

Justin

Accepted Solution

Justin,

That is exactly why. If you are running a version earlier than 8.4.1, routing table information is not replicated between the devices.

The information that is not passed to the standby unit when stateful failover is enabled includes these:

  • The HTTP connection table (unless HTTP replication is enabled)

  • The user authentication (uauth) table

  • The routing tables

  • State information for security service modules

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

If your default route gateway is learned via EIGRP and you are trying to access it from the internet, you are not going to be able to get to the secondary Unit.

Workaround: put the default gateway in statically with a higher metric so it appears in the running configuration and is sent to the secondary Unit.

Any questions let me know.

Mike
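The per-unit image copy from the first reply and the floating-static-route workaround from the accepted answer, written out as an added ASA CLI example that is not part of the thread or Cisco's documentation. All addresses, image file names and the TFTP server are constructed placeholders; it assumes ASA 8.x syntax, an interface named `outside`, a standby address already configured on that interface, and SSH already permitted from the management host.

```cisco
! Added example (not from the thread): remote zero-downtime upgrade of an
! Active/Standby pair running a release earlier than 8.4.1.
! 203.0.113.1, 192.0.2.50 and the asa-NEW/asa-OLD file names are placeholders.

! --- Step 0 (on the ACTIVE unit): make the standby unit reachable remotely.
! A floating static default route (administrative distance 254) is part of the
! running configuration, so failover replicates it to the standby unit, which
! otherwise has no EIGRP-learned default route before 8.4.1. On the active unit
! the EIGRP route (AD 90 internal / 170 external) still wins.
configure terminal
route outside 0.0.0.0 0.0.0.0 203.0.113.1 254
write memory

! --- Step 1: copy the new images to the ACTIVE unit (SSH to the primary IP).
! Flash contents are not replicated by failover, so this must be repeated per unit.
copy tftp://192.0.2.50/asa-NEW.bin disk0:/asa-NEW.bin
copy tftp://192.0.2.50/asdm-NEW.bin disk0:/asdm-NEW.bin

! --- Step 2: copy the same images to the STANDBY unit (SSH to the standby IP).
copy tftp://192.0.2.50/asa-NEW.bin disk0:/asa-NEW.bin
copy tftp://192.0.2.50/asdm-NEW.bin disk0:/asdm-NEW.bin

! --- Step 3 (ACTIVE unit): boot the new image first, keep the old image as a
! fallback entry, and save. The boot and asdm lines are configuration, so they
! are synced to the standby unit; no separate edit on the standby is needed.
configure terminal
no boot system disk0:/asa-OLD.bin
boot system disk0:/asa-NEW.bin
boot system disk0:/asa-OLD.bin
asdm image disk0:/asdm-NEW.bin
write memory

! --- Step 4 (ACTIVE unit): reload the standby so it comes up on the new image,
! then wait until "show failover" reports the other unit as Standby Ready.
failover reload-standby
show failover

! --- Step 5 (ACTIVE unit): hand over; the already-upgraded unit becomes active.
no failover active

! --- Step 6 (on the unit that is now ACTIVE): reload the former active unit so
! it boots the new image too, then confirm both units run the same version.
failover reload-standby
show failover
show version
```

Leaving the old image as the second `boot system` entry is what lets a unit that cannot load the new image fall back on its own, which is the safeguard the original poster was looking for instead of deleting the old file; once both units show the new version in `show version`, the old entry and file can be removed.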


Very much appreciated, thank you sir!
