03-12-2012 10:53 AM - edited 03-11-2019 03:41 PM
Hello Everyone,
We are currently on 8.0(4) and planning on upgrading our failover pair to 8.4.2. I read some documents saying that we can perform a zero downtime upgrade.
According to the below documents, Version 8.2 supports mismatched memory failover:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536
https://supportforums.cisco.com/message/3549760#3549760//
Upgrade Path:
Active Firewall: Standby Firewall:
8.0(4) 8.0(4)-->8.2.2
8.0(4) Upgrade RAM-2G---Reload
failover to standby 8.2.2
8.0(4)--->8.2.2 8.2.2
Upgrade RAM-2G-reload 8.2.2----Fail over
8.2.2--Active 8.2.2--Standby
8.2.2 8.3.1
8.2.2 8.4.2
Failover to standby 8.4.2
8.2.2--Standby 8.4.2-----Active
Can I perform a zero downtime upgrade with the above upgrade path? Will both the firewalls act as a failover pair if one is on 8.2.2 and the other is on 8.4.2?
"Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support." (http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/admin_swconfig.html)
03-14-2012 07:34 AM
You can do it in a lot fewer steps.
1. Upgrade RAM on standby, reload and make it active.
2. Repeat process for newly standby unit.
Now you have 2 units still on 8.0(4) with requisite RAM for 8.3+. TAC will recommend you go up in "baby steps" but the software will work upgrading directly from 8.0 to 8.4. 8.4(3) is the current version for the 5520 platform. At most conservative, I might upgrade to 8.2(4) as an interim but it's not strictly necessary. So my next step would be:
3. Upgrade standby unit from 8.0(4) to 8.4(3). At this point take stock of the script syntax changes. Examine the upgrade log (on disk0:) and address any discrepancies.
Note active/standby failover will work here but should not be run this way for any extended time as syntax changes would affect the ability to synchronize if changes are introduced on the active member.
Finally:
4. Flip upgraded standby unit to active and upgrade remaining standby unit to 8.4(3).
If you follow these steps and check your work after each step, this would all be zero downtime.
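A check that can be run after each step of the procedure above, added here as an example and not part of the original thread: it parses `show failover` output and applies the major/minor version rule quoted in the question. The sample output is constructed and abridged, and the function names are assumptions.

```python
import re

# Constructed, abridged sample of ASA "show failover" output taken mid-upgrade.
SAMPLE = """\
Failover On
Failover unit Primary
Version: Ours 8.0(4), Mate 8.4(3)
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

def parse_version(text):
    """Turn '8.0(4)' or '8.4.2' into a tuple of ints, e.g. (8, 0, 4)."""
    nums = re.findall(r"\d+", text)
    if len(nums) < 2:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(n) for n in nums)

def assess(show_failover):
    """Return (status, notes) for one unit's 'show failover' output."""
    ver = re.search(r"Version:\s*Ours\s+(\S+?),\s*Mate\s+(\S+)", show_failover)
    this = re.search(r"This host:\s*\w+\s*-\s*(.+)", show_failover)
    other = re.search(r"Other host:\s*\w+\s*-\s*(.+)", show_failover)
    if not (ver and this and other):
        raise ValueError("missing Version / This host / Other host lines")
    ours, mate = parse_version(ver.group(1)), parse_version(ver.group(2))
    states = (this.group(1).strip(), other.group(1).strip())
    notes = []
    # One Active and one Standby Ready unit are required before any switchover.
    if sorted(states) != ["Active", "Standby Ready"]:
        notes.append(f"pair not healthy: states are {states}")
        return "stop", notes
    if ours[:2] != mate[:2]:
        # Major/minor mismatch: tolerated during the upgrade, not as a steady state.
        notes.append("mixed major.minor: make no config changes on the active unit")
        return "upgrade-in-progress", notes
    if ours != mate:
        notes.append("maintenance versions differ")
    return "in-sync", notes
```

A result of `stop` means the standby is not ready, so failing over at that point would not be zero downtime.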
03-14-2012 01:49 PM
Thanks for your reply, Marvin. I read in the release notes that 8.0(4) doesn't support mismatched memory failover; that's why we are planning on going to 8.2.2 before the RAM upgrade.
09-20-2014 04:48 AM
Hi Siddhartham,
Can you please advise on the below?
8.2.2--Standby 8.4.2-----Active
Will both the firewalls act as a failover pair if one is on 8.2.2 and the other is on 8.4.2?
Thanks
05-13-2013 04:43 AM
When you say zero-downtime upgrade, are you considering the configuration (NAT and access-list) syntax changes in post-8.3 versions, or are you just considering the software upgrade?
Thanks
05-13-2013 03:13 PM
Hi Anand, we were done with the upgrade and were able to do the zero time upgrade.
In my above post, I was asking just about the software because we already tested the NAT and access list conversions in the lab.