05-01-2019 08:17 AM
Hi all,
We need your suggestions on the best practices for upgrading the software of a Cisco ASA failover pair with zero downtime.
Option 1: 9.1.(7)23-->9.2.(4)33-->9.3(3)-->9.4(4)34
Option 2: 9.1.(7)23-->9.4(4)34 (is it possible to upgrade with zero downtime?)
05-01-2019 09:10 AM
Looking at the release notes for your desired version -
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
From 9.1(2+) you can upgrade directly so option 2 looks feasible.
A failover pair can indeed be upgraded without downtime.
Depending on whether you are running active/active or active/failover, the procedure may be slightly different in terms of steps, but the overall theme is the same. The following document should give you everything you need -
05-01-2019 06:24 PM
Hi Grant3779,
I saw these documents before, but I am confused.
I have a pair of ASA 5585-X in an active-standby failover config.
Currently they are running software version 9.1.7.
I'm looking to upgrade to 9.4.4. From the release notes I understand that in order to perform a "zero downtime" upgrade I need to upgrade from the last minor release in a major release to the next major release.
Based on this, is this correct?
The upgrade path should be: 9.1.7>9.2>9.3>9.4
I know we can upgrade directly from 9.1.7 to 9.4.4, but is it possible to perform a "zero downtime" upgrade?
Don't we need to upgrade from the last minor release to the next major release?
05-01-2019 07:48 PM
No, you don't need to upgrade from last minor release to the next major release.
The release notes do recommend this; but I have successfully upgraded hundreds of ASAs without doing so.
05-05-2019 10:47 PM - edited 05-05-2019 10:49 PM
Hi Marvin,
You mean I can upgrade directly from 9.1 to 9.4 and achieve zero downtime?
I can't find any official document on the Cisco web site to verify this option. Do you have any document to verify this?
I need to verify this because the customer's service can't be interrupted at all.
05-06-2019 02:06 AM
As long as you are running at least 9.1(3) you can upgrade directly from 9.1 to 9.4 with zero down-time.
Please see the release notes for 9.4:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#ID-2152-0000000a
Then follow this process:
Personally I'd recommend going to the latest 9.8 interim release (currently 9.8(3)29) or even 9.8.4 since 9.4 is getting pretty old and will be end of support well before 9.8.