02-25-2018 10:24 AM - edited 02-21-2020 07:26 AM
There are several questions on these support forums regarding upgrade paths. This link has been shared a lot. I have read it, but I still have a question/concern.
We have an active/standby failover pair of 5525-X ASAs currently running 9.4(4)16. Typically the way I have zero-downtime upgraded them is to put the new code on both and set it to boot from it, then reboot the standby so it comes up with the new version. Then make the standby active, and reboot the formerly-active one.
I read long ago that a running pair should always be within 0.1 versions of each other (notwithstanding the 8.4-to-9.0 upgrade). Is that not true anymore? The link above indicates 9.4 can be upgraded directly to 9.9. That means that the standby can be running 9.9 while the active is running 9.4 for a time and still retain stateful failover?
02-25-2018 12:06 PM
I have always only done it in stateful, not stateless mode. Just to be clear, by "stateful," I mean that when failover occurs it maintains the state of the TCP, UDP, ESP, etc sessions that are in place without disruption. My question is whether or not I can do that while upgrading directly from 9.4 to 9.9. I would love to be pointed to some official Cisco documentation that addresses that exact question, if such a document exists.
For the record, here is my failover configuration:
failover
failover lan unit primary
failover lan interface fo GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover key *****
failover replication http
failover link fo GigabitEthernet0/7
failover interface ip fo 1.1.1.245 255.255.255.252 standby 1.1.1.246
01-07-2019 06:19 AM
Hi
May I know if you still achieved a zero-downtime upgrade (TCP sessions not dropped) when you upgraded from 9.4 directly to 9.9? I'm planning to upgrade from 9.6(4)8 to 9.9.2 directly.
01-07-2019 06:58 AM
I never did. We're still at 9.4.x and I've just been doing the incremental security updates. It's still a “suggested release” on Cisco's ASA software page.
01-07-2019 06:28 AM - edited 01-07-2019 06:40 AM
You can upgrade from 9.4.x to 9.9.x:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html
Yes, your config is correct.

failover
failover lan unit primary
failover lan interface fo GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover key *****
failover replication http
failover link fo GigabitEthernet0/7
failover interface ip fo 1.1.1.245 255.255.255.252 standby 1.1.1.246

Also make sure your secondary box (the other ASA) has the following config:

failover
failover lan unit secondary
failover lan interface fo GigabitEthernet0/7
failover polltime unit 1 holdtime 5
failover key *****
failover replication http
failover link fo GigabitEthernet0/7
failover interface ip fo 1.1.1.245 255.255.255.252 standby 1.1.1.246

Also bear in mind that if you have sub-interfaces on these firewalls, you have to add them for monitoring purposes:

monitor-interface gigx.xxx

Having said that, normal interfaces (the ones that do not have a sub-interface) are automatically added as monitored interfaces. Then it depends on which interfaces you want to monitor for failover.
01-07-2019 06:40 AM
I know my configuration is correct--I wasn't asking for clarification on that. I was asking if anybody knows if you can upgrade from 9.4.4 to 9.9.x, which apparently nobody does.
01-07-2019 06:42 AM
Here is the Cisco upgrade path recommendation. It seems you can easily do an upgrade to the new version:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html
01-07-2019 06:52 AM - edited 01-07-2019 06:57 AM
Here is an official upgrade guide:
To summarize, the upgrade for a failover ASA is straightforward:
- Copy the new image to the active and standby devices.
- Change the boot config to boot using the new image.
- Reload the standby with the new image.
- When it has reloaded, force a failover from the active to the newly reloaded standby.
- Reload the old active with the new software.
- Force back the active role if you want.
During this process, when you reload the standby firewall with the new image, it will come online and tell you its version does not match the peer ASA's.
This is explained in the previous thread.
The link you shared I have used in the past. It is very accurate; you can follow the same process. There will be no downtime to your network.
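As an added example (not part of any reply in this thread, and not Cisco's own documentation), here is the sequence above as typed on the ASA CLI for a 5525-X active/standby pair going from 9.4(4)16 to 9.9(2). The TFTP server address 192.0.2.10, the image filename asa992-smp-k8.bin and the existing 9.4 boot entry asa944-16-smp-k8.bin are assumptions for illustration; confirm them with "show boot" and with the image name the 9.9 release notes give for your platform before running anything.

```text
! Added example: annotated ASA CLI transcript of a zero-downtime failover
! upgrade. Assumed values: TFTP server 192.0.2.10, new image asa992-smp-k8.bin,
! existing boot entry asa944-16-smp-k8.bin. Check them on your own boxes first.

! 1. Stage the image on both units. Run on the ACTIVE unit; the "failover exec
!    mate" form runs the same copy on the standby over the failover link.
copy /noconfirm tftp://192.0.2.10/asa992-smp-k8.bin disk0:/asa992-smp-k8.bin
failover exec mate copy /noconfirm tftp://192.0.2.10/asa992-smp-k8.bin disk0:/asa992-smp-k8.bin
! Check the image hash on both units against the value published for the image.
verify /md5 disk0:/asa992-smp-k8.bin
failover exec mate verify /md5 disk0:/asa992-smp-k8.bin

! 2. Point the boot variable at the new image. The config is replicated to the
!    standby, so this is done once, on the active unit.
show boot
configure terminal
 no boot system disk0:/asa944-16-smp-k8.bin
 boot system disk0:/asa992-smp-k8.bin
end
write memory

! 3. Reload the standby so it comes up on 9.9. The active unit keeps passing
!    traffic. After the reload, "show failover" reports the version mismatch
!    (Ours / Mate); wait until the mate is in the Standby Ready state.
failover reload-standby
show failover

! 4. Fail over to the upgraded unit. Run on the current (9.4) active unit;
!    existing connections are carried across by stateful failover.
no failover active

! 5. On the NEW active unit (9.9), reload the old active so it boots 9.9 too.
failover reload-standby
show failover

! 6. Optional: give the active role back to the primary unit. Run on the
!    primary, which is now standby.
failover active
```

The "show failover" checks between steps are the part worth not skipping: the thread's concern is the window in which the two units run different versions, and that command is where the unit tells you both that the versions differ and whether the mate has actually reached Standby Ready before you fail over to it.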
01-07-2019 07:00 AM - edited 01-07-2019 07:03 AM
Here is the link:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html
You can go from 9.6 to 9.9.
01-07-2019 07:05 AM
My personal frustration is that there is no single document that indicates both a zero-downtime upgrade AND version-specific info in regards to 9.x upgrades beyond a "point one" version. The one you sent a few times indicates one can upgrade from 9.4 to 9.9 (as well as a whole bunch of other options in the grid), but it does not indicate zero downtime during that upgrade. Anyway, I'll eventually just have to bite the bullet when Cisco discontinues support for 9.4.x, but until then, I'm in no rush. I wish I had a spare failover pair, but we don't have that luxury (I do have spare 5510 ASAs, but those won't run anything newer than 9.1).
01-07-2019 07:11 AM
I have some spare 5516-X boxes; I shall check and let you know if there is a jump available from 9.4 to 9.9.
01-08-2019 09:07 AM
Hi, I did set up a test lab failover pair on 2x 5516-X and upgraded from version 9.6 to 9.9. It was a successful upgrade.