I have a customer who wants to upgraded the ASA to 8.4.7(15) they are currently running 8.2.5(41), The customer wants to run the 8.4.7(15) code for a few days before rebooting the 8.2.5(41) ASA to get the upgrade, has anybody had any issues with running different versions of the OS for a few days.
You are planning to run one unit on 8.4.7(15) and other on 8.2.5(41) with failover enabled? It will not work. Please see below from Cisco on software requirement for failover..
The two units in a failover configuration must be in the operational modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version, but you can use different versions of the software within an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend that you upgrade both units to the same version to ensure long-term compatibility.
You can have to different versions, see syslog messages below, I know if you run 8.2 and 8.4 you get the 103007 message, and it could lead to stability issues. So I was checking to see if anybody has run these 2 versions for a couple days and if they saw any issues. I know it's not ideal but they would like to do it.
Error Message %PIX|ASA-1-103006: (Primary|Secondary) Mate version ver_num is not
compatible with ours ver_num
Explanation This message appears when PIX firewall detects peer unit is running a version that is not the same as local unit and also is not compatible with HA Hitless Upgrade feature.
Recommended Action Install same or compatible versions image on both firewall units.
Error Message %PIX|ASA-1-103007: (Primary|Secondary) Mate version ver_num is not
identical with ours ver_num
Explanation This message appears when PIX firewall detects peer unit is running a version that is not identical but does support Hitless Upgrade and is compatible with local unit. The system performance could be degraded due to the image version not being equal and could encounter a stability issue if running for extended period.
Recommended Action Install same version image on both units as soon as possible
Understood. I never ran two diff versions with failover for long time. However, Marvin provided great insight on your query. Thanks for the update.
You can run mismatched versions during an upgrade. Cisco recommends against doing it for very long because it can introduce operational issues if you start to modify your config to use a feature or syntax on the active unit that's not supported on the standby.
The problem is in the situation of 8.2 > 8.4 you are by definition modifying the configuration since the NAT and access-list syntax will all be modified by the active unit parser when it reads the 8.2-based startup-config. If a failover event were to occur, the standby unit (still on 8.2) would not have an operable running-config that the 8.2 ASA software would understand completely.
They should just upgrade both and make sure you have a current backup of the 8.2 configuration before starting (including plaintext preshared keys if any are in use). If the upgrade causes issues then revert via a downgrade.
One other option is to break the HA pair before starting and have the standby unit with the unchanged 8.2 configuration ready to be put into service manually if needed.