cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2022
Views
0
Helpful
6
Replies

ASA Failover upgrade running 8.2.5 and 8.4.7

Patrick Weir
Level 1
Level 1

I have a customer who wants to  upgraded the ASA to 8.4.7(15) they are currently running 8.2.5(41),   The customer wants to run the 8.4.7(15) code for a few days before rebooting the 8.2.5(41) ASA to get the upgrade, has anybody had any issues with running different versions of the OS for a few days.

 

Thanks

6 Replies 6

mvsheik123
Level 7
Level 7

Hi,

You are planning to run one unit on 8.4.7(15) and other on 8.2.5(41) with failover enabled? It will not work. Please see below from Cisco on software requirement for failover..

Software Requirement

The two units in a failover configuration must be in the operational modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version, but you can use different versions of the software within an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend that you upgrade both units to the same version to ensure long-term compatibility.

 

hth

MS

You can have to different versions, see syslog messages below, I know if you run 8.2 and 8.4 you get the 103007 message, and it could lead to stability issues.  So I was checking to see if anybody has run these 2 versions for a couple days and if they saw any issues.  I know it's not ideal but they would like to do it.

Error Message    %PIX|ASA-1-103006: (Primary|Secondary) Mate version ver_num is not 

compatible with ours ver_num

 

Explanation This message appears when PIX firewall detects peer unit is running a version that is not the same as local unit and also is not compatible with HA Hitless Upgrade feature. 

 

•ver_num—Version number 

 

Recommended Action Install same or compatible versions image on both firewall units. 

 

103007 

Error Message    %PIX|ASA-1-103007: (Primary|Secondary) Mate version ver_num is not 

identical with ours ver_num

 

Explanation This message appears when PIX firewall detects peer unit is running a version that is not identical but does support Hitless Upgrade and is compatible with local unit. The system performance could be degraded due to the image version not being equal and could encounter a stability issue if running for extended period. 

 

•ver_num—Version number 

 

Recommended Action Install same version image on both units as soon as possible

 

Understood. I never ran two diff versions with failover for long time. However, Marvin provided great insight on your query. Thanks for the update.

 

Thx

MS

Thanks guys for the help, we where able to run them with different versions for a few days until they were good with there tests. 

Marvin Rhoads
Hall of Fame
Hall of Fame

You can run mismatched versions during an upgrade. Cisco recommends against doing it for very long because it can introduce operational issues if you start to modify your config to use a feature or syntax on the active unit that's not supported on the standby.

The problem is in the situation of 8.2 > 8.4 you are by definition modifying the configuration since the NAT and access-list syntax will all be modified by the active unit parser when it reads the 8.2-based startup-config. If a failover event were to occur, the standby unit (still on 8.2) would not have an operable running-config that the 8.2 ASA software would understand completely.

They should just upgrade both and make sure you have a current backup of the 8.2 configuration before starting (including plaintext preshared keys if any are in use). If the upgrade causes issues then revert via a downgrade.

One other option is to break the HA pair before starting and have the standby unit with the unchanged 8.2 configuration ready to be put into service manually if needed.

Thanks Marvin, yeah we are planning no changes during this time.

Review Cisco Networking for a $25 gift card