
ASA HA with Firepower services upgrade - run with different versions for 24 hour period

evan.chadwick1
Level 1

Hi Folks, 

I wanted to upgrade ASA running Firepower Services.
I had the idea to only upgrade one ASA/Firepower Services and monitor for 24 hours, then upgrade the second ASA/Firepower Services.

Is it possible to operate like this for a short period?

FMC will be upgraded from 6.0.1.2 to 6.1.3

Fail over from Primary ASA to Secondary ASA, and upgrade from 6.0.1.2 to 6.1.3

After upgrade fail back to Primary ASA now running 6.1.3. Monitor for 24 hours

ASA/Firepower Services Primary upgraded to 6.1.3

ASA/Firepower Services Secondary stay on 6.0.1.2 - for 24 hours in case rollback required.
After 24 hours

Upgrade ASA/Firepower Services Secondary to 6.1.3

 

Regards, 

 


Accepted Solutions

Then yes, you can run them at different code levels for 24 hours without an issue.


9 Replies

Philip D'Ath
VIP Alumni

I would upgrade both the ASA first, and keep them at the same level.

 

Then separately do the Firepowers, and you can run them at different levels for 24 hours.

I'm not planning to upgrade the ASA code, I'm only focusing on upgrading the Firepower module.

 

Then yes, you can run them at different code levels for 24 hours without an issue.

Thanks. 
Was thinking to issue the 'no monitor-interface service-module' as well in order to safeguard against unwanted failover of the ASAs.

 

 

Just remember if you do that and Firepower really does fail then the ASA may stop forwarding traffic ...

yeah. 

I have SFR-FailOpen applied :)

Philip D'Ath
VIP Alumni
P.S. I would jump directly to the 6.2 train of Firepower.

I can't jump straight as I'm coming from 6.0.1.2

The FMC running 6.2.2 only supports 6.1 and up.

So I plan to get to 6.1.3, then keep going one more time to 6.2.x (most stable version)

I would scratch the module upgrade procedure. I would upgrade the FMC, and then re-image the modules and re-deploy the policy.

Re-imaging always works. Upgrading - well it can be a bit hit and miss.
