Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
795
Views
0
Helpful
2
Replies

ASA hardware upgrade without downtime?

phildoyle1
Level 1
Level 1

‎07-08-2015 08:51 AM - edited ‎03-11-2019 11:14 PM

Hi,

 

I wonder if anybody can help?

I have 2 ASA 5580s in a failover configuration.  I would like to install a 10Gb PCI card in both units as part of a network upgrade.

Can this be done without downtime by doing 1 device at a time and using failover to keep the service up?   I see this as being similar to how you do the IOS upgrades with zero downtime.  I have searched the Cisco website and cannot find anything referring to instaling the cards in ASAs in a failover cofiguration.

Also, I read somewhere that if the data interfaces are runnnig at 10Gb then the dedicated stateful failover connection should also run at 10Gb.  Can you confirm?

Regards,

Phil

 

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-08-2015 10:22 AM

That one is a bit tricky.

The problem I see is that if you shutdown the standby unit and install the card, when you bring it back up online the primary unit will see the inventory has changed and should thus not allow the mate to rejoin the failover pair.

I would recommend just scheduling a maintenance window and shutting down both units, installing the cards and bringing the pair back online. You should be able to do that in a matter of 5-10 minutes but I'd get a 1 hour window just in case if I were doing it.

Re the failover connection, a "dedicated 1GE link is sufficient for up to ~300K conn/sec" (quoted from BRKSEC-3021 Cisco Live presentation).

 

0 Helpful

joseoroz
Cisco Employee
Cisco Employee

‎07-14-2015 12:03 PM

Hello Phil,

1.-I second Marvin that the maintenance window is the best way to go. There is no possible way to do a real zero downtime upgrade like you do with the software update. What I have done on this situations is disable the failover and use them as stand alone units and swap the cables around but there is a downtime when you change the cables from one unit to the other. 

 

2.-This is the documentation that you are referring to:

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for the ASAs:

Cisco ASA 5510

Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

Cisco ASA 5520/5540/5550

Stateful link speed should match the fastest data link.

Cisco ASA 5580/5585

Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for Stateful Failover.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ha_overview.html#wp1077627

Regards,

Jose Orozco.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card