Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
3
Helpful
6
Replies

ASA pair 'Zero Downtime Upgrades for Failover Pairs' did not work for 7.2(1

zhichao
Level 1
Level 1

‎07-17-2006 02:59 AM - edited ‎02-21-2020 01:03 AM

Hi

We tried to upgrade two ASA from version 7.1(2) to 7.2(1).

We followed the docu 'http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398'

However after reloaded the backup ASA to run new image.

After bootup, this backup ASA's failover is automatically disabled:

asa# show failover

Failover Off (pseudo-Standby)

Failover unit Primary

Failover LAN Interface: Failover Management0/0 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 4 of 250 maximum

asa#

The active ASA shows:

Monitored Interfaces 8 of 250 maximum

Version: Ours 7.1(2), Mate 7.2(1)

Last Failover at: 13:19:08 SGT Jul 17 2006

This host: Secondary - Active

Active time: 521867 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)

Interface outside (203.127.164.50): Normal (Waiting)

Interface inside (10.217.213.190): Normal (Waiting)

Interface DMZ1 (203.127.164.1): Normal (Waiting)

Interface DMZ2 (203.127.164.129): Normal (Waiting)

slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(1p1)S205.0) status (Up/Up)

IPS, 5.1(1p1)S205.0, Up

Other host: Primary - Failed

Active time: 0 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.2(1)) status (Up Sys)

Interface outside (203.127.164.62): Unknown

Interface inside (10.217.213.185): Unknown

Interface DMZ1 (203.127.164.30): Unknown

Interface DMZ2 (203.127.164.254): Unknown

slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(1p1)S205.0) status (Up/Up)

IPS, 5.1(1p1)S205.0, Up

According to the docu, the backup ASA should go into standby-ready state, but it did not! Any clue?!!!

Thanks in advance!

0 Helpful
6 Replies 6

carenas123
Level 5
Level 5

‎07-21-2006 06:16 AM

Check the Failover configuration after upgrading is there or not.

0 Helpful

slaurin
Level 1
Level 1
In response to carenas123

‎07-21-2006 07:25 AM

Hi,

As stated in that document, "the two units in a failover configuration must have the same major (first number) and minor (second number) software version." So you're only half through your upgrade procedure, it is expected that failover won't resume until your versions are in sync (or at list major.minor match). Also make sure that your primary appliance is still configured to failover since the "pseudo-standby" state can be the result of a "no failover" replication.

Hope this helps; if it does please rate,

Regards

Simon Laurin

zhichao
Level 1
Level 1
In response to slaurin

‎07-21-2006 05:45 PM

Hi

However in the docu, http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398

It means the new version V7, can support two firewalls running with different versions during upgrading. And this is why it is called 'zero downtime' upgrading.

The pair were configured with 'failover' and working fine. It became 'pseudo-standby" only after rebooting with the new firmware.

It seems the 'zero downtime' upgrading did not work.

Has anyone tested it?

Thanks

0 Helpful

matt.walls
Level 1
Level 1

‎07-22-2006 03:28 AM

failover configuration must have the same major (first number) AND minor (second number) software version. your situation has different minor numbers.

also, you can only install different versions on the failover units if they are contiguous releases

0 Helpful

zhichao
Level 1
Level 1
In response to matt.walls

‎07-22-2006 07:24 AM

thanks

Can you take a look at: http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398

It says the version 7 got this feature called 'zero downtime' upgrading.

Unless the docu is wrong?

0 Helpful

Fernando_Meza
Level 7
Level 7
In response to zhichao

‎07-23-2006 02:22 AM

Hi .. I have had a look at this doco and it clearly states

Performing Zero Downtime Upgrades for Failover Pairs

The two units in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.

Note In Active/Active environments, make sure the pair is not oversubscribed with more than a 50% load on each pair member.

You can only install different versions on the failover units if they are contiguous releases, for example 7.0(1) and 7.0(2). You cannot upgrade one unit to 7.0(3) while the other unit is still 7.0(1).

... it sounds to me like the 'Zero downtime' only applies to upgrading to a CONTIGUOUS release which is not the case in your scenario. You really need to get them both to the latest version .. causing a brief downtime during the process ..

I hope it helps .. !!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card