ASA Update to 9.9

sokhunov
Level 1

Hi,

Currently my ASA pair (active/standby) is running version 9.1(2). I want to update them to 9.9 with no downtime.

My question is: can I update directly from 9.1(2) to 9.9 with no downtime? If not, can you explain to me how I should properly update?


Accepted Solutions

Francesco Molino
VIP Alumni

Hi

First, regarding the ASA upgrade path, you can go from your version directly to 9.9.

Take a look for validation:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html#ID-2152-0000000a

Here is an official upgrade guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

To summarize, the upgrade for failover ASA is straightforward:

- copy new image to active and standby devices.

- change the boot config to boot using new image.

- reload standby with the new image.

- when reloaded, force a failover from active to new reloaded standby.

- reload old active with new software.

- force back active role if you want.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you. Yesterday I successfully updated to version 9.9(2).

However, after the update our branch office lost connectivity to the internet through s2s.

The branch can still access the HQ internal network but not the internet.

Please help me to solve the problem.

Can you share your config please? Branch and HQ?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco,

I found the problem.

I had a NAT rule like this:

nat (NETWORK1,outside) source static any any destination static NETWORK_OBJ_172.16.48.0_27 NETWORK_OBJ_172.16.48.0_27

subnet 172.16.48.0 255.255.255.0

nat (outside,outside) dynamic interface

And it had been working before the update. After some debugging I found that the ASA was trying to NAT traffic from 172.16.48.0 to the NETWORK1 interface.

I changed "source static any any" to "source static NTW_1 NTW_1" and now it's working.

Anyway, thanks for the support.

OK, glad you solved your issue. I was quite sure the issue was a NAT statement; that's why I asked for the config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @sokhunov

Can you confirm that, aside from the config change that you encountered, the upgrade from 9.1(2) directly to 9.9(2) really has no downtime? Meaning all the stateful TCP/UDP sessions also failed over?

Hi,

I don't remember whether the stateful connections failed over or not, but I didn't have any system disruption.

Hi sokhunov

All right, glad to hear that you did not encounter any system disruption while upgrading directly from 9.1(2) to 9.9.

Thanks