Solved: Re: ASA Update to 9.9

sokhunov · ‎05-25-2018

Hi,

Currently my ASA pair(active/standby) running 9.1(2) version. I want to update them to 9.9 with no downtime.

My question is: can i update directly from 9.1(2) to 9.9 with no downtime ? If no, can you explain me how properly should i update.

Francesco Molino · ‎05-25-2018

Hi

First regarding asa path upgrade, you can go from your version directly to 9.9.

Take a look for validation:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html#ID-2152-0000000a

Here an official upgrade guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

To summarize, upgrade for failover asa is straight forward:

- copy new image to active and standby devices.

- change the boot config to boot using new image.

- reload standby with the new image.

- when reloaded, force a failover from active to new reloaded standby.

- reload old active with new software.

- force back active role if you want.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎05-25-2018

Hi

First regarding asa path upgrade, you can go from your version directly to 9.9.

Take a look for validation:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html#ID-2152-0000000a

Here an official upgrade guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

To summarize, upgrade for failover asa is straight forward:

- copy new image to active and standby devices.

- change the boot config to boot using new image.

- reload standby with the new image.

- when reloaded, force a failover from active to new reloaded standby.

- reload old active with new software.

- force back active role if you want.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

sokhunov · ‎05-28-2018

Hi Francesco,

Thank you. Yesterday i successfully updated to 9.9(2) version.

However, after update our branch office lost connectivity to internet through s2s.

The branch still access to HQ internal network but not to internet.

Please help me to solve the problem.

Francesco Molino · ‎05-28-2018

Can you share your config please? Branch and HQ?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

sokhunov · ‎05-28-2018

Francesco,

I found the problem.

I had NAT rule like this:

nat (NETWORK1,outside) source static any any destination static NETWORK_OBJ_172.16.48.0_27 NETWORK_OBJ_172.16.48.0_27

subnet 172.16.48.0 255.255.255.0

nat(outside,outside) dynamic interface

And its had been working before update. After some debugging i found that ASA trying to NAT traffic from 172.16.48.0 to NETWORK1 interface.

I changed "source static any any" to "source static NTW_1 NTW_1" and now its working.

Anyway thanks for support.

Francesco Molino · ‎05-28-2018

Ok glad you solved your issue. It was quite sure the issue was nat statement that's why I asked for the config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

drlbaluyut · ‎01-07-2019

Hi @sokhunov

Can you confirm that aside from the config change that you encounter, upgrade from 9.1(2) directly to 9.9(2) really has no downtime? Meaning all the stateful TCP/UDP sessions also failed over?

sokhunov · ‎01-07-2019

Hi,

I dont remember about stateful connections whether they failed over or not but i didnt have any system disruption.

drlbaluyut · ‎01-07-2019

Hi sokhunov

All right, glad to hear that you did not encounter any system disruption while upgrading directly from 9.1(2) to 9.9

Thanks