Solved: ASA Upgrade Failover Pair - IP Addressing

Matthew Martin · ‎08-17-2023

Hello All,

Two - ASA 5525-X's
Current Version: 9.4(4)20
Upgrade Version: 9.14.4

I got the zero downtime upgrade steps from here: https://community.cisco.com/t5/network-security/asa-zero-downtime-upgrade/td-p/2154357

One thing I'm nervous about is the IP Addressing. When the units are failed over, does the Standby unit that will become the Primary unit receive the current Primary's IP Addresses?

We don't currently have an IP Address on the outside interface of the Standby unit. Our eCom site is hosted behind these Firewalls... So if we'd lose the ability to reach our website, that could be trouble...

Also, our core switch currently has a default route that points to the inside interface of the Primary ASA. As well as a couple of other static routes pointing to that interface, like the VPN client subnets, the DMZ subnet, website, etc...

Any thoughts would be greatly appreciated!

Thanks in Advance,
Matt

Marius Gunnerud · ‎08-17-2023

In a failover situation the standby device will inherit all active IP addresses from the primary unit. If you want an IP address on the standby unit you would need to configure the outside interface with a standby IP address. If you do not do this the standby unit will show as not having an IP address when it is not the active ASA. When a failover occurs, as mention earlier, the standby device inherits all the IP addresses and traffic continues to pass as normal.

It is a good practice to have standby IPs configured though as the ASAs use these also for checking if the other unit is alive in the case that the failover link is the link that has failed.

But as when performing all upgrades, it is strongly recommended that you have an up-to-date configuration backup before starting any upgrade just incase things do not go as planned. But from experience, I have very very seldom had any issues when upgrading ASAs.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎08-17-2023

In a failover situation the standby device will inherit all active IP addresses from the primary unit. If you want an IP address on the standby unit you would need to configure the outside interface with a standby IP address. If you do not do this the standby unit will show as not having an IP address when it is not the active ASA. When a failover occurs, as mention earlier, the standby device inherits all the IP addresses and traffic continues to pass as normal.

It is a good practice to have standby IPs configured though as the ASAs use these also for checking if the other unit is alive in the case that the failover link is the link that has failed.

But as when performing all upgrades, it is strongly recommended that you have an up-to-date configuration backup before starting any upgrade just incase things do not go as planned. But from experience, I have very very seldom had any issues when upgrading ASAs.

--
Please remember to select a correct answer and rate helpful posts

Matthew Martin · ‎08-18-2023

Hey Marius, thanks for the reply!

Ok great, that's what I was hoping.

Not sure if we have any spare public IP Addresses to use on that standby "outside" interface. If we do, I'll see about assigning one. But, otherwise it sounds like not having one on the standby outside interface, shouldn't affect the failover as the new primary will inherit those active IP addresses.

Thanks Again,
Matt

Marius Gunnerud · ‎08-20-2023

otherwise it sounds like not having one on the standby outside interface, shouldn't affect the failover as the new primary will inherit those active IP addresses.

You are correct, not having a standby IP will not affect failover.

Thanks for selecting a correct answer!

--
Please remember to select a correct answer and rate helpful posts

Matthew Martin · ‎08-22-2023

Hey Marius, one more question for you.

The folks above me are nervous about the upgrade since our eCom site runs behind this and they want to phase this upgrade out over a few days.... This is kind of the plan they came up with, is this viable?

Basically, Tuesday night (*tonight) is just verifying that Failover works from one ASA to the other. Since it's been a long time since the ASAs were failed-over.

Tuesday:
After Business Hours:
- Failover to Standby ASA.
- Fail back after verifying successful failover and that website is reachable.
Wednesday:
During Business Hours:
- Upgrade the Standby ASA.
After Business Hours:
- Failover to the upgraded Standby ASA
Thursday:
During Business Hours (*run for the day on the upgraded ASA):
- Upgrade the Standby ASA (*the former Primary ASA)
OPTIONAL: After Business Hours:
- Fail over again. (*this step would make it so the normal Primary ASA will be the Primary again)

Thanks in Advance,
Matt

Matthew Martin · ‎08-23-2023

Just an update. Did the Failover test last night and it ran perfectly.

Today I uploaded 9.14 to both ASA's, updated the boot variable and then reloaded the Standby which is now running 9.14.

Tonight we will failover to the new version, we'll run the rest of the night and tomorrow on the new version to make sure no issues come up. After we confirm everything is good. Tomorrow night I'll reload the original Primary. The one still running the old code, to complete the upgrade.

So far so good...