ASA Upgrade Path

Jeffrey Pouzar
Level 1

I'm planning a firewall upgrade to two ASA5555-x appliances in HA failover from 9.4(4)5 to 9.6(3)1. Traditionally, a direct upgrade like this would break zero downtime functionality, as you were required to upgrade between adjacent releases when changing minor release numbers (example = 9.4 > 9.5 > 9.6).

I read through the release notes for 9.6 several times, and they do not indicate this is a requirement anymore. TAC actually told me I could upgrade directly without impact to the environment (zero downtime upgrade). But I'm not so sure.

Can you upgrade directly from 9.4.x to 9.6.x and maintain zero downtime upgrade functionality or not?

This seems like a totally rudimentary question but I have to have some peace of mind before I proceed. Can anyone answer this question for me? Thanks in advance.

4 Replies

Rich Uline
Level 1

Jeffrey,

 TAC actually told me I could upgrade directly without impact to the environment (zero downtime upgrade).

Cisco TAC will know better than anyone here.

Rahul Govindan
VIP Alumni
Yes you can upgrade from 9.4 to 9.6 directly without downtime if you have a High availability pair. Only if you have a version below 9.1(2), would you need to have another hop for your upgrade. The upgrade path is mentioned in the release notes below:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/release/notes/asarn96.html#ID-2152-0000000a

Hi Guys,

I need your suggestion for upgrading a Cisco ASA 5515 firewall from IOS 9.4(4)36 to the latest version.
Please suggest the upgrade path.

Thanks in advance.

Sankar

Yes you can perform zero-downtime upgrades in failover pairs.

The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. In order to ensure long-term compatibility and stability, Cisco recommends that you upgrade both units to the same version as soon as possible.
There are 3 types of upgrades available. They are as follows:
1. Maintenance Release—You can upgrade from any maintenance release to any other maintenance release within a minor release. For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.
2. Minor Release—You can upgrade from a minor release to the next minor release. You cannot skip a minor release. For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1
3. Major Release—You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

Upgrade an Active/Standby Failover Configuration
Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
1. Download the new software to both units, and specify the new image to load with the boot system command.
Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
2. Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
   active#failover reload-standby
3. When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
   active#no failover active
Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
4. Reload the former active unit (now the new standby unit) by entering the reload command:
   newstandby#reload
5. When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
   newstandby#failover active
This completes the process of upgrading an Active/Standby Failover pair.

Upgrade an Active/Active Failover Configuration
Complete these steps in order to upgrade two units in an Active/Active failover configuration:
1. Download the new software to both units, and specify the new image to load with the boot system command.
Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
2. Make both failover groups active on the primary unit by entering the failover active command in the system execution space of the primary unit:
   primary#failover active
3. Reload the secondary unit to boot the new image by entering the failover reload-standby command in the system execution space of the primary unit:
   primary#failover reload-standby
4. When the secondary unit has finished reloading, and both failover groups are in the Standby Ready state on that unit, make both failover groups active on the secondary unit using the no failover active command in the system execution space of the primary unit:
   primary#no failover active
Note: Use the show failover command in order to verify that both failover groups are in the Standby Ready state on the secondary unit.
5. Make sure both failover groups are in the Standby Ready state on the primary unit, and then reload the primary unit using the reload command:
   primary#reload
6. If the failover groups are configured with the preempt command, they will automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with the preempt command, you can return them to active status on their designated units using the failover active group command.

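The `show failover` check from the Active/Standby procedure above, written as a gate that runs before `no failover active`; this is an added example, not part of any post in this thread or of Cisco's documentation. The sample output is constructed, its field layout may differ between releases, and the function names and the target-version argument are assumptions of this example.

```python
import re

# Constructed 'show failover' excerpt (not captured from a real device), taken
# mid-upgrade: the standby unit has already reloaded onto the new image.
SAMPLE = """\
Failover On
Failover unit Primary
Version: Ours 9.4(4)5, Mate 9.6(3)1
Last Failover at: 02:14:07 UTC Jan 1 2018
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

def parse_show_failover(text):
    """Extract failover status, both image versions and both unit states."""
    info = {"enabled": bool(re.search(r"^Failover On\s*$", text, re.M))}
    m = re.search(r"^Version: Ours (\S+), Mate (\S+)\s*$", text, re.M)
    info["ours"], info["mate"] = m.groups() if m else (None, None)
    for key, label in (("this_state", "This host"), ("other_state", "Other host")):
        m = re.search(rf"^\s*{label}: \w+ - (.+?)\s*$", text, re.M)
        info[key] = m.group(1) if m else None
    return info

def ready_to_fail_over(text, target_version):
    """Return (ok, reasons) for issuing 'no failover active' on the active unit."""
    info = parse_show_failover(text)
    reasons = []
    if not info["enabled"]:
        reasons.append("failover is not enabled")
    if info["this_state"] != "Active":
        reasons.append(f"this unit is {info['this_state']!r}, expected 'Active'")
    if info["other_state"] != "Standby Ready":
        reasons.append(f"peer is {info['other_state']!r}, expected 'Standby Ready'")
    if info["mate"] != target_version:
        # Peer reloaded but booted the old image: boot system was not updated.
        reasons.append(f"peer runs {info['mate']!r}, expected {target_version!r}")
    return (not reasons, reasons)

if __name__ == "__main__":
    ok, reasons = ready_to_fail_over(SAMPLE, "9.6(3)1")
    print("proceed with 'no failover active'" if ok else "HOLD: " + "; ".join(reasons))
```

A peer that is still in a state such as Sync Config, or that came back on the old image, makes the gate return the reasons instead of allowing the failover.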