Solved: Re: ASA zero downtime upgrade

Edwin Summers · ‎02-05-2013

I have a pair of ASA-5585-X in an active-standby failover configuration. Currently they are running software version 8.4.3. I'm looking to upgrade to 9.1.1. From the release notes I understand that in order to perform a "zero downtime" upgrade I need to upgrade from the last minor release in a major release to the next major release. Based on this, my understanding is that the upgrade would require three steps: Version 8.4.5, 9.0.1, 9.1.1. Is this correct?

Is it possible to upgrade directly from 8.4.3 to 9.1.1, and if so, what are the operational considerations of this upgrade? My reading of the release notes didn't indicate any special procedures that would need to be followed other than performing the upgrade steps. I assume there may be a period of service interruption, but I did not see any special requirements for performing a direct upgrade.

Any information on the perils of a direct upgrade are appreciated. Operational experience (such as "it set my network on fire and killed three kittens") greatly appreciated. Save the kittens!

Thanks, -Ed

Marvin Rhoads · ‎02-06-2013

You can do the upgrade directly from 8.4(3) to 9.1(1). Yes the release notes recommend going via 8.4(5) and 9.0(1) but that's not really necessary.

Standard procedure applies. In a nutshell:

load the image on both units' disk0:
change the boot variable
save the config with that change
from the active unit, "failover reload-standby"
wait for successful reload and verify configuration is synced OK. You should expect a message that mate software version is different.
"no failover active" on active unit
log into newly active unit and "failover reload-standby"
wait for succeful reload and verify configuration is synced OK. Both units are now on 9.1(1).

Optionally change your primary unit back to active if that bothers you. I like to delete the old image once things are looking OK after a couple of days. You should also update your ASDM image (and the variable pointing to it) while you're in there.

No kittens are harmed in this process.

View solution in original post

Marvin Rhoads · ‎02-06-2013

You can do the upgrade directly from 8.4(3) to 9.1(1). Yes the release notes recommend going via 8.4(5) and 9.0(1) but that's not really necessary.

Standard procedure applies. In a nutshell:

load the image on both units' disk0:
change the boot variable
save the config with that change
from the active unit, "failover reload-standby"
wait for successful reload and verify configuration is synced OK. You should expect a message that mate software version is different.
"no failover active" on active unit
log into newly active unit and "failover reload-standby"
wait for succeful reload and verify configuration is synced OK. Both units are now on 9.1(1).

Optionally change your primary unit back to active if that bothers you. I like to delete the old image once things are looking OK after a couple of days. You should also update your ASDM image (and the variable pointing to it) while you're in there.

No kittens are harmed in this process.

Edwin Summers · ‎02-06-2013

Appreciate the response! And also glad to see someone else that pays attention to proper system hygiene (removing old image after stabilization).

Best regards,

Ed

snimmaga · ‎05-01-2013

Good detail. A much simpler way to upgrade would be to use Cisco Security Manager which introduced "image upgrade" for ASA with its 4.3 release. Note that "no downtime upgrade" is supported for ASA failover pairs

Mukesh Kumar · ‎02-14-2015

Hello Marvin

Is there any way to upgrade from 8.2 to 9.1.5 with zero downtime?

Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services

Marvin Rhoads · ‎02-15-2015

As long as you have an HA pair, yes.

You have to do in in at least two separate upgrades - first go to ASA 8.4(6) and then 9.1(5) as noted in the Release Notes.

johnlloyd_13 · ‎02-16-2017

hi marvin,

i'm about to do an ASA HA pair zero downtime upgrade and your post is very insightful!

referring to the steps you gave (particular step #1), do you TFTP the image from active ASA to standby ASA using the command:

active# failover exec mate copy /noconfirm tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin

i was initially thinking to SSH to the internal IP of the standby ASA and issue the copy tftp command from there. is there any difference between the two approach? or you get same end result with any method?

refer to link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/upgrade/upgrade93.html#73860

Marvin Rhoads · ‎02-17-2017

John,

I prefer to copy the image from an external repository like my laptop.

I've never tried tftp FROM the active ASA as I don't think the ASA will act as a tftp (or http or ftp or scp) server. In fact I just tried one in the lab it it does not.

So - yes - ssh directly to the standby ASA and initiate a copy (I prefer ftp) from there. The source of the image should be a tftp (or ftp etc.) server.

johnlloyd_13 · ‎02-17-2017

marvin +5

In fact I just tried one in the lab it it does not

what do you mean by this? did you try the said command and it did NOT work?

active# failover exec mate copy /noconfirm tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin

Marvin Rhoads · ‎02-17-2017

John,

I tried to copy a file to a switch from an ASA using tftp.

I picked a small file I knew to be there (my profile.xml in this case).

The ASA did not respond to the tftp request initiated from the switch.

johnlloyd_13 · ‎02-19-2017

hi marvin,

The ASA did not respond to the tftp request initiated from the switch.

did you TFTP the image from the active ASA (not a switch or PC) to the standby ASA using the command failover exec command?

ACTIVE-ASA-FW# failover exec mate copy /noconfirm tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin

Marvin Rhoads · ‎02-19-2017

No. I don't believe that's a supported operation.

johnlloyd_13 · ‎02-19-2017

hi marvin,

i think i understand now the cisco doc and the said command.

Step 2 Copy the ASA software to the active unit flash memory:

copy tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name

Example:

active# copy tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin

For other methods than TFTP, see the copy command.

Step 3 Copy the software to the standby unit; be sure to specify the same path as for the active unit:

failover exec mate copy /noconfirm tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename

Example:

active# failover exec mate copy /noconfirm tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin

i believe both active and standby gets the image from a remote TFTP server. the command just allows executing commands from active asa without the need to jump or SSH to the standby asa.

ciscoasa/pri/act/admin# failover ?

exec Execute command on the designated unit
ciscoasa/pri/act/admin# failover exec ?

active Execute command on the active unit
mate Execute command on the peer unit
standby Execute command on the standby unit
ciscoasa/pri/act/admin# failover exec mate ?

LINE Command String

Marvin Rhoads · ‎02-19-2017

Correct - both the active and standby units are tftp clients only.

The tftp server is off on an external computer.

MILTON MENEGHINI · ‎10-28-2021

Marvin, do you think that if I follow those steps but skip the last 2 steps ( log into newly active unit and "failover reload-standby" and wait for succeful reload and verify configuration is synced OK. Both units are now on 9.1(1).), leaving the Active ASA in 9.1(1) and Standby ASA in 8.4(3) can generate problems with NAT flows, considering both units on?