02-05-2013 05:37 AM - edited 02-21-2020 04:49 AM
I have a pair of ASA-5585-X in an active-standby failover configuration. Currently they are running software version 8.4.3. I'm looking to upgrade to 9.1.1. From the release notes I understand that in order to perform a "zero downtime" upgrade I need to upgrade from the last minor release in a major release to the next major release. Based on this, my understanding is that the upgrade would require three steps: Version 8.4.5, 9.0.1, 9.1.1. Is this correct?
Is it possible to upgrade directly from 8.4.3 to 9.1.1, and if so, what are the operational considerations of this upgrade? My reading of the release notes didn't indicate any special procedures that would need to be followed other than performing the upgrade steps. I assume there may be a period of service interruption, but I did not see any special requirements for performing a direct upgrade.
Any information on the perils of a direct upgrade is appreciated. Operational experience (such as "it set my network on fire and killed three kittens") greatly appreciated. Save the kittens!
Thanks, -Ed
02-06-2013 04:51 AM
You can do the upgrade directly from 8.4(3) to 9.1(1). Yes the release notes recommend going via 8.4(5) and 9.0(1) but that's not really necessary.
Standard procedure applies. In a nutshell:
Optionally change your primary unit back to active if that bothers you. I like to delete the old image once things are looking OK after a couple of days. You should also update your ASDM image (and the variable pointing to it) while you're in there.
No kittens are harmed in this process.
02-06-2013 04:51 AM
Appreciate the response! And also glad to see someone else that pays attention to proper system hygiene (removing old image after stabilization).
Best regards,
Ed
05-01-2013 12:48 AM
Good detail. A much simpler way to upgrade would be to use Cisco Security Manager which introduced "image upgrade" for ASA with its 4.3 release. Note that "no downtime upgrade" is supported for ASA failover pairs.
02-14-2015 03:14 AM
Hello Marvin
Is there any way to upgrade from 8.2 to 9.1.5 with zero downtime?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
02-15-2015 10:03 AM
As long as you have an HA pair, yes.
You have to do it in at least two separate upgrades - first go to ASA 8.4(6) and then 9.1(5) as noted in the Release Notes.
02-16-2017 11:08 PM
hi marvin,
i'm about to do an ASA HA pair zero downtime upgrade and your post is very insightful!
referring to the steps you gave (particular step #1), do you TFTP the image from active ASA to standby ASA using the command:
active# failover exec mate copy /noconfirm tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin
i was initially thinking to SSH to the internal IP of the standby ASA and issue the copy tftp command from there. is there any difference between the two approaches? or do you get the same end result with any method?
refer to link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/upgrade/upgrade93.html#73860
02-17-2017 12:29 AM
John,
I prefer to copy the image from an external repository like my laptop.
I've never tried tftp FROM the active ASA as I don't think the ASA will act as a tftp (or http or ftp or scp) server. In fact I just tried one in the lab and it does not.
So - yes - ssh directly to the standby ASA and initiate a copy (I prefer ftp) from there. The source of the image should be a tftp (or ftp etc.) server.
02-17-2017 12:29 AM
marvin +5
In fact I just tried one in the lab and it does not
what do you mean by this? did you try the said command and it did NOT work?
active# failover exec mate copy /noconfirm tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin
02-17-2017 01:20 AM
John,
I tried to copy a file to a switch from an ASA using tftp.
I picked a small file I knew to be there (my profile.xml in this case).
The ASA did not respond to the tftp request initiated from the switch.
02-19-2017 08:00 PM
hi marvin,
The ASA did not respond to the tftp request initiated from the switch.
did you TFTP the image from the active ASA (not a switch or PC) to the standby ASA using the failover exec command?
ACTIVE-ASA-FW# failover exec mate copy /noconfirm tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin
02-19-2017 08:12 PM
No. I don't believe that's a supported operation.
02-19-2017 08:20 PM
hi marvin,
i think i understand now the cisco doc and the said command.
Step 2 Copy the ASA software to the active unit flash memory:
For other methods than TFTP, see the copy command.
Step 3 Copy the software to the standby unit; be sure to specify the same path as for the active unit:
i believe both active and standby get the image from a remote TFTP server. the command just allows executing commands from the active asa without the need to jump or SSH to the standby asa.
ciscoasa/pri/act/admin# failover ?
exec Execute command on the designated unit
ciscoasa/pri/act/admin# failover exec ?
active Execute command on the active unit
mate Execute command on the peer unit
standby Execute command on the standby unit
ciscoasa/pri/act/admin# failover exec mate ?
LINE Command String
02-19-2017 08:27 PM
Correct - both the active and standby units are tftp clients only.
The tftp server is off on an external computer.
10-28-2021 07:14 AM
Marvin, do you think that if I follow those steps but skip the last 2 steps (log into newly active unit and "failover reload-standby" and wait for successful reload and verify configuration is synced OK. Both units are now on 9.1(1).), leaving the Active ASA in 9.1(1) and Standby ASA in 8.4(3) can generate problems with NAT flows, considering both units on?