Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1123
Views
10
Helpful
2
Replies

ASA5555-X Version Upgrade - State Table question

mimperiale
Level 1
Level 1

‎01-12-2021 09:26 AM

I have a pair of 5555-X ASA running 9.3(1) that I plan to upgrade to the version 9.14(1.30).  I am planning this as an outage to services that traverse the firewall but am wondering what the true impact will be.  Since I have two in an HA pair (active/standby) I plan to upgrade the SW on the standby appliance, the after it boots up on new version make the newly upgraded FW active and upgrade the primary FW.  

 

My question is will the state table sync from the 9.3 firewall to the 9.14 firewall.  I suspect it will but can not find anything to tell me for certain.  My goal is to be able to communicate to the application owners that have traffic that traverse this HA pair whether thier path will be lost and applications will alarm.  If the state table move from the 9.3 to th9.14 I suspect there will be no outage felt but if not then some aps may be forced to reconnect due to lost state on the firewall.

 

Thanks

 

0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-12-2021 09:45 AM

Connection state is preserved across an upgrade of an ASA HA pair (assuming you follow the Cisco guidelines which you summarized accurately in your post) if there is a state interface configured and working.

Most applications recover immediately even without a state interface since tcp takes care of things before it reaches the point of affecting the application.

Marius Gunnerud
VIP
VIP

‎01-12-2021 12:08 PM

Just to add to what Marvin has already said.  HTTP replication is not enabled by default, but if you have followed guidelines and best practice then this should already be enabled.

The recommended steps to upgrade are to:

1. failover so that secondary is the active ASA

2. upgrade the primary(standby) ASA

3. verify that the ASA has come up and is running as expected

4. failover from secondary(active) to primary(standby)

5. verify that traffic is passing through the primary(active) ASA successfully

6. upgrade secondary(standby)

7. verify that standby comes up and is running as expected

8. verify failover is OK (show failover)

 

I have done this upgrade countless times and have never had any outage during the upgrade.  But even though I do not expect to have an outage, I always perform the upgrade in a service window.

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card