Ask the Expert: Migration Best Practices for Adaptive Security Appliance 8.3/8.4

ciscomoderator
Community Manager

With: Praveena Shanubhogue

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Migration Best Practices for Adaptive Security Appliance 8.3/8.4 with Praveena Shanubhogue. Learn about best practices while migrating from version 8.2 or before to 8.3 and beyond and ask questions about the new features. Understand bugs or known issues that one needs to be aware of while migrating from 8.2 to 8.3 and beyond.

Praveena Shanubhogue is an engineer in the Cisco Technical Assistance Center in Bangalore, India, specializing in Cisco VPN and Adaptive Security Appliance (ASA) technologies. He has more than 3 years of experience troubleshooting VPN and ASA products. He holds CCIE certification in Security (#29450).

We encourage you to watch the recently published Community Tech-Talk Blog and Video.

Remember to use the rating system to let Praveena know if you have received an adequate response. 

Praveena might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event.  This event is a continuation of the Facebook Forum and lasts through Sept 19, 2012. Visit this forum often to view responses to your questions and the questions of other community members.


Thanks, Praveen, for the inputs.

Hi Praveena,

I have two standalone ASA5520s running on 8.0. I will need to upgrade to 5525-x with 8.3. Do the procedures for manually upgrading PIX with 8.0 to ASA5525-x with 8.3 also apply to 5520? Or is there an easier way to complete the upgrade?

Thanks in advance.

Robin

Hey Robin,

All 55xx-X series ASAs can load OS beyond 8.6 only, but they are almost similar to 8.4 when it comes to configuration.

So since you have ASAs as opposed to PIXs, you have two options:

Option#1:

0. Back up your ASA config.

1. Upgrade these ASAs to 8.4 when you are about to decommission them. And it does not matter if they don't have enough RAM (since they are not going to be operational).

2. Now back up this config and make changes to the interfaces (i.e. only if the 5525-x interface mapping changes compared to 5520)

   - Remove the old 'boot system ..' statement and add the new 'boot system ..' statement

   - Remove the 'Crypto Checksum' part from the end.

2. Load it on ASA5525-x's Flash (asdm/tftp/ftp)

3. On ASA5525-x, replace the startup-config with the PIX's config:

   copy flash:/pix-config.txt start

4. Do NOT execute 'write mem'

5. Reload

Option#2:

Same as option #1, if you choose to skip step #1 in the last option. (i.e. identical with the last PIX to 5525-x migration steps)

Let me know if you have any queries.

-- Praveen

Thanks for your reply!

In addition to the upgrade process, if the two 5525-xs will be running in HA mode (active/standby for instance), then will the process be as follows?

1. Migrate the config of the two standalone 5520s onto one 5520, build the HA pair, then upgrade the primary 5520 from 8.0 to 8.4.

2. Follow the migration process you mention, load the config onto the new 5525-x, upgrade to 8.6, build the secondary 5525-x, from where to form the HA pair.

Will this work or do I miss anything?

Best Regards,

Robin

Well with HA in picture, what you have in mind should work just fine.

You could also do this:

1. As far as 5520 is concerned, just get one ASA (that will be converted to HA), and migrate it to 8.4

2. Edit this config in order to get the interfaces and boot variable (pointing to 8.6) right, and remove the checksum part (I know I keep repeating this part, but this is absolutely necessary). And also, for each interface, append a standby IP address.

3. Load it on 5525-x and reload

4. Make this 5525-x the primary in the HA Pair

5. Add the secondary 5525-x and enable failover on this one

6. The second 5525-x should now sync up the config

This way you need to worry about HA config only once (on 5525-x).

If the interface mapping stays the same, I guess you can follow your method, but as you can see above, since the secondary box does not need to be *built* (config sync up happens when you build HA), forming the 5520 HA pair is not necessary.

-- Praveen
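
The offline config edits described in both replies above (swap the 'boot system' statement, drop the checksum trailer, append a standby address to each interface), sketched as a workstation script. This is an added example, not code from the thread or from Cisco; the sample config, image path and addresses are constructed placeholders, and interface renaming for a changed port mapping is left to the operator.

```python
import re

# Constructed sample of a saved ASA config; names, addresses and image paths are placeholders.
SAMPLE = """\
: Saved
hostname fw-old
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
boot system disk0:/OLD-IMAGE-PLACEHOLDER.bin
Cryptochecksum:00000000000000000000000000000000
: end
"""

IP_LINE = re.compile(r" ip address \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+$")

def prepare_config(text, new_boot_image, standby_ips):
    """Return (edited config text, interfaces left without a standby address)."""
    out, missing, iface, boot_done = [], [], None, False
    for line in text.splitlines():
        if line.startswith("Cryptochecksum:"):
            continue                      # drop the checksum trailer
        if line.startswith("boot system "):
            if not boot_done:             # one new statement replaces all old ones
                out.append(f"boot system {new_boot_image}")
                boot_done = True
            continue
        if line.startswith("interface "):
            iface = line.split()[1]
        elif not line.startswith(" "):
            iface = None                  # left the interface stanza
        elif iface and IP_LINE.match(line):
            if iface in standby_ips:
                line = f"{line} standby {standby_ips[iface]}"
            else:
                missing.append(iface)     # has an address but no standby yet
        out.append(line)
    if not boot_done:                     # old config had none: add before ': end'
        at = out.index(": end") if ": end" in out else len(out)
        out.insert(at, f"boot system {new_boot_image}")
    return "\n".join(out) + "\n", missing

if __name__ == "__main__":
    cfg, todo = prepare_config(SAMPLE, "disk0:/NEW-IMAGE-PLACEHOLDER.bin", {"GigabitEthernet0/0": "192.0.2.2"})
    print(cfg, "still need a standby address:", todo)
```

Interfaces returned in the second value still need a standby address before the file is copied to the new unit's flash.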

Thanks a lot!!!
