Cisco ASA 5525 upgrade ?

kalen4101
Level 1

 Good day all,

  Upgrading our 5525, one is active, other is standby. Upgrading the standby first.

When I say upgrade that's the IOS as well as ASDM. Then active will be done at a later date.

So as to the GUI (ASDM), we log into it in the active ASA and then add the IPs for the standby. If I update the ASDM on the standby will that cause an issue on the GUI?

 Are there other concerns I should address?

6 Replies

I see you want to upgrade the standby unit software and the ASDM, and later some day you will upgrade the Active (Primary) unit. That's fine, you can do this. However, Cisco best practice is to upgrade both units in one change window instead of upgrading one today and the other unit 2/3 days later.

Anyway, coming to your question: yes, this upgrade is fine. However, you need to check the software compatibility matrix to see whether the ASDM is supported on your old unit (Primary Active) and the new image/ASDM on (Secondary Standby). As you have not mentioned what your current software is and what the ASDM image is, in that case check this link:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

So as to the GUI (ASDM), we log into it in the active ASA and then add the IPs for the standby. If I update the ASDM on the standby will that cause an issue on the GUI?

As long as the software matrix supports your current ASDM image and the new version image of software/ASDM, you are fine.

Are there other concerns I should address?

Nope. The only thing you will notice with an active/standby deployment with different versions: on ssh/console you will get a notice that you are running a different version of software on these units.

Please do not forget to rate.

Marvin Rhoads
Hall of Fame

I would add some additional information on updating ASDM on only one unit of an active/standby HA pair. In general, it's not a good idea and not recommended. There are no advantages and there are several disadvantages.

When we update ASDM, there are two components:

First, we upload the new image (asdmxxx.bin) on the ASA's compact flash storage (disk0:). The best practice is to always keep these in sync as it is a key tenet of failover operations that all required files are present on both units.

Second, we update the "asdm image" line in the shared and synchronized running-config that tells both ASAs what image to use for ASDM. Because the config is always synced, having the newer image on the standby member will, at best, do nothing (assuming you've not deleted the old image). At worst, it will cause ASDM to fail if there is a failover event and the config references an image that is not present on disk.

ASA failover and upgrade for HA pairs is a tried and true process that works quite well and has been in place for many years. Intentionally trying to upgrade while not following the documented procedure is introducing unnecessary complexity and risk to your system.

kalen4101
Level 1

Looking at the instructions

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_F0701C3A86854801958757CEF1E4D999

I see it says to load the Active and standby from the same source. Now I was wondering if they are talking from the same location. What I mean is I have loaded the IOS image and the ASDM image to the directory "disk0:/" on each of the devices.

 From the GUI I was just going to direct the upgrade to the files I have on disk0. Is that an issue?

Yes - just indicate in the GUI to use the file on disk0:. That's why it's important to have the same ASDM and ASA image files on disk0 of both units.
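
A pre-change check for the two points made in the replies above (the synced config must not reference an image that is absent from a unit's disk0:, and both units should hold the same files), written as an added example that is not part of the original thread or any Cisco tooling. The sample `show running-config` and `dir disk0:` text is constructed, the file names are placeholders rather than real release names, and the `dir` column layout the regex expects is an assumption.

```python
import re

# Constructed sample output; file names are placeholders, not real release names.
RUNNING_CONFIG = """\
boot system disk0:/asa-NEW-smp-k8.bin
asdm image disk0:/asdm-NEW.bin
"""
DIR_OUTPUT = {
    "active": """\
Directory of disk0:/
101  -rwx  110000000  10:00:00 Jan 01 2024  asa-NEW-smp-k8.bin
102  -rwx  40000000   10:01:00 Jan 01 2024  asdm-OLD.bin
""",
    "standby": """\
Directory of disk0:/
101  -rwx  110000512  11:00:00 Jan 01 2024  asa-NEW-smp-k8.bin
102  -rwx  40000000   11:01:00 Jan 01 2024  asdm-OLD.bin
103  -rwx  41000000   11:02:00 Jan 01 2024  asdm-NEW.bin
""",
}

REF_RE = re.compile(r"^\s*(boot system|asdm image)\s+disk0:/(\S+)", re.M)
# Assumed column layout: id, permissions, size, time, month, day, year, name.
DIR_RE = re.compile(
    r"^\s*\d+\s+[-drwx]+\s+(\d+)\s+\S+\s+\w{3}\s+\d+\s+\d{4}\s+(\S+)\s*$", re.M)

def referenced_images(config):
    """Return (statement, filename) pairs the synced config points at."""
    return REF_RE.findall(config)

def files_on_disk(dir_output):
    """Map filename -> size in bytes from one unit's 'dir disk0:' output."""
    return {name: int(size) for size, name in DIR_RE.findall(dir_output)}

def check_pair(config, dir_by_unit):
    """List every referenced image that is missing or differs between units."""
    disks = {unit: files_on_disk(out) for unit, out in dir_by_unit.items()}
    findings = []
    for statement, name in referenced_images(config):
        sizes = {unit: files.get(name) for unit, files in disks.items()}
        for unit, size in sorted(sizes.items()):
            if size is None:
                findings.append((statement, name, f"missing on {unit}"))
        present = {s for s in sizes.values() if s is not None}
        if len(present) > 1:
            findings.append((statement, name, "size differs between units"))
    return findings

if __name__ == "__main__":
    for finding in check_pair(RUNNING_CONFIG, DIR_OUTPUT):
        print(*finding, sep=" | ")
```

A size mismatch only hints that the two copies did not come from the same source; comparing a checksum of each file is the stronger check.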

kalen4101
Level 1

One last question. I understand the ASDM lives on the switches, but to launch the GUI we have an icon (shortcut) on our jumpboxes.

Do I need to replace that for the new ASDM update?

 Where would I get the shortcut from?

Marvin Rhoads
Hall of Fame

It checks the ASA every time you log in and will update automatically when it is launched next.
