Beginner

Cisco ASA 5525 upgrade ?

Good day all,

Upgrading our 5525, one is active, other is standby. Upgrading the standby first.

When I say upgrade that's the IOS as well as ASDM. Then active will be done at a later date.

So as to the GUI (ASDM), we log into it in the active ASA and then add the IPs for the standby. If I update the ASDM on the standby will that cause an issue on the GUI?

Are there other concerns I should address?

2 REPLIES 2
VIP Advocate

I see you want to upgrade the standby unit software and the ASDM, and later some day you will upgrade the Active (Primary) unit. That's fine, you can do this. However, Cisco best practice is to upgrade both units in one change window instead of upgrading one today and the other unit after 2/3 days.

Anyway, coming to your question: yes, this upgrade is fine. However, you need to check the software compatibility matrix to see if the ASDM is supported on your old unit (Primary Active) and the new image/ASDM on (Secondary Standby). As you have not mentioned what your current software and ASDM image are, check this link:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

So as to the GUI (ASDM), we log into it in the active ASA and then add the IPs for the standby. If I update the ASDM on the standby will that cause an issue on the GUI?

As long as the software matrix supports your current ASDM image and the new version image of software/ASDM, you are fine.

Are there other concerns I should address?

Nope. The only thing you will notice in an active/standby deployment with different versions: on SSH/console you will get a notice that you are running a different version of software on these units.

Please do not forget to rate.
Hall of Fame Guru

I would add some additional information on updating ASDM on only one unit of an active/standby HA pair. In general, it's not a good idea and not recommended. There are no advantages and there are several disadvantages.

When we update ASDM, there are two components:

First, we upload the new image (asdmxxx.bin) on the ASA's compact flash storage (disk0:). The best practice is to always keep these in sync as it is a key tenet of failover operations that all required files are present on both units.

Second, we update the "asdm image" line in the shared and synchronized running-config that tells both ASAs what image to use for ASDM. Because the config is always synced, having the newer image on the standby member will, at best, do nothing (assuming you've not deleted the old image). At worst, it will cause ASDM to fail if there is a failover event and the config references an image that is not present on disk.

ASA failover and upgrade for HA pairs is a tried and true process that works quite well and has been in place for many years. Intentionally trying to upgrade while not following the documented procedure is introducing unnecessary complexity and risk to your system.
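A pre-change check for the failure mode described in the reply above (the synced config's "asdm image" line pointing at a file that is missing from one unit's disk0:), added here as an example and not part of the original thread. The captured text, the file names and the `dir disk0:` column layout are constructed assumptions; paste in your own output from each unit.

```python
import re

# Constructed sample captures; file names are placeholders, not real releases.
RUNNING_CONFIG = """\
hostname fw-example
asdm image disk0:/asdm-NEW.bin
"""
DIR_ACTIVE = """\
Directory of disk0:/

101    -rwx  30000000     10:05:00 Jan 01 2020  asdm-OLD.bin
"""
DIR_STANDBY = """\
Directory of disk0:/

101    -rwx  30000000     10:05:00 Jan 01 2020  asdm-OLD.bin
102    -rwx  31000000     11:15:00 Jan 02 2020  asdm-NEW.bin
"""

def configured_asdm_image(config):
    """Return the file name from the 'asdm image <device>:/<file>' line, or None."""
    m = re.search(r"^asdm image \S+?:/(\S+)\s*$", config, re.M)
    return m.group(1) if m else None

def files_on_disk(dir_output):
    """Collect file names from directory-listing rows (assumed: index, perms, ..., name)."""
    files = set()
    for line in dir_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and re.fullmatch(r"[-d][-rwx]{3}", parts[1]):
            files.add(parts[-1])
    return files

def check_pair(config, dir_by_unit):
    """Map each unit name to True if the configured ASDM image is on its disk."""
    image = configured_asdm_image(config)
    if image is None:
        raise ValueError("no 'asdm image' line found in config")
    return {unit: image in files_on_disk(out) for unit, out in dir_by_unit.items()}

if __name__ == "__main__":
    result = check_pair(RUNNING_CONFIG, {"active": DIR_ACTIVE, "standby": DIR_STANDBY})
    for unit, present in result.items():
        print(f"{unit}: configured ASDM image {'present' if present else 'MISSING'}")
```

With the constructed input, the config references the new image but only the standby holds it, so the active unit is flagged.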
