Dear friends, good afternoon!

Today I faced with problem after I have done upgrade from 8.6.1 to 9.4.1 on Cisco ASA 5525x with IPS software in Active/Standby configuration.

One of my customer asked me to upgrade to verion 9.4.1 his Active/Standby cisco ASAs. I read release notes for this version and started with upgrade. As mentioned in release notes I did upgrade to version 9.0.4 first. Upgrade finished without any problems! All interface were in monitoring state, failover was in perfect state, no errors no issues, everything was as should be. Then started with upgrade to required version  9.4.1. I did everything as before, download image and ASDM, changed boot config, and did  failover reload-standby. 

After standby unit rebooted I  expected standby ready state. But state of standby unit was - Other host: Secondary - Failed

ASA-Firewall# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
failover replication http
Version: Ours 9.0(4), Mate 9.4(1)
Last Failover at: 14:42:17 AZDT Jun 5 2015
        This host: Primary - Active
                Active time: 3542 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
                  Interface inside (10.34.10.254): Normal (Waiting)
                  Interface outside (xx.132.xx.xxx): Normal (Waiting)
                  Interface management (10.34.7.252): Normal (Waiting)
                slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
                  IPS, 7.1(9)E4, Up
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.4(1)) status (Up Sys)
                  Interface inside (10.34.10.253): Unknown (Waiting)
                  Interface outside (xx.132.xx.xxx): Unknown (Waiting)
                  Interface management (10.34.7.251): Unknown (Waiting)
                slot 1: UNKNOWN hw/sw rev (N/A/) status (Unresponsive)

I did investigtion, checked everything (e.g. interface, config, show commands and so on). I was confused how it can be, I did upgrade till version 9.0.4 for 5 minutes but on  version 9.4.1 I stuck. After more deep investigation I think I found the reason of this problem. I connected to active and standby  unit and execute comand: 

On Standby ASA-Firewall# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            FCH18037CSR
 ips ASA 5525-X IPS Security Services Processor   ASA5525-IPS        FCH18037CSR
cxsc Unknown                                      N/A                FCH18037CSR
 sfr Unknown                                      N/A                FCH18037CSR

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 18e7.282e.8bbd to 18e7.282e.8bc6  1.0          2.1(9)8      9.4(1)
 ips 18e7.282e.8bbb to 18e7.282e.8bbb  N/A          N/A          7.1(9)E4
cxsc 18e7.282e.8bbb to 18e7.282e.8bbb  N/A          N/A
 sfr 18e7.282e.8bbb to 18e7.282e.8bbb  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips IPS                            Up               7.1(9)E4
 sfr Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Up                 Up
cxsc Unresponsive       Not Applicable        Not powered on completely
 sfr Unresponsive       Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Enabled         perpetual

AND THE SAME ON ACTIVE

On Active ASA-Firewall# show module

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            FCH17517QRK
ips ASA 5525-X IPS Security Services Processor   ASA5525-IPS        FCH17517QRK

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 3c08.f6d9.9278 to 3c08.f6d9.9281  1.0          2.1(9)8      9.0(4)
ips 3c08.f6d9.9276 to 3c08.f6d9.9276  N/A          N/A          7.1(9)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips IPS                            Up               7.1(9)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
ips Up                 Up

Mod License Name   License Status  Time Remaining
--- -------------- --------------- ---------------
ips IPS Module     Enabled         perpetual

We know that ASA failover algorithm do a lot of ckecks and one of this check is to monitor modules. As we can see on the output after upgrade to version 9.4.1 NEW module appears on standby unit: cxsc  and  sfr  as we can see. On Active unit there are no such modules. May be standby unit cant check the state, or Active unit cant interpret standby unit messages, I dont know realy (

I have questions:

1) Why this new modues appeared, for what for, how they works...?

2) Can I upgrade my Cisco ASAs till that version?

3) What I shuld do to upgrdade? I need this upgrade very much, because I need Policy Based Routing functionality?

4) Can I do upgrade without interruption  ?

Dear friends, collegues I am asking you to help me )

Best Regards,

Max