Firepower module Re-image (ASA5545)

MohamedSamer47595 · ‎11-25-2020

I have 2 ASA5545 in HA cluster with firepower modules, both firepower modules are unresponsive.

the question is:

if we re-imaged one of the firepower modules, will this cause a failover, and this ASA unit will be active?

or the module re-image is not related to the ASA active-standby status and it will not affect it?

thanks

mikiNet · ‎11-25-2020

Hi,

Please look on this document:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

You find all procedures which help you. I've done this several times with this procedure and everything worked

mikiNet · ‎11-25-2020

Answer for other question:

ASA and Firepower Service work independently, so If you do reimage Firepower it not cause failover, but remember - on ASA you have configure sfr mode:

fail-open or fail-close - if you have fail-open then ASA still process the packet and not affect it, but if you have fail-close the ASA not proccess at all

Shuhaib Thottathil · ‎11-25-2020

Hi Mohamed,

If you are planning to do a reimage of the firepower module installed in the ASA you do not like to have any failover incident during the reimage process it's better to stop the monitoring of the service module.

Since both of them are in an unresponsive state both ASA units will consider them as healthy. Now let's say you do reimage of firepower in the standby unit first, now the moment Firepower comes up on that unit ASA will failover to the Standby unit since the current standby is healthier than the Active unit.

run this command before you start the reimage. Then you can enable it back once the reimage is completed.

no monitor-interface service-module

Thanks

Shuhaib