05-15-2013 01:07 AM - edited 03-11-2019 06:43 PM
Hi Team,
I got an assignment from one of the customers.
As per the customer request, they would like to upgrade the existing firewall (Active/Standby) IOS from 8.2(4) to 9.1.1.
They have two firewalls without context; one firewall is acting as active and the second one is working as standby.
What points do I need to take care of before upgrading to 9.1.1?
Will IOS automatically upgrade the existing legacy configuration to the new syntax? (My answer is yes.)
What issues may I face after the IOS upgradation?
Will I be able to complete the IOS upgradation without downtime? (My answer is no, because it's a major upgrade from 8.X to 9.X.)
Also please share your experience.
These are the steps I am going to follow.
Please let me know if I need to change this flow.
I have uploaded a sample crafted configuration for your reference. (Partial-Crafted-FakeIpaddress-Passwords are available in this sample configuration.)
Thank You.
VKV
05-15-2013 06:43 AM
You can still have zero downtime upgrade across major releases. Other than that, your procedure is generally correct.
One important step to add is to check and understand the migrated NAT rules after step k above. There will be a file created on disk0: explaining what rules were migrated and any exceptions generated. Those are typically the biggest source of concern during an upgrade to 8.3+.
After you have successfully upgraded I would also encourage you to look at moving to AnyConnect 3.1 as a separate activity. Your configurations currently include the older and less capable AnyConnect 2.5.
I would also first remove all of the fsck* files on both units. Those are the results of non-graceful reloads and not necessary for system operation. After everything is verified running fine on the upgraded pair I would go back later and delete the old ASA and ASDM images as well.
05-15-2013 06:53 AM
We recently did something similar, but from 8.2 to 8.3.
What it meant for us: completely redo all our NAT rules; the rest seems fine.
Regarding AnyConnect 3.1, it's not really a must to change. It offers some new features, but also a very annoying caveat: it starts automatically with login into Windows. That means you always have AnyConnect running in the background and you can only disable this with a little registry hack to get the old behaviour back.
Also check the changed RAM and Flash requirements for ASA 8.3 and newer!
[Edit]
Just checked your attachment; as you use a 5585-X, the memory requirements are fine.
You might want to take 9.1.2 though, it was released today and fixes a ton of bugs.
05-15-2013 07:04 AM
Patoberli - thanks for the heads up on 9.1(2). I hadn't noticed that yet. Lots of good stuff there.
You're also right re checking memory as a general step. I had already noticed the OP was talking about a 5585 though, which is a memory-rich platform already.