Firewall IOS UpGradation

vivekkumarv
Level 1

Hi Team,

I got an assignment from one of our customers.

As per the customer's request, they would like to upgrade the existing firewall (Active/Standby) IOS from 8.2(4) to 9.1.1.

They have two firewalls without contexts; one firewall is acting as active and the second one is working as standby.

What all points do I need to take care of before upgrading to 9.1.1?

Will the IOS automatically upgrade the existing legacy configuration to the new syntax? (My answer is yes.)

What all issues may I face after the IOS upgradation?

Will I be able to complete the IOS upgradation without downtime? (My answer is no, because it is a major upgrade from 8.X to 9.X.)

Also, please share your experience.

These are the steps I am going to follow:

a. Configuration backup
b. Download the IOS from the Cisco portal.
c. Copy the ASA software to the active unit flash memory.
d. Copy the software to the standby unit.
e. Copy the ASDM image to the active unit flash memory.
f. Copy the ASDM image to the standby unit.
g. Remove any existing boot image configurations.
h. Set the ASA image to boot the newly uploaded IOS.
i. Set the ASDM image.
j. Save the new settings to the startup configuration.
k. Reload the standby unit to boot the new image.
l. Force the active unit to fail over to the standby unit.
m. Reload the former active unit.

Please let me know if I need to change this flow.

I have uploaded a sample crafted configuration for your reference. (Partial, crafted, fake IP addresses and passwords are used in this sample configuration.)

Thank You.

VKV

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

You can still have zero downtime upgrade across major releases. Other than that, your procedure is generally correct.

One important step to add is to check and understand the migrated NAT rules after step k above. There will be a file created on disk0: explaining what rules were migrated and any exceptions generated. Those are typically the biggest source of concern during an upgrade to 8.3+.

After you have successfully upgraded I would also encourage you to look at moving to AnyConnect 3.1 as a separate activity. Your configurations currently include the older and less capable AnyConnect 2.5.

I would also first remove all of the fsck* files on both units. Those are the results of non-graceful reloads and not necessary for system operation. After everything is verified running fine on the upgraded pair I would go back later and delete the old ASA and ASDM images as well.


We recently did something similar, but from 8.2 to 8.3.

What it meant for us: completely redo all our NAT rules; the rest seems fine.

Regarding AnyConnect 3.1, it's not really a must to change. It offers some new features, but also a very annoying caveat: it starts automatically with login to Windows. That means you always have AnyConnect running in the background, and you can only disable this with a little registry hack to get the old behaviour back.

Also check the changed RAM and Flash requirements for ASA 8.3 and newer!

[Edit]

Just checked your attachment; as you use a 5585-X, the memory requirements are fine.

You might want to take 9.1.2 though; it was released today and fixes a ton of bugs.

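The OP's steps a-m, with the additions from the two accepted solutions folded in (clean up the fsck* files first, review the NAT migration after step k, delete the old images only later, and check RAM/flash before starting), written out as ASA CLI on the active unit. This is an added example, not the commands from the original posts or Cisco's own upgrade document; the TFTP server address, the image file names and the fsck file name are assumed placeholders and must be replaced with what `dir disk0:` and the Cisco download page show in your own environment.

```cisco
! === Pre-checks: RAM/flash requirements and leftover fsck* files ===
! Memory and flash size appear near the top of the output; compare with the 8.3+ requirements.
show version | include Hardware|memory|flash
! Both units must report Ready before the upgrade starts.
show failover | include This host|Other host|Ready
! List files on each unit; note any fsck*.rec files and the current image names.
dir disk0:
failover exec mate dir disk0:
! Delete each fsck file reported above (file name is an example; use the names from your dir output).
delete /noconfirm disk0:/fsck0001.rec
failover exec mate delete /noconfirm disk0:/fsck0001.rec
! Step a: back up the running configuration off-box (TFTP address is an assumed placeholder).
copy /noconfirm running-config tftp://192.0.2.10/asa-8.2.4-backup.cfg

! === Steps b-f: stage the new images on both units ===
! File names assume a 9.1(1) SMP image and ASDM 7.1; use the files downloaded from Cisco.
copy /noconfirm tftp://192.0.2.10/asa911-smp-k8.bin disk0:/asa911-smp-k8.bin
copy /noconfirm tftp://192.0.2.10/asdm-711.bin disk0:/asdm-711.bin
failover exec mate copy /noconfirm tftp://192.0.2.10/asa911-smp-k8.bin disk0:/asa911-smp-k8.bin
failover exec mate copy /noconfirm tftp://192.0.2.10/asdm-711.bin disk0:/asdm-711.bin
! Verify the copies landed (sizes should match on both units).
dir disk0:
failover exec mate dir disk0:

! === Steps g-j: point the boot variables at the new images and save ===
configure terminal
 clear configure boot
 boot system disk0:/asa911-smp-k8.bin
 asdm image disk0:/asdm-711.bin
 end
write memory
! Boot settings replicate to the standby through config sync; confirm on both units first.
show bootvar
failover exec mate show bootvar

! === Step k: reload the standby so it boots 9.1 and migrates its copy of the configuration ===
failover reload-standby
! Wait until the mate reports Standby Ready on the new version before continuing.
show failover | include Other host|Version

! === Added check from the accepted solution: review the NAT migration on the upgraded unit ===
! 8.3+ rewrites NAT; the migration leaves a report on disk0: and records lines it could not convert.
! If failover exec across versions is refused, run these on the standby console directly.
failover exec mate dir disk0:
failover exec mate show startup-config errors
failover exec mate show running-config nat

! === Steps l-m: fail over to the upgraded unit, then reload the former active ===
no failover active
! This session is now on the new standby (the 8.2 unit); reload it to boot the new image.
reload noconfirm
! From the new active unit: both units should show the new version, Active/Standby Ready.
show failover
show nat

! === Later, after the pair has run clean for a while: remove the old images (names are examples) ===
delete /noconfirm disk0:/asa824-smp-k8.bin
delete /noconfirm disk0:/asdm-645.bin
failover exec mate delete /noconfirm disk0:/asa824-smp-k8.bin
failover exec mate delete /noconfirm disk0:/asdm-645.bin
```

The ordering matters for the zero-downtime claim in the first accepted solution: the standby is upgraded and confirmed Ready while the active unit still carries traffic, the NAT migration is inspected before any traffic is moved onto the new code, and only then is the active unit failed over and reloaded.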

3 Replies


Patoberli - thanks for the heads up on 9.1(2). I hadn't noticed that yet. Lots of good stuff there.

You're also right re: checking memory as a general step. I had already noticed the OP was talking about a 5585 though, which is a memory-rich platform already.
