Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
200
Views
0
Helpful
1
Replies

Firewall Upgrade from 8.4.(4)5 to 9.1(7)4 - HA Setup - Multiple Mode

Alexander Moorthy
Level 1
Level 1

‎08-18-2016 10:37 PM - edited ‎03-12-2019 01:09 AM

Hi,

We have a Cisco ASA firewall 5580 running with 12 context. There is a plan to upgrade the devices to 9.1(7)4 version ( the highest supported version on this model). There are 2 plans for us to decide on.

Plan 1

1.Upload the image 9.0(4) to the Secondary device (standby) & upgrade to 9.0(4) from 8.4(4)5 by changing the bootvar & reload.

2.Upload the image 9.1(7)4 to the Secondary device (standby) & upgrade to 9.1(7)4 from 9.0(4) by changing the bootvar & reload.

Once the secondary device is successfully upgraded to 9.1(7)4 , repeat the same above steps in Primary device after making the secondary device active.

Plan 2

1.Upload the image 9.0(4) to the Secondary device & upgrade to 9.0(4) from 8.4(4)5 by changing the bootvar & reload.

2. Make Secondary device as Active

3.Upload the image 9.0(4) to the Primary device & upgrade to 9.0(4) from 8.4(4)5 by changing the bootvar & reload.

4.Upload the image 9.1(7)4 to the Primary device & upgrade to 9.1(7)4 from 9.0(4) by changing the bootvar & reload.

5. Make Primary device as Active

6.Upload the image 9.1(7)4 to the Secondary device & upgrade to 9.1(7)4 from 9.0(4) by changing the bootvar & reload.

Could someone suggest which is the best recommended plan  ( 1 or 2 ) that will work perfectly and there is no unforeseen issues.

I have a gut feeling there may be some failover issue in the plan 1.  Looking for an immediate answer.

Labels:
0 Helpful
1 Reply 1

kkhapeka
Cisco Employee
Cisco Employee

‎08-19-2016 01:09 PM

Please follow Plan-2, as it is always easy to fall back to old software version in case of any unforseen issues.

When upgrading from 8.4.x to 9.1.x, it doesn't include any major changes in configuration commands the way it happened in pre-8.3 and post-8.3, but still it is always advisable to upgrade the HA pair to next software version and monitor the network for some time.

In your case, you have to reboot the device twice, So after first upgrade you can check the basic connectivity in the network and if everything works fine then you can proceed ahead with the next software upgrade.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card