Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1050
Views
0
Helpful
2
Replies

HA 5525X IPS/IDS upgrade to Firepower, no downtime?

mozmorris1974
Level 1
Level 1

‎07-25-2016 07:12 AM - edited ‎03-12-2019 06:05 AM

Can an upgrade from IDS/IPS be performed with no downtime when there are 2 5525X in HA?

From looking at articles I was planning the following action list but as we have no spare equipment cant practise offline.

5525X are active/standby HA

From the common ASDM Service Policy Rules make a note and remove any rule actions that put traffic to the IPS  vs0

Standby, unit B

  1. Hot insert the SSD
  2. from the cli of the Standby disable and uninstall the IPS module
  3. reboot/reload the Standby
  4. install the firepower module

Configure in firesight

LIVE, Unit A

  1. perform a manual failover of the firewall to Unit B
  2. Hot insert the SSD
  3. from the cli of the Unit A disable and uninstall the IPS module
  4. reboot/reload Unit A
  5. install the firepower module

configure in firesight

From the common ASDM Service update the rules to point traffic to the sfr module from the notes made in the first task.

Cheers

Mike

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-26-2016 07:33 PM

Hot insertion of the SSD is not supported under any scenario. It needs to be in place during appliance boot for it to be recognized and then memory and CPUs are dynamically reserved for the software module.

You're best off starting by upgrading base ASA software to the current versions (9.3(1) or later - 9.4(2.11) is the current recommended release unless you need a feature only available in later releases) which allows you to not monitor module status for failover state determination. "no monitor-interface service-module"

If you have an HA pair with legacy IPS module and no SSD, you should remove the current service policy directing traffic to the IPS - correct.

Then power down the standby unit and install the SSD.

When you power it back on, the primary may complain that the mate is not ready due to non-matching hardware. Never mind that and force failover. Now repeat on the Primary which is newly in Standby state.

Install FirePOWER module on both units. Manage them in FMC and update to the latest patch and deploy your policies. Finally create the ASA MPF rules to direct traffic into them. 

0 Helpful

mozmorris1974
Level 1
Level 1
In response to Marvin Rhoads

‎07-28-2016 03:56 AM

Thankyou for the information Marvin also apriciated with your response, we are on 9.4(2).

I will use your instruction, the "scary" part to me would be Never mind that and force failover

"When you power it back on, the primary may complain that the mate is not ready due to non-matching hardware. Never mind that and force failover. Now repeat on the Primary which is newly in Standby state."

the force failover is that cleanly via the gui/cli  or do you mean  pull the power cord out the Live?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card