07-25-2016 07:12 AM - edited 03-12-2019 06:05 AM
Can an upgrade from IDS/IPS be performed with no downtime when there are 2 5525X in HA?
From looking at articles I was planning the following action list, but as we have no spare equipment we can't practise offline.
5525X are active/standby HA
From the common ASDM Service Policy Rules make a note and remove any rule actions that put traffic to the IPS vs0
Standby, unit B
Configure in FireSIGHT
LIVE, Unit A
Configure in FireSIGHT
From the common ASDM Service update the rules to point traffic to the sfr module from the notes made in the first task.
Cheers
Mike
07-26-2016 07:33 PM
Hot insertion of the SSD is not supported under any scenario. It needs to be in place during appliance boot for it to be recognized and then memory and CPUs are dynamically reserved for the software module.
You're best off starting by upgrading base ASA software to the current versions (9.3(1) or later - 9.4(2.11) is the current recommended release unless you need a feature only available in later releases) which allows you to not monitor module status for failover state determination. "no monitor-interface service-module"
If you have an HA pair with legacy IPS module and no SSD, you should remove the current service policy directing traffic to the IPS - correct.
Then power down the standby unit and install the SSD.
When you power it back on, the primary may complain that the mate is not ready due to non-matching hardware. Never mind that and force failover. Now repeat on the Primary which is newly in Standby state.
Install FirePOWER module on both units. Manage them in FMC and update to the latest patch and deploy your policies. Finally create the ASA MPF rules to direct traffic into them.
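The sequence in the reply above, sketched as ASA CLI. This is an added example and not part of the original reply; the class, ACL and policy names (IPS-CLASS, SFR-CLASS, SFR-ACL, global_policy) and the IPS mode shown are assumptions to be replaced with what the running configuration actually contains.

```cisco
! Added example: names and the existing IPS line are assumed, check "show run policy-map".
!
! 1. Active unit, config mode: stop module status from deciding failover state
!    (command quoted in the reply; needs ASA 9.3(1) or later). Replicates to the standby.
no monitor-interface service-module
!
! 2. Active unit: note the existing IPS redirect, then remove it.
!    The mode (inline/promiscuous, fail-open/fail-close) must match the existing line.
policy-map global_policy
 class IPS-CLASS
  no ips inline fail-open sensor vs0
!
! 3. Power down the standby, fit the SSD, power it back on, then check the pair.
show failover state
!
! 4. On the unit that is currently standby (now with its SSD): take the active role.
!    This is an administrative switchover. Afterwards repeat step 3 on the other unit.
failover active
!
! 5. After the FirePOWER module is installed on both units, registered to FMC,
!    patched and has policy deployed: confirm the module is up before redirecting.
show module sfr details
!
! 6. Redirect traffic to the sfr module, recreating the scope noted in step 2.
access-list SFR-ACL extended permit ip any any
class-map SFR-CLASS
 match access-list SFR-ACL
policy-map global_policy
 class SFR-CLASS
  sfr fail-open
```

With `sfr fail-open`, traffic passes uninspected if the module is down; `sfr fail-close` drops it instead, so the choice decides whether a module failure costs inspection or availability.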
07-28-2016 03:56 AM
Thank you for the information Marvin, your response is also appreciated; we are on 9.4(2).
I will use your instructions; the "scary" part to me would be "Never mind that and force failover":
"When you power it back on, the primary may complain that the mate is not ready due to non-matching hardware. Never mind that and force failover. Now repeat on the Primary which is newly in Standby state."
The force failover, is that done cleanly via the GUI/CLI, or do you mean pull the power cord out of the Live?