12-26-2013 12:45 PM - edited 03-11-2019 08:22 PM
I have many ASA 5510 & 5520 that need updating and I have been trying to find a way to automate the process. Several of the devices are running in Active/Active mode (Primary is active and the Secondary is in Standby mode).
I have been looking through the ASDM features and I have found the auto update feature. This looks like a good way to go as it downloads the software to the primary and then transfers it to the secondary device. Then it performs the update 1 device at a time starting with the secondary device. But it says I need an update server to hold the new software and I am not sure how to set one up. I have a machine that has FileZilla server installed, but that uses FTP and the settings in auto update are looking for an HTTPS address.
The other option I have available is Cisco Prime Infrastructure 2.0. I can use this to manage software but there isn't anything about how to use it with an ASA set up as an HA pair.
I could use any help you may have.
12-27-2013 11:15 AM
Cisco Security Manager is most typically used as an update server for large ASA deployments.
PI 2.0 is a bit rough around the edges on its ASA support and I would judge it not quite ready for that task. (That's even with the December 2013 update package that enhanced ASA support.)
Depending on your version levels, most people aren't comfortable with auto updating firewalls. Things changed significantly with post-8.2 and all of the migrations I have ever done of that (several dozen) involved manual verification of the new syntax and operations.
12-30-2013 08:42 AM
I was afraid it would take something different from Cisco to do what I wanted. I was just hoping I could find a way not to have to do updates on the weekend.
I only have 1 ASA that hasn't already been updated past 8.2 and that 1 unit doesn't have any NAT statements on it. Hopefully that update won't go too badly. It is over in Asia so maybe I can get permission to update this 1 during my Friday work day.
It would be really nice if Cisco would add an update feature like the Nexus switches have for telling you about potential problems you might encounter prior to starting an update.
Thanks for the help.
12-30-2013 02:59 PM
You're welcome.
The Cisco elves are working on an offline ASA migration tool that can be shared publicly. Many customers and partners have asked for it and we hope to see it during 1H CY 2014.
Right now you only get a log file on the ASA that the parser generates when loading and converting the syntax. If you have the luxury of a lab ASA matching your production ASA you can load your production configuration on there to generate the log file.