Solved: How to upgrade (adding SSP SFR module) Cisco ASA 5585-x without downtime Active/Standby configuratio...

ugabichipaopao · ‎11-30-2015

Hello everyone!

I am working with upgrade of Cisco ASA 5585-X. I am planning to install (add) SSP-20 SFR module to existing failover pair (two cisco ASA).

My question is how to do this upgrade without downtime or with minimal network outage? Is it possible?

Some instructions or ideas?

Thanks

BR

Max

Akshay Rastogi · ‎11-30-2015

Hi Max,

Module on ASA5585 are not hot swapable. Therefore you need to bring down the chassis before installing the SFR module.

You could use below procedure to have a minimum downtime :

If ASA is running version 9.3.1 or above then first configure:

'no monitor-interface service-module

This would disable Monitoring for Service Module on ASA.

Step1 :Power of the standby ASA. Install the module on it.

Step2 : Power on the ASA. It would come up first as Standby and then move to Failed state.

Step 3: Power of the Active ASA. Now, Standby/Failed ASA would come up as Active and would start passing the traffic.

Step4: Power on the ASA and now it would come up as Standby. As both are on the same Unit Health, It would continue to server as Standby Unit.

Enable the Monitoring back with 'monitor-interface service-module' command if disabled earlier.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

View solution in original post

nspasov · ‎11-30-2015

Hi Max, you can remove the existing module and install the new one without taking the whole chassis offline. However, you need to poweroff the module before performing the hardware swapping. For more information check out hardware installation guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118824-configure-firepower-00.html

Thank you for rating helpful posts!

Thank you for rating helpful posts!

Akshay Rastogi · ‎11-30-2015

Hi Neno,

I believe, this is about if you have a module which is AIP SSM (on 5510, 5520 etc devices ) or CX module. Not for SSP.

Excerpt from the Document you pasted:

"Given an ASA SSM always occupies one of the two slots in the ASA 5585-X chassis, if you have a hardware module other than the FirePOWER (SFR) Services SSP such as the SSP-CX (Context Aware) or AIP-SSM (Advanced Inspection and Prevention Security), the other module must be uninstalled to make space for the SSP-SFR. Before you remove a hardware module, run the following command to shutdown a module"

I have provided the link which shows about modules are not hot swapabble(only power module and SFPs are hot swapabble.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Pascal Martin · ‎09-12-2016

Hi Akshay,

I would like additional information about your explication.

Step 2 : The failed state correspond to NoFailover in the prompt ?

Step 3 : At power off the active ASA , the traffic is broken ? how many time?

Thanks

Best regards

Pascal

Akshay Rastogi · ‎11-30-2015

Hi Max,

Module on ASA5585 are not hot swapable. Therefore you need to bring down the chassis before installing the SFR module.

You could use below procedure to have a minimum downtime :

If ASA is running version 9.3.1 or above then first configure:

'no monitor-interface service-module

This would disable Monitoring for Service Module on ASA.

Step1 :Power of the standby ASA. Install the module on it.

Step2 : Power on the ASA. It would come up first as Standby and then move to Failed state.

Step 3: Power of the Active ASA. Now, Standby/Failed ASA would come up as Active and would start passing the traffic.

Step4: Power on the ASA and now it would come up as Standby. As both are on the same Unit Health, It would continue to server as Standby Unit.

Enable the Monitoring back with 'monitor-interface service-module' command if disabled earlier.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

nspasov · ‎11-30-2015

Akshay, would he still need to power off the whole chassis even after issuing hw-module module 1 shutdown command?

Thank you for rating helpful posts!

Akshay Rastogi · ‎11-30-2015

Hi Neno,

Yes, you need to power-off the chassis. Use the link below for the same :

http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5585guide/5585Xhw/procedures.html#pgfId-1114069

Hope it answer your query.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Daniel Stefani · ‎08-02-2016

Hello Akshay,

I'm in same situation (planning add a new SSP SFR).

Even entering "no monitor-interface service-module" command before, in step 2 Standby will go into Failed State? Why?

There is a cisco documentation about this procedure?

Best Regards,

Daniel Stefani

niko · ‎10-21-2016

Hi Daniel,

How did the upgrade went for you? Was there any unexpected results/issues?

Pascal Martin · ‎09-09-2016

Hi Akshay,

I would like additional information about your explication.

Step 2 : The failed state correspond to NoFailover in the prompt ?

Step 3 : At power off the active ASA , the traffic is broken ? how many time?

Thanks

Best regards

Pascal

How to upgrade (adding SSP SFR module) Cisco ASA 5585-x without downtime Active/Standby configuration