
Migrating An ASA5510 from 8.2.5 to upper versions

ValoremTI
Level 1

Hello,

We need to upgrade the ASA version from 8.2.5 to 8.4.7, but we are not sure if we can do it directly with no major consequences or problems. Is it good to make this jump directly? The appliance is an ASA5510 (with enough RAM for the new versions).

Thanks in advance for your help.


Marvin Rhoads
Hall of Fame

For a single unit (i.e. not in an HA pair) with adequate RAM, you can upgrade directly. Of course the appliance will need to be reloaded and thus have some downtime.

The configuration parser will convert the NAT and access-list changes and you need to pay careful attention to them and any startup_errors log that is generated.

Many people recommend using the opportunity to clean up any unused and incorrect configuration bits while doing this. It makes the config cleaner and helps you better understand your firewall and ensure it is fulfilling its role in your security policy.

Hi Marvin,

Actually we have an HA cluster (Active/Passive). We have read that first we have to upgrade the standby module and reload it, then pass the "active state" to the recently updated one, and finally upgrade the "new standby"; then, once both modules are up and upgraded, assign the active role to the original one. (Please correct me if I'm wrong about this part.)

The thing is that we are afraid that a lot of configurations could be wrong after the upgrade (the access-lists, the NATs). So we received some sort of answer about this:

1. First migrate the NAT configuration and access-list configuration and keep it ready.

2. Erase all the NAT and access-list related configuration of the ASA.

3. Upgrade both modules according to the procedure in CISCO.COM (Posted in this answer).

4. Reconfigure the NATs and access-lists with the new syntax (it should be ready from the first point).

Please let me know if this is a valid procedure and a secure one.

Regards,

Yes, that would work.

The strictly supported method when taking an HA pair from 8.2(x) to 8.4(x) would be to first take them both to 8.3(x) but I've done it several times without making that interim step and it has worked fine.

You will get warning notices while the two units are not in sync on their versions and you should plan to complete that migration during one single session as it is strongly not recommended to leave an HA pair running mismatched versions.

Thanks for your answer about this. I will perform the migration next month. I will let you know how everything goes.
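
An added example, not part of the thread or any Cisco tooling: a pre-upgrade inventory of the legacy NAT statements the thread says need careful review, plus the access-list entries that name a static's mapped address (from 8.3 on, ACLs match the real address instead). The sample configuration, names and addresses are constructed, and only the plain and port-forward `static` forms are parsed.

```python
import re
from collections import defaultdict

# Constructed 8.2-style sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.0.0 255.255.255.0
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.99.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq 25
access-group OUTSIDE_IN in interface outside
"""

# Pre-8.3 NAT commands: single-interface "nat", "global", top-level "static".
LEGACY = {
    "nat-control": re.compile(r"^nat-control\b"),
    "global": re.compile(r"^global \(\S+\) \d+ "),
    "nat": re.compile(r"^nat \([^,)\s]+\) \d+ "),
    "static": re.compile(r"^static \([^,]+,[^)]+\) (.+)$"),
}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def inventory(config):
    """Return (legacy NAT lines by kind, ACL lines naming a static mapped IP)."""
    found, mapped = defaultdict(list), {}
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for line in lines:
        for kind, rx in LEGACY.items():
            m = rx.match(line)
            if not m:
                continue
            found[kind].append(line)
            if kind == "static":
                # These forms list the mapped IP first, then the real IP.
                ips = IPV4.findall(m.group(1).split(" netmask")[0])
                if len(ips) >= 2:
                    mapped[ips[0]] = ips[1]
    acl_hits = [(ln, ip, mapped[ip]) for ln in lines
                if ln.startswith("access-list ")
                for ip in mapped if ip in ln.split()]
    return dict(found), acl_hits

if __name__ == "__main__":
    legacy, acl_hits = inventory(SAMPLE_CONFIG)
    for kind, entries in legacy.items():
        print(f"{kind}: {len(entries)} statement(s) to verify after conversion")
    for line, mapped_ip, real_ip in acl_hits:
        print(f"ACL uses mapped {mapped_ip} (real {real_ip}): {line}")
```

Comparing this inventory with the converted configuration and the startup errors log gives a line-by-line checklist for the review.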
