03-21-2014 07:52 AM - edited 03-10-2019 06:10 AM
Hi,
I have an active/standby ASA, both fitted with SSM-10. We are planning to do a software upgrade for the SSM-10. My concern here is the proper steps.
Should we start the upgrade with the secondary unit first before we perform the upgrade for the Primary? Please advise.
Regards,
03-24-2014 04:40 AM
Yes, when the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby. Reload the primary with the new image.
04-02-2014 03:42 PM
It all depends on your Fail Open setting and your security posture.
If your primary ASA is set to Fail Closed, then taking the AIP-SSM offline for an upgrade will cause traffic to fail over to the standby ASA. If you are set for Fail Open then traffic will continue to pass through your primary ASA without IPS inspection until the AIP-SSM comes back.
Your security posture will dictate how important IPS inspection/dropping is to your organization. Is maintaining IPS inspection more important than failing over to the standby rail?
- Bob