Re: updating firepower on ASA HA pair

mozmorris1974 · ‎11-19-2018

Hi

We have a pair of ASA in HA, they have source/firepower running on them managed via Firesight management centre FMC.

Am i correct in thinking that within the FMC product update that Cisco Network Sensor Patch is the update for the ASA source/powerfire module?

and

If i choose an update and select the sensor that isn't on the live ASA within the HA pair then click install then it just updates the non live sensor and reboots the non live sensor only? and therefore there is no interruption to service.

Thankyou for your time in looking and hopefully responding.

fatalXerror · ‎11-19-2018

Hi @mozmorris1974,

The ASA with Firepower Services module behavior is like the old ASA with IPS module. Both module are acting active/active but the ASA is acting active/standby and the ASA monitors the Firepower module. If the Firepower module reboots, the ASA will failover since it detects that the module goes down unless you configure the following command,

no monitor-interface service-module

You also need to check the compatibility guide whether your existing ASA is compatible to your planned FP version.

In your case, upgrade/update first your standby FP module then re-deploy the config using your FMC to the new version of FP module. Then do a failover of your ASA and then upgrade/update the other FP module then re-deploy the config again using your FMC.

Thanks

mozmorris1974 · ‎11-20-2018

thankyou for the confirmation it is appreciated :)

i'll perform the work on the standby side then look to fail the ASA HA over, so they should be no downtime

thankyou again