Upgrade Active/Passive ASA cluster from 8.6(1) to 9.4(4)

raul.rico · ‎03-30-2017

Hi everybody,

I wanted to ask if it's safe to upgrade an ASA Active/Standby cluster running 8.6(1) image, to the new 9.4(4) version.

Following the upgrade page indications (https://www.cisco.com/c/en/us/td/docs/security/asa/migration/upgrade/upgrade.html#ID-2152-0000000a), I first must install version 9.0(2) and then upgrade to 9.4(4). So the upgrade path will be:

8.6(1) [asa861-2-smp-k8.bin] --> 9.0(2) [asa902-smp-k8.bin] --> 9.4(4) [asa944-2-smp-k8.bin]

Does anyone tried this upgrade path before? This versions are stable enough to guarantee success of the upgrade?

The cluster is in a critical production environment and I must ensure that no bugs will be found during the upgrade process.

Any help on this subject is really appreciated.

Regards.

Marvin Rhoads · ‎03-30-2017

Yes - that direction is failsafe. Just follow the directions exactly and you should see a true zero downtime upgrade.

I haven't used those exact three versions but I have upgraded dozens of HA pairs without incident. When you do an upgrade on an HA pair, you always start with the standby unit and don't switch it to Active until it successfully reloads with the new image. Thus you always have an active unit that is loaded fine and ready to take over.

A few less obvious things to watch for is to make sure that any VPN profiles, AnyConnect images and DAP profiles (if any) are on both units before starting the upgrade. Also make sure that both have the same current ASDM image.

Failover normally sends out a gratuitous arp to the upstream router(s). In the event that they don't recognize that it's good to have access to them or an open ticket with the 3rd party that runs them just in case they need to clear their arp cache manually.

raul.rico · ‎03-30-2017

Hello Marvin. Thank you for your answer.

I'll follow your tips and make sure all VPN profiles and ASDM images are present on both units.