upgrade asa 5510 version

Benjamin Saito
Level 1

I am upgrading a pair of 5510's in active/standby mode. Currently they both have 7.2(3). What is the upgrade path I need to take to do this correctly? I need to upgrade to 8.2(4). Can I just upgrade to 8.0(2) then upgrade straight to 8.2(4) from there or do I need to do 8.1 before moving on to 8.2?

Accepted Solutions

I followed just that path recently (7.2-8.0(5)-8.2(5) to be precise), and it worked fine - zero downtime all the way.

The pair should be upgraded pairwise - e.g., A then B then A then B etc. until both are at the target release.

I'd consider putting memory in the boxes to enable you to go all the way to 8.4(4) (and, soon, 9.0).

You can and should put the latest ASDM 6.4(9) on the boxes too.


Julio Carvajal
VIP Alumni

Hello Benjamin,

The question is, would you like to perform a zero downtime?

If yes then follow the next document:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398

If not, I will do it by going directly to 8.2(4). Also, is there any reason why you are going to 8.2(4)? Why don't you go to 8.2(5), because for me that is the most stable sub-version on that particular version.

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for the quick response. I was unaware of 8.2(5).

Zero downtime is the goal here. So the upgrade path will go like this: 7.2(4)-->8.0(2)-->8.2(5) and that will work?

For zero downtime, when I upgrade the standby fw to 8.0(2), after reloading it can I just go right on to upgrading it to 8.2(5) or do I need to then upgrade the active fw to 8.0(2)?

Hello Benjamin,

For a zero downtime:

7.2(4) to 7.2(5)

7.2(5) to 8.0(2)

8.0(2) to 8.0(5)

8.0(5) to 8.2(2)

8.2(2) to 8.2(5)

I know it's a lot of work but that is what needs to be done according to Cisco

"A good rating is as good or even better than a thank you, remember to rate the helpful posts "

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

in my understanding you don't need the maintenance releases when upgrading. And for me the zero-downtime worked with the upgrades from 7.2 -> 8.0 -> 8.2 where I always used the latest available versions for 8.0 and 8.2.

BTW: The upgrades run so smooth that I typically upgrade ASA failover systems through my remote VPN-connection.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsten,

Please check the following information taken from Cisco.

Performing Zero Downtime Upgrades for Failover Pairs

The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading both units to the same version as soon as possible.

Table 43-1 shows the supported scenarios for performing zero-downtime upgrades on a failover pair.

Table 43-1     Zero-Downtime Upgrade Support

| Type of Upgrade | Support |
|---|---|
| Maintenance Release | You can upgrade from any maintenance release to any other maintenance release within a minor release. For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between. |
| Minor Release | You can upgrade from a minor release to the next minor release. You cannot skip a minor release. For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1. |
| Major Release | You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release. |

This will answer your question

Regards,

Remember to rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
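
Added example (not part of the thread and not Cisco tooling): the three rows of Table 43-1 expressed as a hop checker, plus a check that a failover pair never ends up more than one supported hop apart during a schedule. The `TRAINS` list and the unit names `A`/`B` are assumptions built from the versions mentioned in this thread.

```python
import re

# Assumption: ordered release trains for this platform, taken from the paths
# discussed in the thread; this is not an official Cisco list.
TRAINS = [(7, 0), (7, 1), (7, 2), (8, 0), (8, 2)]

def parse(version):
    """'8.2(5)' -> (8, 2, 5); a bare '8.2' -> (8, 2, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\((\d+)\))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def classify_hop(src, dst, trains=TRAINS):
    """Return (kind, supported) for one hop, following the table's three rows."""
    s, d = parse(src), parse(dst)
    if s[:2] == d[:2]:
        return "maintenance", True  # any maintenance release within a train
    if s[:2] not in trains or d[:2] not in trains:
        raise ValueError("train not in the assumed TRAINS list")
    kind = "minor" if s[0] == d[0] else "major"
    # Minor: next train only. Major: last train of the old major to the first
    # train of the new one. Both reduce to adjacency in the ordered list.
    return kind, trains.index(d[:2]) - trains.index(s[:2]) == 1

def first_violation(start, steps, trains=TRAINS):
    """steps: [(unit, new_version)]. Return the index of the first step that
    leaves the pair more than one supported hop apart, or None if clean."""
    running = {"A": start, "B": start}
    for i, (unit, new) in enumerate(steps):
        running[unit] = new
        lo, hi = sorted(running.values(), key=parse)
        if not classify_hop(lo, hi, trains)[1]:
            return i
    return None

def pairwise(path):
    """One unit, then the other, at each release in the path."""
    return [(unit, version) for version in path for unit in ("A", "B")]

if __name__ == "__main__":
    # Constructed schedules using versions named in the thread.
    print(first_violation("7.2(3)", pairwise(["8.0(5)", "8.2(5)"])))
    print(first_violation("7.2(3)", [("B", "8.0(5)"), ("B", "8.2(5)")]))
```
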

Please check the following information taken from Cisco

Yes, I know that one. But I don't read there that I have to upgrade through the maintenance-versions as in your example.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsten,

I see what you mean, I have done it directly sometimes but what happens if the customer has a problem?

They would ask us: why did you not follow the procedure as Cisco said?

So right now here is what we have:

Mine

7.2(4) to 7.2(5)

7.2(5) to 8.0(2)

8.0(2) to 8.0(5)

8.0(5) to 8.2(2)

8.2(2) to 8.2(5)

Yours

7.2 -> 8.0 -> 8.2

Both could work but as per Cisco recommendation mine is the one you should use because we need to be on the last minor release in order to go to the next major release.

What is the last minor release before 8.0(2)?

It's 7.2.5, that is why we need to go there

Same thing happens from 8.2(2) and so on and on and on....

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

But the last minor release to go to 8.0 is 7.2, regardless of the maintenance-version.

And when 8.0(2) was released, there was only the 7.2.2 available, so no way to go to 7.2.5 before going to 8.0(2).

Do you see what I mean?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks, I can see what both of you are saying. Can I completely upgrade the standby firewall and then completely upgrade the active firewall?

For example, run this upgrade path on the standby:

7.2(4) to 7.2(5)

7.2(5) to 8.0(2)

8.0(2) to 8.0(5)

8.0(5) to 8.2(2)

8.2(2) to 8.2(5)

And then switch standby to active and then run all those upgrades on the former active fw. Or would I have to run 1 upgrade at a time on each fw? Thanks!

No, the versions Julio and I are talking about are the differences on both units.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello All,

Karsten, I see what you mean and got to admit it.

Now Ben, let's follow Karsten's path:

7.2 -> 8.0 -> 8.2

But you will run it on both devices as if the versions do not match to keep the zero-downtime failover then they will not be able to keep the failover up and running.

So no way to do the whole upgrade process on one of them first and then on the other one.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
