Upgrade asa failover pair from 8.2 to 8.4 w/o zero-downtime

javier_streb
Level 1

Since the "zero-downtime upgrade" is not supported, I would like to validate the process I put together for upgrading a failover pair of asa5550 with the characteristics below. Specifically I am concerned with the role of the standby during the upgrade. This is my setup:

.- single context mode

.- active/standby

.- current firmware asa821-k8.bin / asdm-621.bin

.- role: firewall and VPN concentrator for segmented server farm network. Dynamic/static/exemption NAT heavily used.

My target is asa842-k8.bin / asdm-645.bin and I am doing a two-step upgrade (8.2(1) -> 8.3(1) -> 8.4(2)) to avoid the "unidirectional" attribute and CSCtf89372 bug issues. This is a short version of what I have in mind:

   .- Verify stability of failover pair and make adequate backups before beginning.

   .- plug into the console of active, ssh into active and standby.

   .- vpn/act(config)# no failover            ( disable failover from active )

   .- vpn/act(config)# asdm image disk0:/asdm-645.bin

   .- vpn/act(config)# clear config boot system

   .- vpn/act(config)# boot system disk0:/asa831-k8.bin

   .- vpn/act(config)# sh bootvar

   .- vpn/act(config)# write mem

   .- vpn/act(config)# end

THIS NEXT STEP IS WHAT I AM CONCERNED WITH. IS THERE A RISK THE STANDBY CAN BECOME ACTIVE? SHOULD I SHUTDOWN OR CUTOFF THE STANDBY FROM THE NETWORK BEFORE DOING THIS?

   .- vpn/act# reload

After reboot, point to 8.4(2) and reload again. Same concern regarding the standby unit.

I understand there might be configuration tweaks needed to the NAT configuration. After second reboot test connectivity and if successful, on active "failover", "write standby" and "failover reload-standby". Otherwise "downgrade" and back to the drawing board.

6 Replies

Jay Johnston
Cisco Employee

Javier,

The zero-downtime upgrade should work fine, as users have commented at the end of this document:

https://supportforums.cisco.com/docs/DOC-12690

- You don't want to disable failover. Doing this won't cause the standby to go active immediately, but it could cause problems with the rest of the upgrade.

- You don't want to reload the active unit, make it standby first before you reload. That ensures an instant switchover (instead of reloading the active firewall and waiting for the unit holdtime to expire before the failover occurs).

The doc (http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/admin_swconfig.html#wp1240251) says:

"You can upgrade from a minor release to the next minor release. You cannot skip a minor release.

For example, you can upgrade from 7.0(1) to 7.1(1). Upgrading from 7.0(1) directly to 7.2(1) is not supported for zero-downtime upgrades; you must first upgrade to 7.1(1)."

Does it mean that we can't update a failover pair from 8.2 to 8.4 with zero-downtime?

Thanks,

Armand

Hi Armand,

Short answer: you CAN upgrade from v8.2 to v8.4 without going through v8.3, following the zero-downtime procedure on a failover pair.

Granted, you will have to carefully review the resulting NAT configuration and probably do some cleanup after the fact.

In our case we had to skip v8.3 due to a timeout in the NAT migration process that would cause the active unit to force a re-synchronization of the recently upgraded standby back to the previous configuration. I migrated from asa821-k8.bin to asa842-9-k8.bin; note this is an interim firmware provided by Cisco support for open cases, not a published binary.

The bugs that I ran into are:

CSCti36048 (3 ASA upgrade to 8.3(2) adds unidirectional keyword to manual nat lines)

CSCtj20724 (ASA hitless upgrade from 8.2 to 8.3: upgraded unit reload upon conf sync.)

It is my understanding that little support is being put into v8.3 and fixes done on v8.4 are not necessarily being backported to v8.3.

I hope this helps.

J.S.
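Added example, not posted by anyone in this thread: a small script that reviews a post-migration (8.3/8.4 syntax) ASA configuration for the two things J.S. says need checking, manual (twice) NAT lines that picked up the unidirectional keyword and the extra objects the migration generates. It assumes the migration names its generated objects with an "obj-" prefix or "obj_any" (an assumption); the config fragment is constructed.

```python
import re
from typing import Dict, List

# Constructed fragment in 8.3+/8.4 syntax, as a migrated 8.2 config might look.
# A "unidirectional" twice-NAT line only translates in the source-to-destination
# direction, so an 8.2 static that used to accept inbound connections no longer does.
SAMPLE_CONFIG = """\
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object network obj-10.1.1.50
 host 10.1.1.50
 nat (inside,outside) static 203.0.113.50
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-10.2.2.0 obj-10.2.2.0 unidirectional
nat (dmz,outside) source static obj-10.1.1.50 obj-10.1.1.50
"""

# Assumed naming convention of objects generated by the NAT migration.
MIGRATED_NAME = re.compile(r"^(obj-|obj_any$)")


def review_nat(config_text: str) -> Dict[str, object]:
    """Count object (auto) NAT and twice NAT and flag lines worth a manual review."""
    report: Dict[str, object] = {"object_nat": 0, "twice_nat": 0,
                                 "unidirectional": [], "migrated_objects": []}
    current_object = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object network "):
            current_object = line.split()[2]
            if MIGRATED_NAME.match(current_object):
                report["migrated_objects"].append(current_object)
            continue
        if not line.startswith("nat ("):
            continue
        if raw[0].isspace() and current_object:
            report["object_nat"] += 1      # nat statement nested under an object
        else:
            report["twice_nat"] += 1       # top-level manual (twice) NAT
            current_object = None
        if "unidirectional" in line.split():
            report["unidirectional"].append(line)
    return report


if __name__ == "__main__":
    for key, value in review_nat(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the output of "show running-config" taken after the upgrade; every line listed under unidirectional is one where inbound access to the mapped address should be re-tested.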

Hi,

Cisco procedure (here) concerning the 8.2 to 8.4 upgrade of an active-standby configuration didn’t run successfully.
We had to connect on both of them locally to reload the ASAs and restore the failover status ...

Armand

Hi

I have CISCO 5510 firewall running with IOS ASA821-k8.bin.

My company has purchased another ASA5510 with IOS ASA843-k8.bin

We need to run both firewalls in Active/Standby mode.

If I upgrade the IOS of the old firewall to ASA843-k8.bin, the running configuration does not work properly.

It does not pick up the network objects and NAT rules as they are configured with the OLD IOS and running.

Or if I restore the configuration of the old firewall on the new ASA, the result is worse. Even the firewall with the new IOS does not show any Access Rule or NAT rule and does not support network objects.

Any help to solve this issue: how can I upgrade from 8.2 to 8.4?

Hi Mahmood,

My experience is that the NAT reconfiguration will introduce additional definitions to the ones you had but will still do a valid conversion of what is in place. You might find more network object definitions, access-list entries and NAT definitions, but the configuration should still work. Other than rewriting the NAT, access-lists and object-groups should remain, plus new additions. What error messages does the upgrade give you?

I would expect loading a pre-8.3 configuration on a box running v8.4 to fail, which is what you seem to be experiencing.

J.S.
