Solved: upgrade asa firepower module

georgezptl · ‎09-13-2018

If you upgrade the firepower service module while not redirecting traffic to it with the service policy, when it restarts will you get dropped packets?

Ajay Saini · ‎09-13-2018

Well, if you are not sending any traffic to firepower module from the ASA, then no impact will be there on traffic due to any activity on firepower module including a reboot on the module. So, in short no dropped packets if no traffic is redirected.

Infact this is a recommended action to either have 'fail-open' action set in policy created for Firepower on ASA or remove the redirect policy while doing any maintenance on the Firepower.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html

HTH
AJ

View solution in original post

Ajay Saini · ‎09-13-2018

Well, if you are not sending any traffic to firepower module from the ASA, then no impact will be there on traffic due to any activity on firepower module including a reboot on the module. So, in short no dropped packets if no traffic is redirected.

Infact this is a recommended action to either have 'fail-open' action set in policy created for Firepower on ASA or remove the redirect policy while doing any maintenance on the Firepower.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html

HTH
AJ