Is it possible to upgrade

albertofdez · ‎04-27-2017

Hi,

I want to upgrade the IPS module in ASA5585 and have a few questions.

The SSP-IPS10 is running 7.1 (1) E4 and I want to upgrade to version 7.3 (5) E4 in order to install the update of the latest signatures S978.

The ASA5585 are in Active / Standby mode and I want to know if it is possible to update the IPS module without loss of service.

If I update the IPS of the ASA5585 that is like Standby, does the HA detect that I have a different version of IPS and will have problems?

Best regards.

Marvin Rhoads · ‎04-27-2017

You can do it as a zero downtime event similar to how you do an ASA upgrade. In a production environment a change window is still recommended so that there is a documented procedure and awareness of the activity.

When you first upgrade, do it on the Secondary-Standby unit's IPS. The Active unit will detect the service module on the Standby unit is down while the reload occurs but that only serves to mark the Standby as "not ready".

Once the upgrade completes successfully then make the Standby unit Active ("no failover active" command on the Active unit). Then upgrade the newly Standby unit as well.

Finally, switch the Priamry-Standby unit back to Active role.

albertofdez · ‎04-27-2017

Hi Marvin,

Thanks for the information and for the quick response.

Best regards.

Marvin Rhoads · ‎04-27-2017

You're welcome.

Please mark your question as answered if it has been.

albertofdez · ‎04-27-2017

Is it possible to upgrade directly from version 7.1 (1) E4 to 7.3 (5) E4 or do you have to go through some intermediate version?

Marvin Rhoads · ‎04-27-2017

It's a straight upgrade. The release notes detail the procedure:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-3/release/notes/release7-3-5.html#pgfId-1406026

Upgrade ASA5585-SSP-IPS10 in HA A/S