Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1427
Views
0
Helpful
8
Replies

upgrade firewall software in failover pair

Go to solution
Kashish_Patel
Level 2
Level 2

‎07-20-2012 01:14 AM - edited ‎03-11-2019 04:33 PM

I need to upgrade two firewalls (in failover pair) remotely. Could somene tell me what is the way to go forward? Do I need to worry about licenses and stuff?

Thanks,

Kashish

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎07-20-2012 05:37 AM

Since you are running dynamic routing protocols, the routing instand is only active on the primary active firewall, not both. That's the reason why you can't access the tftp server on the standby unit.

What you can do is upload the image to the primary active ASA, then failover the firewall to the secondary standby ASA. Once the secondary ASA becomes the Active ASA, then you can upload the image to this ASA.

Since you can only access the active unit, once you have configured the boot system with the new image, and save the config, then you can reload the ASA one at the time.

Reload the secondary after you have uploaded the image, this will cause failover to the primary. Monitor the status of secondary by issueing "show failover", and once the secondary is up, and the software has been upgraded, then you can reload the primary active unit.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-20-2012 01:26 AM

Here is the configuration guide to upgrade firewall in failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398

If you are just performing the upgrade on the existing failover pair, then nothing to worry about licensing.

What version are you currently running and what you are going to upgrade it to? With ASA version 8.2 and above, there is requirement for more memory if you don't already have them. And with ASA version 8.3 and above, there are lots of changes to the configuration, ie: ACL, NAT

0 Helpful

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jennifer Halim

‎07-20-2012 01:35 AM

Jennifer,

first step in the guide says : "

Download the new software to both units, and specify the new image to load with the

boot system

command"

I cannot ssh to the secondary firewall unit. Will I be able to download image to it if it is in secondary state?

I am upgrading from 8.2(2)16 to 8.4(4)1.

Thanks,

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎07-20-2012 01:39 AM

You can download the image when it is in secondary/standby state. You would need network connectivity to the secondary firewall however, whether it is SSH, telnet or ASDM to download the image.

And i am assuming that you are aware of the new changes to configuration on version 8.4.4, right?

here is the release notes for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

0 Helpful

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jennifer Halim

‎07-20-2012 02:29 AM

Yes I am aware of changes that 8.4.4 will bring.

Problem is I cannot ping tftp server from secondary unit.

fw1# sh failover

Failover On

Failover unit Secondary

fw1# ping 10.10.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.1

, timeout is 2 seconds:

No route to host 10.10.10.1

Success rate is 0 percent (0/1)

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎07-20-2012 02:56 AM

Can you please share your configuration.

Show failover

show run interface

show route

on both ASA. Thanks.

0 Helpful

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jennifer Halim

‎07-20-2012 03:44 AM

Jennifer,

I just sent you the outputs in a private message.

Thanks.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Kashish_Patel

‎07-20-2012 05:37 AM

Since you are running dynamic routing protocols, the routing instand is only active on the primary active firewall, not both. That's the reason why you can't access the tftp server on the standby unit.

What you can do is upload the image to the primary active ASA, then failover the firewall to the secondary standby ASA. Once the secondary ASA becomes the Active ASA, then you can upload the image to this ASA.

Since you can only access the active unit, once you have configured the boot system with the new image, and save the config, then you can reload the ASA one at the time.

Reload the secondary after you have uploaded the image, this will cause failover to the primary. Monitor the status of secondary by issueing "show failover", and once the secondary is up, and the software has been upgraded, then you can reload the primary active unit.

0 Helpful

Go to solution
Kashish_Patel
Level 2
Level 2
In response to Jennifer Halim

‎07-23-2012 10:41 AM

Thanks Jennifer. I was able to upgrade ASAs successfully.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card