Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1114
Views
0
Helpful
1
Replies

Upgrade of a ASA5525 active/passive cluster: New release was skipped

swscco001
Level 1
Level 1

‎09-22-2021 12:34 AM - edited ‎09-22-2021 01:14 AM

Hello everybody,

 

I have to upgrade a ASA5525 active/passive cluster from rel. 9.12(4)
to the suggested release 9.14(2)15 and it is not my first upgrade.

 

The boot oder in the config on both nodes is:
boot system disk0:/asa9-14-2-15-smp-k8.bin
boot system disk0:/asa9-12-4-smp-k8.bin
boot system disk0:/asa9-12-3-smp-k8.bin
and all files are stored in te flashed of both nodes.

 

After the command:
# failover reload-standby
on the active primary node the passive standby node
boots the release 9.12(4) again.

 

I checked this on the passive standby node:

mut-asa-cl01# sh run
ASA Version 9.12(4)              <---
...

mut-asa-cl01# sh fa
Failover On
Failover unit Secondary
Failover LAN Interface: FO-LINK GigabitEthernet0/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 466 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.12(4), Mate 9.12(4)                <---
Serial Number: Ours FCH2025J9A2, Mate FCH2025J9B4
Last Failover at: 17:13:20 CEDT Sep 21 2021
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.12(4)) status (Up Sys)                         <---
                  Interface Interface-Outside (62.152.179.93): Normal (Monitored)
                  Interface Outside-GmuendCom (0.0.0.0): Normal (Not-Monitored)
...

I don't know why it skipped the first release in the boot order: 9.14(2)15

 

I stopped the upgrade procedure here.

 

Please find the 'show tech' output attached.

 

What would you do in this situation?

 

Thanks a lot!

 

 


Bye
R.

Preview file
810 KB
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-28-2021 01:24 AM - edited ‎09-28-2021 01:27 AM

As indicated in your show tech output:

Configuration register is 0x1

This is the default value and should cause the ASA to boot the first image specified in your "boot system ..." commands. Refernce:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/clf-crx-commands.html#wp8225270190

To see why it isn't working, you would have to capture the console output during a reload of the problem unit. It could be a corrupted image; but in your case I see the command history shows you have verified the image.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card