08-20-2012 02:26 AM - edited 03-11-2019 04:43 PM
Hello,
We are going to upgrade our 5580 ASA cluster from 7.2 to 8.2 and want to do it this way (which worked for all 7.x upgrades):
Does it work? Any experience?
Does it work if both firewalls can see each other during the boot process?
or
Do I have to bring the secondary into monitor mode so the firewall is not visible to the primary?
Thanks for the help
08-20-2012 03:41 AM
You can upgrade your cluster while both units are online. But you need to do it in several steps, as an upgrade from 7.2 to 8.2 is not directly supported. The process is described under "Performing Zero Downtime Upgrades for Failover Pairs":
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-28-2012 12:42 AM
Hi
Already mentioned by Karsten, but I want to confirm it. Here is what we did and what worked:
You can jump straight from 7.2.5 to 8.2.5 with zero downtime.
However, I would suggest that you perform the upgrade in a scheduled time window, as the nodes will temporarily run different software versions during the upgrade process.
If you follow these steps you should be able to successfully carry out the upgrade with zero downtime:
1. Copy the image via TFTP to the primary ASA and set the new image to be used
(for example: boot system disk0:/asa825-k8.bin)
2. Copy the image via TFTP to the secondary ASA and set the new image to be used
3. On the active firewall run: failover reload-standby
When the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the following command on the active unit. Use the show failover command to verify that the standby unit is in the Standby Ready state.
4. Check the status of the secondary unit with "show failover"; when it is in the "Standby Ready" state, run "no failover active" on the primary ASA to force a failover to the secondary firewall, which will now become active with the new software version.
5. Reload the primary firewall.
Reload the former active unit (now the new standby unit) by entering the following command:
6. When the primary is in the "Standby Ready" state, issue the command "no failover active" on the secondary unit to put the primary unit back into the active state.
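The wait-for-Standby-Ready gate in steps 3, 4 and 6 above, as an added example that is not part of the original post: a check that reads captured "show failover" text and only approves "no failover active" when the peer is Standby Ready on the target image. The sample output is constructed and trimmed, and its exact layout is an assumption; the function names are hypothetical.

```python
import re

# Constructed, trimmed `show failover` output (layout is an assumption).
SAMPLE_MID_UPGRADE = """\
Failover On
Failover unit Primary
Version: Ours 7.2(5), Mate 8.2(5)
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

# Same capture with the peer not yet usable as a failover target.
SAMPLE_PEER_FAILED = SAMPLE_MID_UPGRADE.replace("Standby Ready", "Failed")


def parse_failover(text):
    """Extract software versions and unit states from `show failover` text."""
    info = {}
    m = re.search(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)", text)
    if m:
        info["ours"], info["mate"] = m.groups()
    for key, label in (("this", "This host"), ("other", "Other host")):
        m = re.search(rf"{label}:\s*(\w+)\s*-\s*(.+)", text)
        if m:
            info[key + "_role"] = m.group(1)
            info[key + "_state"] = m.group(2).strip()
    return info


def safe_to_fail_over(text, target_version):
    """Return (ok, reason) for running `no failover active` on this unit."""
    info = parse_failover(text)
    if any(k not in info for k in ("ours", "mate", "this_state", "other_state")):
        return False, "could not parse show failover output"
    if info["this_state"] != "Active":
        return False, "this unit is not active"
    if info["other_state"] != "Standby Ready":
        return False, f"peer state is {info['other_state']!r}, not Standby Ready"
    if info["mate"] != target_version:
        return False, f"peer runs {info['mate']}, expected {target_version}"
    return True, "peer is Standby Ready on the target version"


if __name__ == "__main__":
    for sample in (SAMPLE_MID_UPGRADE, SAMPLE_PEER_FAILED):
        print(safe_to_fail_over(sample, "8.2(5)"))
```

Unparseable output is treated as a refusal, so a changed output format stops the procedure instead of approving a failover blindly.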