Solved: Upgrading ASA5550 from 8.2(2) to 8.4(2)

Tim Hamblin · ‎09-21-2011

Hi all,

First post so be gentle!!!

I are currently implementing a new patching schedule (when I say new i mean a company first!!!) and I have identified that the firewalls are all running 8.2(2). I would like to bring these up to the latest version but am a little worried about impact!!! I have setup a test firewall with the config from our live asa's and run the upgrade but have received multiple lines like the following:

.....................................................................................................WARNING:

MIGRATION: NAT Exempt command is encountered in config.

Static NATs which overlap with NAT Exempt source are not migrated.

Please check migrated ACLs for accuracy.

*** Output from config line 4167, "access-group outside_acc..."

....and......

NAT migration logs:

The following 'nat' command didn't have a matching 'global' rule on interface 'dmzs' and was not migrated.

nat (newcompany) 1 0.0.0.0 0.0.0.0

Not being able to test the upgraded firewall in a live environment I am worried that the upgrade has left out some critical stuff and won't work properly when migrated. Is there anything I can do to stop these errors (i.e. change the configs before upgrade) or are they informational and everyhting should work fine?? (unlikely I know)

Any Help most appreciated!

Tim

varrao · ‎09-21-2011

Hi Tim,

Can you post me the config fom both the versions, which is config before the upgarde and after the upgarde, i'll compare them and let you know if you are missing anything.

Moreover you can refer this doc for the ASA 8.3 or later upgrade:

https://supportforums.cisco.com/docs/DOC-12690

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎09-21-2011

Hi Tim,

Can you post me the config fom both the versions, which is config before the upgarde and after the upgarde, i'll compare them and let you know if you are missing anything.

Moreover you can refer this doc for the ASA 8.3 or later upgrade:

https://supportforums.cisco.com/docs/DOC-12690

Thanks,

Varun

Thanks,
Varun Rao

varrao · ‎09-21-2011

You can refer to the migration guide as well, it woudl be great help:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Thanks,

Varun

Thanks,
Varun Rao

Tim Hamblin · ‎09-21-2011

Thanks Varun,

I will get a copy of the configs, before and after, and send them over.

Looks like your first post has already answered some of my problems:

The folowing errors.....

NAT migration logs:

The following 'nat' command didn't have a matching 'global' rule on interface 'dmzs' and was not migrated.

nat (newcompany) 1 0.0.0.0 0.0.0.0

........are easily removed by issuing "no nat-control" prior to upgrade.

Tim

varrao · ‎09-21-2011

Yup. Do let me know once you have the config, we can compare them and see if any changes needed be done.

-Varun

Thanks,
Varun Rao

Tim Hamblin · ‎09-21-2011

Varun,

I have the configs but, for obvious reasons do not want to post them on here, can I send them to you???

Tim

varrao · ‎09-21-2011

Yes sure, you can send attach the files and send Private message to me.

Varun

Thanks,
Varun Rao

NSG Manager · ‎11-06-2011

Can I upgrade directly to 8.4(2) from 8.2(2)? Or I have to go via 8.3?

varrao · ‎11-06-2011

Hi,

You can very well go from 8.2.2 to 8.4.2, that would not be a problem. Just make sure about the memory requirements and upgrade procedures as mentioned in the links above in the post.

Thanks,

Varun

Thanks,
Varun Rao

ranemilind · ‎01-12-2012

Hi Team,

i am also facing some problem in 8.4.2, i upgraded both primary and secondary ASA from TFTP from 8.3 to 8.4.2.

After this primary is stable but secondary ASA continiously rebooting,

need help on this.

Regards

MR