Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
620
Views
0
Helpful
9
Replies

Upgrading Memory on Active and standby ASA

Go to solution
mahesh18
Level 6
Level 6

‎04-11-2013 09:17 AM - edited ‎03-11-2019 06:26 PM

Hi Everyone,

Need to upgrade the memory on ASA.

They are in pairs active and standby.

When i console in two standby one  it always show the same hostname of active one.

Need to know what is best practice to upgrade them memory on ASA  when they are in pairs?

Thanks

MAhesh

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-11-2013 09:51 AM

Hi,

The hostname will always be the same as they share the configuration.

I think you are able to see which one is active by issuing this command

prompt hostname state

This should do so that you see your firewall name in the command prompt normally BUT you will also see in which state the device is in failover added to the device name. So the command prompt should be different depending on the state of the device where you logged in.

With regards to the RAM upgrade

Generally when doing a hardware upgrade for a customer I have a planned downtime/maintenance window where I would do the upgrades. This just to make sure that any possible outage in the network would be known beforehand and the network use would be minimal.

Cisco documents states that the hardware and software of the Failover devices needs to be indentical. To my understanding this doesnt prevent from them being different atleast briefly during the upgrade procedure. I have only done Zero Downtime upgrades with regards to the software, not the hardware.

So I guess you have 2 options

1.) If a downtime for network connections is possible.

  • Save and backup the configurations of the ASAs
  • Turn the power off and disconnect the cables
  • Upgrade the memory on both units
  • Reconnect the ASAs to the network and power them on.

The above would naturally mean a complete outage/downtime for any connection needing to use the ASAs

2.) If you want to do the upgrade one device at a time

  • Save and backup the configurations of the ASAs
  • Turn the power off on the Standby ASA and disconnect cables
  • Upgrade the memory on the Stanby unit
  • Reconnect the ASA to the network and power it own
  • Confirm that the Standby ASA has rebooted and that the device you upgraded is in Standby Ready State
  • Make the upgraded unit the the Active unit with command "failover active"
  • When the upgraded unit has switched to Active, do the same upgrade procedures to the unit that is NOW the Standby unit

As I said I have not had to upgrade hardware of ASA Active/Passive Failover pair. (In all the situations the whole firewall model has usually changed) So I am not sure how the ASA will react to the other ASA when the RAM has been changed to something thats not identical to the other one. In the case of Software it only generates warning messages but doesnt cause any problems during the upgrade. From what I understand the situation is the same with RAM upgrade. The failover will function BUT the other unit should be upgraded to the same hardware as soon as possible for stability.

To sum it up.

  • If I would blindly follow the Cisco documentation I would power down both units and perform the RAM upgrade EVEN though this would mean downtime for the network
  • If I wanted to keep downtime to minimum or to zero, I would upgrade the units one by one by switching the devices between the Active / Standby roles.

Here is the section of the ASA Configuration Guide that states the Failover requirements

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1077521

Here s alink to a hardware installation guide

http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/procs.html#wp1076043

Hope this helps

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎04-11-2013 09:55 AM

Actually,

I found in an 8.2 software document this text

Although it is not required, it is recommended that both units have the same amount of RAM memory installed.

Link to document:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536

This would lead me to believe as long as your software is atleast 8.2, you should be able to do a Zero Downtime Memory Upgrade also.

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-11-2013 11:58 AM

Hi,

I think that will cause more downtime compared to what I suggested above.

There is really no need to power down the ASA that is Active.

You can start by powering down the Standby ASA and do the RAM upgrade for it first. Because you are powering down the Standby ASA there will be no effect to the network operation at that time. You can simply upgrade the RAM and connect the ASA back to the network and let it boot back up as the Standby device.

When its booted and you have confirmed that its in Standby Ready state then you can issue the command "failover active" on the upgraded unit so it will become the Active unit. After this you would again be free to power down the NEW Standby ASA and upgrade its RAM while the already upgraded ASA is handling the network traffic.

After you have upgraded the other ASA too and connected it to the network and let boot up to the Standby Ready state then you can either leave the setup like that or change the original Active unit (the one just upgraded) back to Active with the command "failover active"

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-11-2013 12:16 PM

No problem,

Hopefully the upgrade goes well.

Remember to take backups of the configurations just incase

- Jouni

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-11-2013 09:51 AM

Hi,

The hostname will always be the same as they share the configuration.

I think you are able to see which one is active by issuing this command

prompt hostname state

This should do so that you see your firewall name in the command prompt normally BUT you will also see in which state the device is in failover added to the device name. So the command prompt should be different depending on the state of the device where you logged in.

With regards to the RAM upgrade

Generally when doing a hardware upgrade for a customer I have a planned downtime/maintenance window where I would do the upgrades. This just to make sure that any possible outage in the network would be known beforehand and the network use would be minimal.

Cisco documents states that the hardware and software of the Failover devices needs to be indentical. To my understanding this doesnt prevent from them being different atleast briefly during the upgrade procedure. I have only done Zero Downtime upgrades with regards to the software, not the hardware.

So I guess you have 2 options

1.) If a downtime for network connections is possible.

  • Save and backup the configurations of the ASAs
  • Turn the power off and disconnect the cables
  • Upgrade the memory on both units
  • Reconnect the ASAs to the network and power them on.

The above would naturally mean a complete outage/downtime for any connection needing to use the ASAs

2.) If you want to do the upgrade one device at a time

  • Save and backup the configurations of the ASAs
  • Turn the power off on the Standby ASA and disconnect cables
  • Upgrade the memory on the Stanby unit
  • Reconnect the ASA to the network and power it own
  • Confirm that the Standby ASA has rebooted and that the device you upgraded is in Standby Ready State
  • Make the upgraded unit the the Active unit with command "failover active"
  • When the upgraded unit has switched to Active, do the same upgrade procedures to the unit that is NOW the Standby unit

As I said I have not had to upgrade hardware of ASA Active/Passive Failover pair. (In all the situations the whole firewall model has usually changed) So I am not sure how the ASA will react to the other ASA when the RAM has been changed to something thats not identical to the other one. In the case of Software it only generates warning messages but doesnt cause any problems during the upgrade. From what I understand the situation is the same with RAM upgrade. The failover will function BUT the other unit should be upgraded to the same hardware as soon as possible for stability.

To sum it up.

  • If I would blindly follow the Cisco documentation I would power down both units and perform the RAM upgrade EVEN though this would mean downtime for the network
  • If I wanted to keep downtime to minimum or to zero, I would upgrade the units one by one by switching the devices between the Active / Standby roles.

Here is the section of the ASA Configuration Guide that states the Failover requirements

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1077521

Here s alink to a hardware installation guide

http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/procs.html#wp1076043

Hope this helps

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎04-11-2013 09:55 AM

Actually,

I found in an 8.2 software document this text

Although it is not required, it is recommended that both units have the same amount of RAM memory installed.

Link to document:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536

This would lead me to believe as long as your software is atleast 8.2, you should be able to do a Zero Downtime Memory Upgrade also.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎04-11-2013 11:39 AM

Hi Jouni,

I am upgrading this on our Maintenance window.

To have least impact i will do 1 by one

Say if we have ASA  2  has active and 1 is standby

Here is action plan

First i will power down active ASA  2   so that failover can take over and standby 1 can become active.

before putting ASA  2  back in network i will power down ASA  1.

Then i will power up ASA  2 .

Then i will install memory on ASA  1 and put it back to network.

Finally ASA  2 should take its role as active.

I hope this will have minimum impact.

Regards

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-11-2013 11:58 AM

Hi,

I think that will cause more downtime compared to what I suggested above.

There is really no need to power down the ASA that is Active.

You can start by powering down the Standby ASA and do the RAM upgrade for it first. Because you are powering down the Standby ASA there will be no effect to the network operation at that time. You can simply upgrade the RAM and connect the ASA back to the network and let it boot back up as the Standby device.

When its booted and you have confirmed that its in Standby Ready state then you can issue the command "failover active" on the upgraded unit so it will become the Active unit. After this you would again be free to power down the NEW Standby ASA and upgrade its RAM while the already upgraded ASA is handling the network traffic.

After you have upgraded the other ASA too and connected it to the network and let boot up to the Standby Ready state then you can either leave the setup like that or change the original Active unit (the one just upgraded) back to Active with the command "failover active"

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎04-11-2013 12:12 PM


Hi Jouni,

Many thanks for talking  your time and answering my questions

I will follow above steps mentioned by you.

Also that cisco article is good about ASA.

Hope weekend change will be ok.

Best regards

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-11-2013 12:16 PM

No problem,

Hopefully the upgrade goes well.

Remember to take backups of the configurations just incase

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎04-11-2013 12:30 PM

Hi Jouni,

will do

Mahesh

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to mahesh18

‎04-15-2013 10:01 AM

Hi Joni,

Memory upgrade of ASA  worked fine no issues.

Regards

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-15-2013 10:03 AM

Hi Mahesh

Glad to hear it went well

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card