Re: Zero-downtime DRAM upgrade of failover pair of 5510 ASA's

dtochilovsky · ‎04-13-2011

Hi all, I need to upgrade the active/standby failover pair of 5510 ASA's to have1 Gig DRAM each, and I am trying to plan out the upgrade process. I'm looking for a zero downtime upgrade process and I am hoping to get some answers to my questions from the community.

I know that the failover pair has to have the same amount of memory, so how do I perform a zero-downtime upgrade process?
Can I power off the standby unit and upgrade it's memory first? Or will it cause a memory mismatch between the active and standby units when it is powered on?

Thank you.

Dmitry.

JORGE RODRIGUEZ · ‎04-13-2011

Hi Dmitry,

It is entirely true that the same RAM is required in failover pairs architecture etc.. but it is not the case failover will stop working if RAM is disimilar.

You can still conduct zero downtime RAM upgrade while still continue firewall traffic I have upgraded a number of ASA5510s RAM with zero downtime but have plan for downtime to be on the safe side, depending on your network environment such as numbers of VPN tunnels and amount of connections etc.. I would personally plan for downtime to conduct such upgrades.

I would like to share the process I have used to upgrade RAMs on ASA5510s with zerodowntime.

1- Lable all firewall network cable connections with proper names and connection points – label state full CAT5 connection
2- Backup ASA firewall configuration both clear text and tftp
3- Power off Standby firewall ( Primary firewall will continue normal traffic )
4- Remove Standby chassis cover
5- Remove 512 MB module
6- Install 1GB RAM
7- Close firewall Chassis
8- Reconnect CAT5 cables to designated switch ports (inside)(DMZ) (outside) etc..
9- Power on
10- Check failover states – wait for synched config on Primary firewall
11- Issue on Primary firewall ( no failover active ) Standby will take Active Role
12- Power off Standby firewall (What used to be Active firewall)
13- Lable all firewall network cable connections with proper names and connection points – label state full CAT5 connection
14- Remove chassis cover
15- Remove 512 MB module
16- Install 1GB RAM
17- Close firewall Chassis
18- Reconnect CAT5 cables to designated switch ports (inside)(DMZ) (outside) etc..
19- Power on firewall
20- Check failover state - wait to synch configuration
21- Issued on Standby firewall-Active (What used to be Standby ) no failover active -
Now ASA Standby firewall-active will go back to Standby and ( Active firewall will resume its role )

Here is additional link for ASA5500 harware installation details in case you do not have it.

http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/procs.html#wp1031285

Regards

Jorge Rodriguez

dtochilovsky · ‎04-14-2011

Thank you Jorge, it helps to know that it is possible to do the upgrade with zero-downtime. But I will plan for downtime just in case.

Dmitry.

Mady · ‎02-22-2016

Hi Jorge,

I will do the same activity on our client. As you have posted, is it possible to have zero-downtime on upgrading the memory. Can you site me some references about failover-that this will work though they have dissimilar RAM. I will just forward the reference to our client. Thank you.

Regards,

Mady

Marvin Rhoads · ‎02-22-2016

Mady,

Not sure if Jorge is still monitoring this thread - his posting is 5 years old.

The process he described is based on experience and is not how it's described in the documentation.

The docs only say that to establish an HA pair in the first place they have to have identical RAM.

They're silent on the issue of adding RAM during or in preparation for an upgrade of an HA pair.

Mady · ‎02-22-2016

Hi Marvin,

Thank you for your reply. If that would be the case, I would just stick on Cisco documentation. :)