03-13-2007 06:59 PM - edited 03-09-2019 05:36 PM
I have two asa5520s and they are configured as active/active failover and multi-context.
Now, I need to upgrade their images. But I find:
1. On the asa5520 where the admin context is active, I can go to system by (changeto system) and I can upgrade the ASA image and ASDM image.
2. On the asa5520 where the admin context is standby, I cannot go to the system side:
my-asa5520-2/content2#changeto system
Command not valid in current execution space.
Could anyone advise me:
How can I upgrade the image for the second box?
Is my configuration of failover/multi-context wrong? If so, how do I configure failover/multi-context so that I am able to go to system space on the second box?
Any comments will be appreciated.
Thanks in advance.
03-14-2007 10:40 AM
It could be a little confusing, but I'll try to make it simple.
Upgrading firewalls in Active/Active mode:
I would denote the two ASAs as follows:
ASA1 (Admin context Active/Ctx1 context Standby)
ASA2 (Admin context Standby/Ctx1 context Active)
Assuming that both ASAs are running on 7.1.2 code.
So .. before starting the upgrade procedure, following is the status of the two ASAs:
ASA1 (Admin context Active/Ctx1 context Standby)
ASA2 (Admin context Standby/Ctx1 context Active)
Step 1) Login to the Admin context on ASA1 and copy the new image to flash.
Step 2) Move to the system execution space of ASA1 from Admin context and set the
image to use the newly copied image. DO NOT RELOAD THE ASA YET. Current state:
ASA1 (Admin context Active/Ctx1 context Standby) --> pointing to new image.
ASA2 (Admin context Standby/Ctx1 context Active)
Step 3) Move back to Admin context on ASA1 and fail this context to ASA2 using
"no failover active" command. Now the current state of ASAs is:
ASA1 (Admin context Standby/Ctx1 context Standby) --> pointing to new image.
ASA2 (Admin context Active/Ctx1 context Active)
Step 4) Shut down ASA1, do not reload, shutdown. Current state:
ASA1 (SHUTDOWN) --> pointing to new image.
ASA2 (Admin context Active/Ctx1 context Active)
Step 5) Login to the Admin context on ASA2 and copy the new image to flash.
Step 6) Move to the system execution space of ASA2 from Admin context and set the
image to use the newly copied image. DO NOT RELOAD THE ASA YET. Current state:
ASA1 (SHUTDOWN) --> pointing to new image.
ASA2 (Admin context Active/Ctx1 context Active) --> pointing to new image.
Step 7) Shutdown the ASA2 and power on ASA1. Current state:
ASA1 (BOOTING) --> pointing to new image.
ASA2 (SHUTDOWN) --> pointing to new image.
Step 8) Once the ASA1 has booted up, it will start using the new image. Current state:
ASA1 (Admin context Active/Ctx1 context Active) --> up with new image.
ASA2 (SHUTDOWN) --> pointing to new image.
Step 9) Now boot ASA2, once up, current state should be:
ASA1 (Admin context Active/Ctx1 context Active) --> up with new image.
ASA2 (Admin context Standby/Ctx1 context Standby) --> up with new image.
Both ASAs have been upgraded successfully. Now, if the failover groups are configured with the
"preempt" command, failover group 2 will automatically become active on ASA2; if failover
group 2 is not configured with "preempt", we will need to manually fail over the ctx1 context from
ASA1 to ASA2.
Hope that helps.
Regards,
Vibhor.
03-15-2007 03:20 PM
Vibhor,
Many thanks for the procedure.
When you say shutdown, do you mean going to the machine and manually powering it off? Is there a shutdown command I can use?
On step 7, can I first power on ASA1 and, after ASA1 takes control, then shut down ASA2?
That way, I can support the link connection for the backend servers.
Please advise.
03-15-2007 04:00 PM
Yw ..
There is no shutdown command available on the ASA. We would need to walk up to the device and manually power it off.
On step 7, "can I first power on ASA1 and, after ASA1 takes control, then shut down ASA2?"
This will not work, because when ASA1 comes up, there would be a conflict as both are running different versions. It may cause other issues in the network, thus I would not recommend doing so.
Hope that helps.
Regards,
Vibhor.
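As an added illustration (not part of the thread and not Cisco tooling), the Python model below replays the nine steps with either ordering of step 7 and flags any moment when two powered-on units run different images or a context has no active unit. The class, the function names and the failover behaviour they encode are simplifying assumptions introduced here; `NEW` is a placeholder because the thread does not name the target release.

```python
OLD, NEW = "7.1.2", "NEW"     # NEW is a placeholder; the thread does not name the target release
CONTEXTS = {"admin", "ctx1"}

class Pair:
    """Simplified model (assumption): a unit powered on alone goes active for every context."""
    def __init__(self):
        # Starting state from the thread: admin active on ASA1, ctx1 active on ASA2.
        self.u = {"ASA1": {"on": True, "run": OLD, "boot": OLD, "active": {"admin"}},
                  "ASA2": {"on": True, "run": OLD, "boot": OLD, "active": {"ctx1"}}}
        self.findings = []

    def peer(self, name):
        return self.u["ASA2" if name == "ASA1" else "ASA1"]
    def set_boot(self, name):               # steps 2 and 6: new image set, no reload
        self.u[name]["boot"] = NEW
    def fail_over(self, ctx, src):          # step 3: hand one context to the peer
        self.u[src]["active"].discard(ctx)
        self.peer(src)["active"].add(ctx)

    def power_off(self, name):
        if self.peer(name)["on"]:           # surviving peer takes over active contexts
            self.peer(name)["active"] |= self.u[name]["active"]
        self.u[name].update(on=False, active=set())

    def power_on(self, name):
        alone = not self.peer(name)["on"]   # unit boots whatever image it points at
        self.u[name].update(on=True, run=self.u[name]["boot"],
                            active=set(CONTEXTS) if alone else set())

    def check(self, label):
        up = [x for x in self.u.values() if x["on"]]
        if len({x["run"] for x in up}) > 1:
            self.findings.append((label, "mixed versions"))
        if set().union(*(x["active"] for x in up)) != CONTEXTS:
            self.findings.append((label, "context not served"))

def rehearse(step7):
    """Run steps 2-9; step7 is the ordered list of (operation, unit) used for step 7."""
    p = Pair()
    plan = [("set_boot", "ASA1"), ("fail_over", "ASA1"), ("power_off", "ASA1"),
            ("set_boot", "ASA2"), *step7, ("power_on", "ASA2")]
    for op, unit in plan:
        args = ("admin", unit) if op == "fail_over" else (unit,)
        getattr(p, op)(*args)
        p.check(f"{op} {unit}")             # record any violation right after the step
    return p.findings

THREAD_ORDER = [("power_off", "ASA2"), ("power_on", "ASA1")]   # step 7 as posted
ASKER_ORDER = [("power_on", "ASA1"), ("power_off", "ASA2")]    # ordering from the follow-up
```

`rehearse(THREAD_ORDER)` reports only the gap while ASA1 boots with ASA2 already off, and `rehearse(ASKER_ORDER)` reports only the mixed-version overlap that the reply warns about.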