Solved

upgrade the ASAs running failover

Posted on 2011-02-17
Last Modified: 2012-06-27
Hi experts,
I have 2 ASAs which are running failover; everything is fine.
Currently I want to upgrade their software. I have already copied the new "BIN" file to both, so what should we do next?
I mean, can I reboot them one by one without service going down? And what are the detailed steps?

Thanks
Question by:beardog1113
13 Comments
 
LVL 16

Expert Comment

by:btassure
From Cisco:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398

tl;dr upgrade the failover, fail it over, upgrade primary and fail it back.
 
LVL 28

Expert Comment

by:bgoering
Take a look at this EE thread: http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_25008732.html

Pretty much the same question solved there

Good Luck
 

Author Comment

by:beardog1113
Hi btassure,
What do you mean by the "tl" and "dr" you mentioned?

Thanks
 

Author Comment

by:beardog1113
Hi bgoering,
Is there a way to do the upgrade without causing downtime?

Thanks
 
LVL 28

Expert Comment

by:bgoering
I would think that would depend on the type of upgrade. If you are going across a major version, like 7.x to 8.x, I would probably allow for a short downtime. For minor versions, like 8.1 to 8.2, you should be able to just upgrade a node, fail to the new node, upgrade the remaining node and fail back if desired.

When in doubt, look at the release notes - they typically will tell you. What version are you going to? What is the old version?
 
LVL 28

Expert Comment

by:bgoering
I would probably make an exception to my "rule of thumb" above. 8.x to 8.3 requires a significant migration of the configuration. I would try to get some downtime for that also just in case.

 
LVL 28

Expert Comment

by:bgoering
That link that btassure posted above covers the rules pretty well, as well as the procedure (I was just working from memory).
 

Author Comment

by:beardog1113
I want to upgrade from 8.2(1) to 8.2(2)4; it seems like, as you said, a minor version.

Right?
 
LVL 28

Expert Comment

by:bgoering
Yes, that should be a trivial upgrade. The number in parentheses is a maintenance release... you appear to be staying within the same major "8" and minor "2" and just upgrading the maintenance level from (1) to (4).

In your case it would be as simple as:

1. Upgrade the secondary
2. Fail primary over to secondary
3. Upgrade the primary
4. Fail back if desired
 

Author Comment

by:beardog1113
Hi bgoering,
First, sorry for the late response.
Are your steps, in more detail, as below?
1. Upgrade the secondary
2. Restart the secondary
3. Fail primary over to secondary (could you let me know what the command is?)
4. Upgrade the primary
5. Restart the primary
6. Fail back

And that will not cause service downtime, right?

Thanks
 
LVL 28

Accepted Solution

by:
bgoering earned 250 total points
Yes, that would be the steps. For (3), log onto the secondary and issue the command

fail active

That will make it active. Same thing for step (6), except you log on to the primary.

Try "fail ?" for more options
 
LVL 28

Expert Comment

by:bgoering
Assuming you have set up a link between them for state information, then there will be absolutely no downtime. If you haven't set up that link, then connections in flight will be reset - often this is handled transparently by the application with a retry or retransmit, but some applications may be affected.
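The six steps agreed in this thread, written out as ASA CLI for an active/standby pair. This is an added example, not part of any post above; `<old-image.bin>` and `<new-image.bin>` are placeholders, and `disk0:` is assumed to be the flash device holding the image on both units.

```cisco
! Added example; file names are placeholders, not values from the thread.
! Assumes the new image is already in disk0: on BOTH units.

! ---- On the primary (currently active) ----
show failover
!  Proceed only if it reports:
!    This host: Primary - Active
!    Other host: Secondary - Standby Ready
!  For failover without reset connections, the "Stateful Failover Logical
!  Update Statistics" section must also show a Link that is (up).

show running-config boot system
configure terminal
 no boot system disk0:/<old-image.bin>
 boot system disk0:/<new-image.bin>
 end
write memory
!  Configuration changes made on the active unit are replicated to the standby.

! Steps 1-2: restart the secondary onto the new image
failover reload-standby
show failover
!  Wait until the other host is "Secondary - Standby Ready" again.

! ---- On the secondary ----
! Step 3: make the upgraded unit active ("fail active" is the short form)
failover active

! ---- On the primary (now standby) ----
! Steps 4-5: restart the primary onto the new image
reload
show version
!  After it rejoins as standby, confirm it is running the new release.

! Step 6 (optional): fail back, entered on the primary
failover active
show failover
```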
 

Author Closing Comment

by:beardog1113
perfect