Upgrade Procedure for Cisco ASA 5515 running Failover


Have a Cisco ASA 5515 in a failover setup. Want to upgrade image  to 9.9(1) from 9.7(1) and asdm to 7.9(1) from 7.7(1) without down time. Looking for upgrade procedure. Any help is great! Thanks.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ken BooneNetwork ConsultantCommented:
Here it is in a nutshell.

Let's start with ASDM

Upload the new ASDM to both ASA's flash.

Login to primary ASA and configure it to use the new ASDM.

Save config done.   - New ASDM is now ready.

Upgrade code - make sure that one is Active and one unit is in standby before starting.

Upload the asa code image to the flash on both units.

Then configure the boot command on the primary unit to specify first to boot the new image and then as a precaution I always set a second boot statement to boot the old image  - in case of corrupt upload.

The order of the boot commands is in important.  If you already have a boot system command in the config, remove it then add them back in the correct order - 1st boot statement is new image, 2nd boot statement is old image.

Save the config.

Now with the image on both, and the config pointing to boot off the new image, reload the standby unit.

Standby will reload the new image.

You will see messages stating that standby unit is not on the same code as active unit.

Wait until you see on the active unit that the standby unit is in standby ready state.

At this point login in to the standby unit and enter the command "failover active"
This will make the standby unit active.

Now you will need to login to the unit that is now in standby (which was active just a moment ago) and reload it.

After the reload, it to will come up on the new code.  At this point, this unit will come up as standby.

If you want to restore this unit to its original state as active you can simply issue the command failover active on this unit to force him to become the active unit once again.

That is pretty much it.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kittu05Author Commented:

Thanks for the detailed procedure.
From the above procedure my understanding is that - Copy the new  ASA image and ASDM images to both primary (active) and secondary (standby) firewall's flash. Then  I issue boot commands on the primary (active) to load new images and save the configuration. Then I reload the secondary (standby) which should update the software on secondary (standby) firewall. Is it true that the secondary(standby) firewall reads the configuration changes from the primary(active)? Appreciate your help.

Ken BooneNetwork ConsultantCommented:
Yes in an active/standby configuration when you issues commands on the active unit and save them, those configuration changes are committed to the standby unit as well.
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

kittu05Author Commented:
Thanks you very much for the help. Cisco compatibility upgrade path from 9.7(1) to 9.9(1) is approved on ASA 5515.  I am assuming that it should not have any communication issues between secondary(standby) and primary(active) when I reboot the standby as they have different image on them.
Ken BooneNetwork ConsultantCommented:
You are correct - although you will get a warning message stating that the mate is not on the same image.
kittu05Author Commented:
Thank you!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.