
Jun 04

ASA 8.4 Upgrade Path – 8.2 to ASA 8.4 with Zero Downtime

This post details the process that I followed for the ASA 8.4 upgrade path, 8.2(0) to ASA 8.4(4), with zero downtime. The units are in an Active-Failover configuration. The process was done in stages: first the memory module was upgraded, then the software on the device. This process worked for me and there was no downtime experienced during this upgrade, so I can say it's tested and works as stated, at least for me.

However, the NAT statements change with the new version, as do the ACLs, names, etc., so make sure you fully understand what impact it will have on your network if some of the NAT statements are not migrated across.

I have attempted to write some of the stuff related to NAT in the post below which can be helpful.

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

 

Upgrade Path

ASA 8.2(1) --> ASA 8.3(2) --> ASA 8.4(4)

ASDM 6.2(5)53 --> ASDM 6.4(9)

 

Upgrade Steps

1. Download the following images from the Cisco website:

ASA 8.3(2)

ASA 8.4(9)

ASDM 6.2(5)53

2. Upload the images to both the Primary and Secondary units using TFTP.

3. Check the failover status and make sure the Primary unit is active, then turn off the Secondary/backup unit and install the memory module. Turn the unit back on. Log in to the Secondary unit and check that it boots up correctly.

4. Check the failover status and confirm that the Primary Unit can see its mate and that the monitoring status on the ports is normal, as shown below. (Use the ‘sh failover’ command to get this status.)

 

This host: Primary – Active
Active time: 51803729 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (XXX.XXX.XXX.XXX): Normal (Monitored)
Interface inside (XXX.XXX.XXX.XXX): Normal (Monitored)
Interface dmz (XXX.XXX.XXX.XXX): Normal (Monitored)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (XXX.XXX.XXX.XXX): Normal (Monitored)
Interface inside (XXX.XXX.XXX.XXX): Normal (Monitored)
Interface dmz (XXX.XXX.XXX.XXX): Normal (Monitored)
slot 1: empty

 

After confirming the status, use the command ‘no failover active’ so that the Secondary unit becomes active. Shut down the Primary unit and upgrade its memory. Power up the device and confirm that it boots up OK.

5. Confirm that the Secondary unit can see the Primary unit and that monitoring on all interfaces is normal.

6. Make the Primary Unit active by using the ‘no failover active’ command on the Secondary Unit.

7. Now both units have the same memory size, and it's time to upgrade the software. Use the ‘show flash’ command to make sure the images uploaded via TFTP are there. Check whether a ‘boot system’ command is already part of the running config.

 

ASA# sh run | i boot
boot system disk0:/asa821-k8.bin

 

Use the following commands to make the unit use ASA 8.3(2) at boot up. The 8.2(1) image stays in the list as a fallback.

ASA(config)# no boot system disk0:/asa821-k8.bin
ASA(config)# boot system flash:asa832-k8.bin
ASA(config)# boot system flash:asa821-k8.bin

 

If you use the command ‘sh run | i boot’ now, it will show all the boot commands in order.

ASA# sh run | i boot
boot system disk0:/asa832-k8.bin
boot system disk0:/asa821-k8.bin

 

8. Use the following command to make the devices use the latest ASDM.

ASA(config)# asdm image flash:asdm-649.bin

 

9. Use the ‘wr mem’ command to write the running config to the startup config. The configuration is automatically replicated to the Secondary Unit.

10. Use the ‘failover reload-standby’ command to reload the Secondary unit.

ASA# failover reload-standby

 

11. Wait for the Secondary unit to come back online. You will see a message on the Primary unit stating that the configuration is being replicated to the Secondary Unit. It will also complain that the versions on both units are not the same. That's normal, don't worry about it. Check the monitoring status and ports, and once all is back to Normal, use ‘no failover active’ on the Primary unit so that it no longer remains active.

12. Connect to the Secondary Unit, which is now active, and use the ‘failover reload-standby’ command. This will reload the Primary Unit and it will boot up with version 8.3(2). Once configuration replication is done, make the Primary Unit active. Connect to the active unit and use the ‘sh flash’ command; there will be some new files on the drive, such as the old configuration and any errors encountered during the upgrade.

 

ASA# sh flash
—————-omitted—————

  172  38532       May 27 2012 19:09:04  8_2_1_0_startup_cfg.sav
  173  2710        May 27 2012 19:09:18  upgrade_startup_errors_201205271809.log
—————-omitted—————

 

13. Now it's time to upgrade to 8.4(9). Use the following boot commands to make the units boot with the new version.

ASA(config)# no boot system disk0:/asa821-k8.bin
ASA(config)# no boot system disk0:/asa832-k8.bin
ASA(config)# boot system flash:asa844-k8.bin
ASA(config)# boot system flash:asa832-k8.bin
ASA(config)# boot system flash:asa821-k8.bin

 

14. Use the ‘wr mem’ command to write the config to startup and reload the Secondary unit (the commands to do this have already been discussed).

15. Once the Secondary Unit is back online and monitoring status is normal, make Secondary unit Active and reload the Primary unit.

16. Once the Primary Unit is reloaded and the monitoring status is back to normal, make the Primary Unit active. Again, on the flash you will be able to see the files created for the saved old config, and also for errors or config statements that are not used in the new version.

 

ASA# sh flash

—————-omitted—————

  172  38532       May 27 2012 19:09:04  8_2_1_0_startup_cfg.sav
  173  2710        May 27 2012 19:09:18  upgrade_startup_errors_201205271809.log
  130  0           May 27 2012 19:19:18  nat_ident_migrate
  131  38636       May 27 2012 19:19:18  8_3_2_0_startup_cfg.sav
  176  1816        May 27 2012 19:19:30  upgrade_startup_errors_201205271819.log

—————-omitted—————

 

17. That's all done, with both units running the ASA 8.4(9) version of the software and ASDM 6.2(5)53. You can now remove the other boot statements as below. Also remove the old image files from the flash.

ASA(config)# no boot system disk0:/asa832-k8.bin
ASA(config)# no boot system disk0:/asa821-k8.bin
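
The health check that gates every role swap and reload in the steps above, as an added example that is not part of the original post: it parses captured ‘sh failover’ output and reports whether both units and all interfaces are ready. The function names and the sample text are constructed for illustration, and the check assumes every interface is monitored, as in the output shown in step 4.

```python
import re

# Constructed sample modelled on the 'sh failover' excerpt in step 4, taken
# mid-upgrade: the standby already runs 8.3(2) and one interface is not ready.
SAMPLE = """\
This host: Primary - Active
slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside (XXX.XXX.XXX.XXX): Normal (Monitored)
Interface inside (XXX.XXX.XXX.XXX): Normal (Monitored)
Other host: Secondary - Standby Ready
slot 0: ASA5510 hw/sw rev (2.0/8.3(2)) status (Up Sys)
Interface outside (XXX.XXX.XXX.XXX): Normal (Monitored)
Interface inside (XXX.XXX.XXX.XXX): Normal (Waiting)
"""

HOST = re.compile(r"^(This|Other) host:\s*(\w+)\s*[-\u2013]\s*(.+)$")
SWREV = re.compile(r"hw/sw rev \([^/]+/(.+)\) status \(")
IFACE = re.compile(r"^Interface (\S+) \([^)]*\):\s*(.+)$")


def parse_failover(text):
    """Parse 'show failover' text into {'This': {...}, 'Other': {...}}."""
    units, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HOST.match(line):
            cur = units[m.group(1)] = {"role": m.group(2), "state": m.group(3),
                                       "version": None, "interfaces": {}}
        elif cur is not None and (m := SWREV.search(line)):
            cur["version"] = m.group(1)
        elif cur is not None and (m := IFACE.match(line)):
            cur["interfaces"][m.group(1)] = m.group(2)
    return units


def safe_to_switch(text):
    """Return (ok, problems, version_mismatch) for one captured output."""
    units = parse_failover(text)
    if set(units) != {"This", "Other"}:
        return False, ["both units not found in output"], False
    problems = []
    states = sorted(u["state"] for u in units.values())
    if states != ["Active", "Standby Ready"]:
        problems.append(f"unexpected unit states: {states}")
    for who, unit in units.items():
        for name, status in unit["interfaces"].items():
            if status != "Normal (Monitored)":  # assumes all interfaces monitored
                problems.append(f"{who} host, {name}: {status}")
    # A version mismatch is expected mid-upgrade, so it is reported, not failed.
    mismatch = units["This"]["version"] != units["Other"]["version"]
    return not problems, problems, mismatch
```

Run it on the output captured before each ‘no failover active’ or ‘failover reload-standby’, and proceed only when `ok` is true; after step 16 the version mismatch flag should be false.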

 

1 comment

  1. tariq

    for network what does asa supports
