Firstly let me say that I don't know what's up with me today. It's either down to not enough coffee, or just being plain tired. Either way this is a shameful post.
I have done ASA upgrades numerous times, both on single units and in failover pairs. They all went fine. Today though my brain just isn't engaging in order to make something that's second nature a straightforward process.
So when you do an ASA upgrade the process is to copy the new files (the ASA bin file and the ASDM bin file) to the firewall's disk.
I did this on the primary through ASDM, then went and changed the boot order and the ASDM image.
asa# configure terminal
asa(config)# boot system disk0:/asa915-smp-k8.bin
asa(config)# asdm image disk0:/asdm-716.bin
asa(config)#
I then found that I could not copy the files to the secondary ASA. FTP would not work, TFTP would not work, both had different errors, probably due to antivirus/firewall or something on the Windows box, and I could not get into ASDM on the public IP or the inside address of the secondary.
I tried to fail over in the hope that if it was the primary I could get in again, but same issue.
Much cursing later I realised that if I changed the boot order back to the original settings then I could again access the secondary through ASDM.
Once the newer ASA and ASDM image were loaded onto the secondary, I set the boot order on the primary to the later version (9.1.5), and set the ASDM image version (7.1.6).
All is good, versions match. Let's failover.
After failover the secondary came up and the version was still the same as before (9.1.3), and the ASDM was at 7.1.4.
I checked the boot order on the secondary, looked fine, all set as I wanted. Files were still present, so what was wrong? Checked running config - again all looked ok.
Stupidly I had not saved the config on the primary - so when the secondary booted up the startup config referenced the old versions, but once it was up the failover process sent the primary's running-config onto the standby, which is why it all looked fine.
After a bit more cursing and wanting to kick myself I saved the config, reloaded the standby, which then came up in the right version, failed over and reloaded the other ASA.
Both are now on the newer versions of ASA and ASDM, and I feel like a fool.
How to properly do an ASA failover pair upgrade
Copy the files to BOTH ASAs - it's easy to do with ASDM - Tools > File Management and copy them over. Set the boot system image and the asdm image (as above). If an older boot system line is still in the config, remove it (no boot system disk0:/old-image.bin) or make sure the new one is listed first, because the ASA tries the boot system entries in the order they appear.
Then SAVE the config (copy run start, or write memory). Saving on the active unit also saves the startup config on the standby, and the standby boots from its startup config, not the running config it receives after it is up.
Reload the standby unit:
asa# failover reload-standby
Make sure it all comes up ok, and check that failover looks fine:
asa# sh failover | i Version
Version: Ours 9.1(3), Mate 9.1(5)
Make the primary unit the standby; you can do this from the primary with the command:
asa# no failover active
And then reload the standby (which is now the primary) using the reload-standby command again, this time from the secondary, which is now active.
Lastly check failover again:
asa# sh failover | i Version
Version: Ours 9.1(5), Mate 9.1(5)
If all goes well it should be completed within about 15 minutes at the most. If you are using SSH you will probably need to reconnect after the failover, because the active IP address moves to the other unit.
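The mistake in this post (running config right on both units, startup config still pointing at the old image) is exactly the kind of thing a pre-flight check catches before you type reload-standby. The script below is an added example, not part of the original post or any Cisco tool. It parses constructed sample output modelled on show failover, show running-config and show startup-config from a 9.1-era pair (the text is made up for this example, not captured from a device; the image-name to version mapping assumes the three-digit asa915 style naming used on this page) and reports what would stop the standby coming up on the new version.

```python
import re

# Constructed sample device output (not captured from a real ASA), modelled on the
# "show failover", "show running-config" and "show startup-config" output of an
# ASA 9.1 Active/Standby pair. This is the state described in the post: the new
# image is set in the running config, but the config was never saved.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Version: Ours 9.1(5), Mate 9.1(3)
Last Failover at: 10:42:11 UTC Jun 3 2014
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

RUNNING_CONFIG = """\
boot system disk0:/asa915-smp-k8.bin
boot system disk0:/asa913-smp-k8.bin
asdm image disk0:/asdm-716.bin
"""

STARTUP_CONFIG = """\
: Saved
boot system disk0:/asa913-smp-k8.bin
asdm image disk0:/asdm-714.bin
"""

TARGET_ASA = "disk0:/asa915-smp-k8.bin"
TARGET_ASDM = "disk0:/asdm-716.bin"

VERSION_RE = re.compile(r"Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)")
THIS_HOST_RE = re.compile(r"This host:\s+\w+\s+-\s+(\S+)")
BOOT_RE = re.compile(r"^\s*boot system (\S+)", re.M)
ASDM_RE = re.compile(r"^\s*asdm image (\S+)", re.M)


def image_version(image_path):
    """Map an image name such as disk0:/asa915-smp-k8.bin to the '9.1(5)' form that
    'show failover' prints. Assumes the three-digit 9.1-era naming used on this page."""
    m = re.search(r"/asa(\d)(\d)(\d)", image_path)
    if not m:
        raise ValueError(f"unrecognised ASA image name: {image_path}")
    return f"{m.group(1)}.{m.group(2)}({m.group(3)})"


def failover_versions(show_failover):
    """Return (ours, mate) software versions from 'show failover' output."""
    m = VERSION_RE.search(show_failover)
    if not m:
        raise ValueError("no Version line in show failover output")
    return m.group(1), m.group(2)


def preflight(show_failover, running_config, startup_config, target_asa, target_asdm):
    """Checks to run on the ACTIVE unit before 'failover reload-standby'.
    Returns a list of problems; an empty list means it is safe to reload the standby."""
    problems = []

    # 1. reload-standby and 'no failover active' are issued on the active unit.
    m = THIS_HOST_RE.search(show_failover)
    if not m or m.group(1) != "Active":
        problems.append("this unit is not Active; drive the upgrade from the active unit")

    # 2. The ASA tries 'boot system' entries in order, so the new image must be FIRST.
    run_boot = BOOT_RE.findall(running_config)
    if not run_boot or run_boot[0] != target_asa:
        problems.append(f"running-config boot order does not start with {target_asa}: {run_boot}")

    # 3. The standby boots from its STARTUP config. This is the mistake in the post: the
    #    running config looked right, but startup-config still named the old image.
    start_boot = BOOT_RE.findall(startup_config)
    if not start_boot or start_boot[0] != target_asa:
        problems.append("startup-config boot order is stale: run 'write memory' before reloading the standby")

    # 4. Same check for the ASDM image in both configs.
    for name, cfg in (("running-config", running_config), ("startup-config", startup_config)):
        asdm = ASDM_RE.findall(cfg)
        if not asdm or asdm[0] != target_asdm:
            problems.append(f"{name} asdm image is {asdm or 'unset'}, expected {target_asdm}")

    return problems


def upgrade_complete(show_failover, target_asa):
    """True once both units report the target version in 'show failover'."""
    want = image_version(target_asa)
    return failover_versions(show_failover) == (want, want)


if __name__ == "__main__":
    for p in preflight(SHOW_FAILOVER, RUNNING_CONFIG, STARTUP_CONFIG, TARGET_ASA, TARGET_ASDM):
        print("PROBLEM:", p)
    print("versions:", failover_versions(SHOW_FAILOVER))
    print("complete:", upgrade_complete(SHOW_FAILOVER, TARGET_ASA))
```

On the sample above preflight reports two problems (stale boot system and stale asdm image in startup-config) and upgrade_complete is false; once the startup config matches the running config the problem list is empty, and once the mate reports 9.1(5) as well the upgrade is done. Feed it the real command output captured over SSH and it does the same job on a live pair.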
If you need me I'll be standing in the corner...
2 comments
I have never done an IOS upgrade on an ASA and this is probably the easiest explanation of what to do AND what NOT to do. This beats reading the Cisco documentation which has what seems like 10,000 variables to consider when upgrading. Appreciated.
Reply
Glad you found it useful Carrie!
Reply