KB ID 0000733
Problem
You have two ASA firewalls deployed in Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution you do not want any downtime.
Before we start, we need to make sure we know the difference between primary, secondary, active and standby.
From the rear (Active=Green, Standby=Amber)
The Primary and Secondary firewalls are the physical units: the primary is always the primary and the secondary is always the secondary (unless you manually change the configuration to force things otherwise!).
The Active firewall is the one currently passing traffic, and the Standby firewall sits waiting to take over. Either physical firewall can be active or standby at any given time, which is exactly what we rely on for a zero-downtime upgrade.
Solution
To get updates from Cisco you need to have a valid support agreement for your firewalls and a Cisco CCO account to log in with. (download link)
In this example, I’m going to upgrade both the firewalls from 8.4(5) to 9.1(1), and the ASDM from version 7.1(1) to 7.1(1)-52. When we start, the primary firewall is the active firewall.
In the past I’ve upgraded from 8.2(5) to 8.4(5), and (here) 8.4(5) to 9.1(1). I’ve never had a problem, HOWEVER, DO NOT ATTEMPT an upgrade until you have a good backup of the config.
Backup and Restore a Cisco Firewall
1. First you need to upload the software to the flash memory on BOTH firewalls. You can either connect to the ASA via the command line and TFTP the files across, or connect to the ASDM and upload them from your PC/laptop. Before you upload anything, compare the MD5 of each downloaded image with the value published on the Cisco download page; a corrupt or tampered image is the one thing a failover pair cannot protect you from, because you will boot both units from it. If you have an AnyConnect XML profile, take a backup of that as well (I’ve seen them disappear).
Install and Use a TFTP Server
Upload via Command Line
[box]
UPLOAD THE OPERATING SYSTEM

Petes-ASA> enable
Password:*********
Petes-ASA# copy tftp flash

Address or name of remote host []? 10.0.0.127

Source filename []? asa911-k8.bin

Destination filename [disk0]? asa911-k8.bin

Accessing tftp://10.0.0.127/asa911-k8.bin..
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asa911-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27260928 bytes copied in 49.250 secs (556345 bytes/sec)

UPLOAD THE ASDM SOFTWARE

Petes-ASA# copy tftp flash

Address or name of remote host []? 10.0.0.127

Source filename []? asdm-711-52.bin

Destination filename [disk0]? asdm-711-52.bin

Accessing tftp://10.0.0.127/asdm-711-52.bin..
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asdm-711-52.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
17790720 bytes copied in 32.200 secs (555960 bytes/sec)
[/box]

Upload via ASDM

Connect to the ASDM > Tools > File Management > File Transfer > Between Local PC and Flash > Navigate to the file(s) on your local machine > Upload.
REMEMBER TO DO THIS FOR BOTH FIREWALLS! The boot command you set in the next step is replicated to the standby unit, so if the image is missing from the standby’s flash it will fail to boot the new version when you reload it. Note: You can copy the file to the standby firewall’s flash memory from the primary firewall using the following syntax (though I usually just swap the console cable over!).
[box]
Petes-ASA(config)# failover exec mate copy tftp://10.0.0.115/asa911-k8.bin disk0:/asa911-k8.bin
[/box]
2. On the Primary Active Firewall, set the new OS as the default. Below I check which file the ASA will currently boot from, then I change it to the new image, and finally I remove the boot entry for the old file. You don’t need to carry out the last step, but I like to leave things tidy. (Removing the boot entry does not delete the old .bin from flash, so it is still there if you need to roll back.)
[box]
Petes-ASA# show running-config boot system
boot system disk0:/asa845-k8.bin
Petes-ASA# configure terminal
Petes-ASA(config)# boot system disk0:/asa911-k8.bin
Petes-ASA(config)# no boot system disk0:/asa845-k8.bin
Petes-ASA(config)# show running-config boot system
boot system disk0:/asa911-k8.bin
[/box]
3. If you are also upgrading the ASDM, you need to set the new one as the default image.
[box]
Petes-ASA(config)# asdm image disk0:/asdm-711-52.bin
Petes-ASA(config)# show run asdm image
asdm image disk0:/asdm-711-52.bin
no asdm history enable
[/box]
4. Save the changes.
[box]
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: e150e036 036082e0 6d054a3d 1c7fd9fa
16257 bytes copied in 3.350 secs (5419 bytes/sec) [OK]
[/box]
5. Whilst still on the primary active firewall, you need to reboot the secondary standby firewall with the following command:
[box]
Petes-ASA(config)# failover reload-standby
YOU MAY SEE A WARNING LIKE THE FOLLOWING - THIS IS OK
************WARNING****WARNING****WARNING********************************
Mate version 9.1(1) is not identical with ours 8.4(5)
************WARNING****WARNING****WARNING********************************
Beginning configuration replication: Sending to mate. End Configuration Replication to mate
Petes-ASA(config)#
[/box]
6. This may take a little while. Remember it has to reboot and, depending on the version you are upgrading to, may need to convert some of the config (for example, when upgrading from a pre-8.3 release to 8.3 or newer, all the NAT rules are rewritten into the new format). You can check whether it’s back online by issuing a ‘show failover’ command (whilst still on the primary firewall). You will know the secondary firewall is up and ready when you see ‘Secondary – Standby Ready’, and the ‘Version:’ line will confirm the mate is now running the new image while you are still on the old one. Do not move on to the next step until you see that state; anything else (Failed, Not Detected, or a monitored interface that is not Normal) means a failover now would drop traffic.
Note: If you can see the status lights on the standby firewall watch for them to be green,green,amber,green,off (ASA5510).
[box]
Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.4(5), Mate 9.1(1)
Last Failover at: 13:25:54 GMT/BST Dec 6 2012
        This host: Primary - Active
                Active time: 350 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
                  Interface outside (123.123.123.123): Normal (Monitored)
                  Interface inside (10.0.0.254): Normal (Monitored)
                  Interface backup (234.234.234.235): Normal (Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.2.1599.0) status (Up/Up)
                  Logging port IP: 10.0.0.252/24
                  CSC SSM, 6.2.1599.0, Up
        Other host: Secondary - Standby Ready      <<<<<< Here we go!
                Active time: 326 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface outside (123.123.123.124): Normal (Monitored)
                  Interface inside (10.0.0.249): Normal (Monitored)
                  Interface backup (234.234.234.234): Normal (Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.3.1172.0) status (Up/Up)
                  Logging port IP: 10.0.0.248/24
                  CSC SSM, 6.3.1172.0, Up

Stateful Failover Logical Update Statistics
        Link : failover Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1709       0          491        49
        sys cmd         58         0          58         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        896        0          244        48
        UDP conn        280        0          45         1
        ARP tbl         474        0          141        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          1          0
        VPN IKEv1 P2    1          0          1          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          1          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       24      2101
        Xmit Q:         0       1       2311
Petes-ASA(config)#
[/box]
7. Now you need to force a failover to the secondary firewall (again, do this on the primary active firewall). From this point the secondary unit, running the new version, is passing all the traffic.
[box]
Petes-ASA(config)# no failover active
Petes-ASA(config)#
Switching to Standby
[/box]
8. Now reboot the primary firewall and that should boot to its new operating system.
[box]
Petes-ASA(config)# reload
Proceed with reload? [confirm] {Enter}
[/box]
9. Once complete, log back in and you can make the primary firewall active once more. Note the warning below: while the primary is the standby unit, nothing you configure on it is replicated to the active unit, so make no configuration changes until you have switched it back to active. Finish with another ‘show failover’ and confirm both units now report the same version.
[box]
Petes-ASA> Detected an Active mate
Beginning configuration replication from mate.
Petes-ASA> End configuration replication from mate.
Petes-ASA> en
Password:*********
Petes-ASA# configure terminal
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
Petes-ASA(config)# failover active
Switching to Active
[/box]
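The whole procedure hinges on reading ‘show failover’ correctly at two points: before step 5 (you must be on the Primary, it must be Active, and the mate must be Standby Ready) and again at step 6 and before step 7 (the mate must be back as Standby Ready on the new version with every monitored interface Normal). The script below is an added example, not part of the original article or any Cisco tool; it parses the ‘show failover’ text as shown in step 6 and encodes those gates so they can be checked mechanically (for instance by a script that drives the console over SSH) rather than by eye. The sample output is a trimmed copy of the step 6 output; the function names and the `FailoverState` structure are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a trimmed copy of the "show failover" output shown in
# step 6 (primary still on 8.4(5), secondary back on 9.1(1) as Standby Ready).
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.4(5), Mate 9.1(1)
Last Failover at: 13:25:54 GMT/BST Dec 6 2012
        This host: Primary - Active
                Active time: 350 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
                  Interface outside (123.123.123.123): Normal (Monitored)
                  Interface inside (10.0.0.254): Normal (Monitored)
                  Interface backup (234.234.234.235): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 326 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface outside (123.123.123.124): Normal (Monitored)
                  Interface inside (10.0.0.249): Normal (Monitored)
                  Interface backup (234.234.234.234): Normal (Monitored)
"""


@dataclass
class FailoverState:
    enabled: bool
    unit: str           # physical unit you are logged into: Primary / Secondary
    ours_version: str   # software version of the unit you are on
    mate_version: str   # software version reported for the mate
    this_role: str      # "Primary" or "Secondary" for this host
    this_state: str     # e.g. "Active"
    other_role: str
    other_state: str    # e.g. "Standby Ready", "Failed", "Not Detected"
    bad_interfaces: List[Tuple[str, str, str]]  # monitored interfaces not Normal


def parse_show_failover(text: str) -> FailoverState:
    """Pull the fields the upgrade procedure cares about out of 'show failover'."""
    enabled = re.search(r"^Failover (On|Off)\b", text, re.M)
    unit = re.search(r"^Failover unit (\w+)", text, re.M)
    ver = re.search(r"^Version: Ours ([^,]+), Mate (.+)$", text, re.M)
    this = re.search(r"This host: (\w+) - ([^<\n]+)", text)
    other = re.search(r"Other host: (\w+) - ([^<\n]+)", text)
    if not (enabled and unit and ver and this and other):
        raise ValueError("unrecognised 'show failover' output")

    # Any monitored interface that is not "Normal" (No Link, Failed, Waiting...)
    # means a failover right now would lose traffic on that interface.
    bad = []
    for m in re.finditer(r"Interface (\S+) \(([^)]+)\): (.+?) \(([\w-]+)\)", text):
        name, ip, state, monitoring = m.groups()
        if monitoring == "Monitored" and state != "Normal":
            bad.append((name, ip, state))

    return FailoverState(
        enabled=enabled.group(1) == "On",
        unit=unit.group(1),
        ours_version=ver.group(1).strip(),
        mate_version=ver.group(2).strip(),
        this_role=this.group(1),
        this_state=this.group(2).strip(),
        other_role=other.group(1),
        other_state=other.group(2).strip(),
        bad_interfaces=bad,
    )


def ok_to_reload_standby(st: FailoverState) -> bool:
    """Gate for step 5: on the Primary, it is Active, mate is Standby Ready, all clean."""
    return (st.enabled and st.unit == "Primary" and st.this_state == "Active"
            and st.other_state == "Standby Ready" and not st.bad_interfaces)


def ok_to_fail_over(st: FailoverState, new_version: str) -> bool:
    """Gate for steps 6/7: mate is back as Standby Ready on the new image, all clean."""
    return (st.enabled and st.this_state == "Active"
            and st.other_state == "Standby Ready"
            and st.mate_version == new_version and not st.bad_interfaces)


def upgrade_complete(st: FailoverState) -> bool:
    """Final check after step 9: both units run the same version and are healthy."""
    return (st.enabled and st.ours_version == st.mate_version
            and st.other_state == "Standby Ready" and not st.bad_interfaces)


if __name__ == "__main__":
    state = parse_show_failover(SHOW_FAILOVER)
    print(f"this host: {state.this_role} - {state.this_state} ({state.ours_version})")
    print(f"mate:      {state.other_role} - {state.other_state} ({state.mate_version})")
    print("safe to 'no failover active':", ok_to_fail_over(state, "9.1(1)"))
```

Feed it the raw text you get back from the console; the version strings are compared verbatim against what the ASA prints (so pass "9.1(1)", not "9.1.1"), and the interface check deliberately ignores interfaces the ASA reports as Not-Monitored, because those do not influence failover decisions.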