Configuring Cisco HSRP

KB ID 0000946 

Problem

Cisco HSRP: Normally your client machines have one route off the network, (their default gateway). But what if that goes down? HSRP aims to solve this problem by assigning a ‘Virtual IP address’ to your default gateway (or default route). So that IP can be shared amongst two or more possible devices (routers, or layer 3 switches).

Above, we have a client 192.168.1.10 that has two possible routes off the network, (.254 and .253). We will setup a virtual IP of .250 and both routers can use that IP, (if they are the active gateway). Below is a brief overview of how to set it up.

Deploy Cisco HSRP

Setting up Cisco HSRP

1. On the first router (Router0), add the standby IP address (192.168.1.250) the ‘1’ denotes the standby group (a number from 0 to 4096). It comes up as standby, then after it has checked (via multicast address 224.0.0.2 on UDP port 1985). It finds no other live HSRP devices using that IP address so it becomes ‘Active’.

[box]

Router0>enable
Router0#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 ip 192.168.1.250
Router0(config-if)#

%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active

Router0(config-if)#

[/box]

2. Repeat this on the second Router, this one discovers the ‘Active’ router and sets itself up as ‘Standby’.

[box]

Router1>
Router1>enable
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 ip 192.168.1.250
Router1(config-if)#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby

Router1(config-if)#

[/box]

3. You can prove this by running show standby (or do show standby in configure terminal mode).

[box]

Router0

Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
8 state changes, last state change 00:02:02
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.055 secs
Preemption disabled
Active router is local
Standby router is 192.168.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router0#

Router1

Router1#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Standby
3 state changes, last state change 00:10:44
Virtual IP address is 192.168.1.250
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.125 secs
Preemption disabled
Active router is 192.168.1.254
Standby router is local
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router1#

[/box]

4. That is HSRP configured! However there are a few changes you might want to make, for example, what if one router had a 100MB leased line, and the other was a 2MB ADSL line, you would want the fastest one to be in use, (as long as it was up). To achieve that, give the router with the fastest connection a higher priority (you may notice above, that by default the priority is 100). Be aware, even if a router has the highest priority, it wont ‘seize’ the virtual IP, it just sits and waits until it’s available. For our 100MB and 2MB example that’s not good. We would want Router1 to seize the virtual IP as soon as it can. To do that we need to set it to preempt. (Note: This process is called ‘launching a coup’).

[box]

Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 priority 105
Router1(config-if)#standby 1 preempt

[/box]

5. At this point it’s important to say, that in our scenario we would also need to setup a virtual IP for the ‘other side’ of the routers (i.e their GigabitEthernet 0/1 interfaces), or the remote client (172.16.1.10) would not be able to return our ‘pings’ or get any traffic back to us. So lets setup a virtual HSRP address on that side as well. Notice I just use another standby group number.

Note: To work the remote host 172.16.1.10 will need its default gateway changing to the HSRP Virtual IP of 172.16.1.250.

[box]

Router0 

Router0(config)#interface GigabitEthernet0/1
Router0(config-if)#standby 2 ip 172.16.1.250
Router0(config-if)#

Router1

Router1(config)#interface GigabitEthernet0/1
Router1(config-if)#standby 2 ip 172.16.1.250
Router1(config-if)#

[/box]

6. Finally we have set Router0 with the highest priority and set it to seize the virtual IP as soon as it can. But what if another interface on Router1 goes down? e.g. If the GigabitEthernet 0/1 interface were to go down, HSRP would not do anything because it’s tracking both the GigabitEthernet 0/0 interfaces, so communications would fail.

To solve the problem we need to tell it which interfaces to ‘Track’. In our example we need to track GigabitEthernet 0/1, if that goes down we need to give the virtual IP address to the standby ‘router’. This works because once we tell it to ‘track’ the GigabitEthernet 0/1 interface, if that were to fail it will DECREMEMT the routers priority by 10. So for Router0 its priority would drop to 95, this is five less than the default value of 100 (on Router1). But Remember, at the moment that fail-over would still fail, unless you allow Router1 to preempt and launch a coup.

[box]

Router0 

Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 track GigabitEthernet0/1
Router0(config-if)#

Router1

Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 preempt
Router1(config-if)#

[/box]

7. We can see that by running a ‘show standby’ on Router0.

[box]

Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
7 state changes, last state change 00:00:31
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.81 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.253, priority 115 (expires in 7 sec)
Priority 115 (configured 115)
Track interface GigabitEthernet0/1 state Up decrement 10
Group name is hsrp-Gig0/0-1 (default)
GigabitEthernet0/1 - Group 2 (version 2)
State is Active
6 state changes, last state change 00:00:28
Virtual IP address is 172.16.1.250
Active virtual MAC address is 0000.0C9F.F002
Local virtual MAC address is 0000.0C9F.F002 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.81 secs
Preemption disabled
Active router is local
Standby router is 172.16.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/1-2 (default)
Router0#

[/box]

Related Articles, References, Credits, or External Links

NA

Window Server – Configuring NIC Teaming

KB ID 0000786 

Problem

One great new feature of Server is bult in network ‘Teaming’. To do this normally takes some third party software, either form the server vendor (HP Teaming) or from the NIC manufacturer.

It utilises a new Windows feature called LBFO, this lets you both aggregate links, and have links available in the event of failover.

Note: NIC Teaming only supports up to 32 network cards.

Solution

1. Launch Server manager > All Servers > Select the server you ant to create a team on > Right Click > Configure NIC Teaming.

2. Select the NICs you want to add to the team > Right Click > Add to New Team.

3. Give the Team a name > OK.

Note: By default ‘Switch independent’ will be selected, this is probably what you want (see below) > OK.

Windows Server 2012 NIC Teaming Modes

Static Teaming: Requires configuration on the switch, which must be configured for IEEE 803.3ad (draft v1).

Switch Independent: Generally requires no switch configuration and can be connected to multiple switches.

LACP: Requires configuration on the switch, which must be configured for IEEE 802.1ax, and support LACP. Note: On a Cisco Catalyst this would be a port-channel, on an HP Networking switch this would be called an LACP trunk.

4. Now if you look under ‘Network Connections’ you will see a new one with the name you created.

5. Configure this new Teamed NIC, and simply treat it as a single network card.

Configure Teaming via PowerShell

To do the same as we did above use the following command;

[box]

New-NetLbfoTeam -Name TEAM -TeamMembers NIC1,NIC2,NIC3,NIC4 -TeamingMode SwitchIndependent

[/box]

Related Articles, References, Credits, or External Links

NA

Juniper SRX – ‘The Routing Subsystem Is Not Running’

KB ID 0001045 

Problem

While trying to deploy Solarwinds to monitor a Juniper SRX failover cluster, we were having no joy connecting to the management interface of the secondary/standby firewall. The management (fxp0) interface on the primary (node0) firewall we could get to OK.

]

After jumping on the secondary firewall (via the console connection) we observed the following;

error: the routing subsystem is not running

Solution

As you can see (above) I couldn’t get the routing services started. And I soon found out, this is quite normal, the primary (active) firewall maintains the routing instance, the secondary firewall does not.

Well that fine but what about out Solarwinds box, what happens if the secondary firewall goes down? No one would know, and we also can’t take daily backups of its config.

To fix this problem you need to use the ‘backup-router’ command. This lets the appliance maintain some routes in the event that it is not hosting the live routing instance.

1. I’ll connect to to the primary firewall from this console session on the secondary firewall with the following command;

[box]request routing-engine login node0[/box]

2. Now I can add the backup-router routes, but assign them to the secondary (node1) firewall. Note: Where 192.168.100.1 is the next hop.

[box]

To get traffic back to the Solarwinds Management Server

set groups node1 system backup-router 192.168.100.1 destination 10.1.20.10/32

To get traffic back to the Cisco ACS Appliance

set groups node1 system backup-router 192.168.100.1 destination 10.1.20.10/32

[/box]

3. Don’t forget if the firewalls failover you will have the same problem (but the opposite way round), so I need the same to the primary node as well.

[box]

To get traffic back to the Solarwinds Management Server

set groups node0 system backup-router 192.168.100.1 destination 10.1.20.10/32

To get traffic back to the Cisco ACS Appliance

set groups node0 system backup-router 192.168.100.1 destination 10.1.20.10/32

[/box]

3. Save the config with a ‘commit’ command.

Related Articles, References, Credits, or External Links

NA

 

Cisco CSC – Upgrade the Operating System

KB ID 0000807 

Problem

Upgrading the operating system on the CSC module is pretty straight forward, as long as you have a valid support agreement for your hardware and a CCO account you can download the updates straight from Cisco (here).

Solution

WARNING: It’s rare that you can update straight to the latest version, by all means try, and the CSC module will simply error if it will not accept the version you are trying to update to.

WARNING 2: This may involve some downtime, especially if your CSC module is configured to fail-closed, you may wish to set it to fail-open during the upgrade to minimise disruption. Unless you have a dual failover firewall solution, in which case scroll down.

You can do this via command line if you wish, but it’s a lot simpler to do via the web console. You will need to download your updated software (with the .pkg extension NOT the .bin extension).

Once downloaded, log into the web portal of the CSC module https://{IP-Address}:8443 > Administration > Product Upgrade > Browse > Locate your update > Upload > Go an have a coffee, it will take a while.

Upgrading CSC Modules in a Failover Pair

If you have firewalls deployed in failover, then you will have two CSC modules to upgrade.

1. Just for ease I’m showing the command line and the web console view. Start by upgrading the CSC module in the Secondary Standby firewall, here I’m upgrading 6.3.1172.0 to 6.3.1172.4.

2. Now I take the same module to 6.6.1125.0.

3. Once I know the system has updated and is back online, I jump onto the Primary Active firewall and force a failover to the Secondary Standby firewall.

Check module status with;

[box]
show module 1 detail
[/box]

To force failover, on the Primary Active firewall.

[box]

configure terminal
no failover active

[/box]

4. Note: At this point the screen looks the same as above, but ‘physically’ the firewalls have swapped over, the Primary is now Standby and can be updated. Below I’m upgrading from 6.2.1599.0 to 6.2.1599.6.

5. Now we can see both modules are running the latest (at time of writing), product version.

6. Now to fail back simply issue the following command an the Secondary Active firewall;

[box]

configure terminal
no failover active

[/box]

7. You can also check the versions match with the following command;

[box]
show failover
[/box]

Related Articles, References, Credits, or External Links

NA

ASA 5505 Determine Your License Version

KB ID 0000701

Problem

If you are having problems with internal clients NOT getting through the firewall, the license on your ASA 5505 may be ‘to small’.

ASA 5505 License Differences

Essentially the licenses come in 10 user, 50 user, and unlimited*. You can also have a Security Plus License, this increases IPSEC VPN’s from 10 to 25, and adds Active/Standby failover, Dual ISP Support, and DMZ Support.

*Note: These figures are the concurrent total users, for internal clients making connections through the firewall, from the internal VLAN to the external VLAN (not between internal VLANS). If you have no default route defined then the limit is placed in ALL hosts on ALL VLANS.

From Cisco 

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

Solution

To locate your license version issue the following command whilst in enable mode. ‘sho ver or show version’.

code?

ASA 5505 10 User License

ASA5505 50 User License

ASA 5505 Unlimited License

ASA 5505 Security Plus License

Related Articles, References, Credits, or External Links

Find out your Cisco ASA version (Operating system and ASDM)

Cisco ASA 5500 – Adding Licenses

 

Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade

KB ID 0000733

Problem

You have two ASA firewalls deployed in Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution you do not want any downtime.

Before we start, we need to make sure we know the difference between primary, secondary, active and standby.

From the rear (Active=Green, Standby=Amber)

The Primary and Secondary firewalls are physical firewalls, the primary will always be the primary, and the secondary will always be the secondary. (Unless you manually change the configuration to force things otherwise!).

The Active firewall will be the firewall that’s passing traffic and in operation, and the Standby firewall is sat waiting to take over, each physical firewall can be either active or standby.

Solution

To get updates from Cisco you need to have a valid support agreement for your firewalls and a Cisco CCO account to log in with. (download link)

In this example, I’m going to upgrade both the firewalls from 8.4(5) to 9.1(1), and the ASDM from version 7.1(1) to 7.1(1)-52. When we start, the primary firewall is the active firewall.

In the past I’ve upgraded from 8.2(5) to 8.4(5), and (here) 8.4(5) to 9.1(1). I’ve never had a problem HOWEVER, DO NOT ATTEMPT an upgrade until you have a good backup of the config.

Backup and Restore a Cisco Firewall

1. First you need to upload the software to the flash memory on BOTH firewalls, you can either connect to the ASA via command line and TFTP them there, or connect to the ASDM and upload them from your PC/Laptop. If you have an AnyConnect XML profile take a backup of that also (I’ve seen them disappear).

Install and Use a TFTP Server

Upload via Command Line

[box]

UPLOAD THE OPERATING SYSTEM

Petes-ASA> enable
Password:*********  
Petes-ASA#copy tftp flash 

Address or name of remote host []? 10.0.0.127

Source filename []? asa911-k8.bin

Destination filename [disk0]? asa911-k8.bin

Accessing tftp://10.1.0.127/asa911-k8.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<<<<Removed lots for the sake of Space>>>>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Writing file disk0:asa911-k8.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!! 

<<<<Removed lots for the sake of Space>>>> 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

27260928 bytes copied in 49.250 secs (556345 bytes/sec)

UPLOAD THE ASDM SOFTWARE

Petes-ASA#copy tftp flash 

Address or name of remote host []? 10.0.0.127

Source filename []? asdm-711-52.bin

Destination filename [disk0]? asdm-711-52.bin

Accessing tftp://10.1.0.127/asdm-711-52.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<<<<Removed lots for the sake of Space>>>> 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Writing file disk0:asdm-711-52.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!! 

<<<<Removed lots for the sake of Space>>>> 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

17790720 bytes copied in 32.200 secs (555960 bytes/sec)

[/box] Upload via ASDM Connect to the ASDM > Tools > File Management > File Transfer > Between Local PC and Flash > Navigate to the file(s) on your local machine > Upload.

REMEMBER TO DO THIS FOR BOTH FIREWALLS! Note: You can copy the file to the standby firewall’s flash memory, from the primary firewall, using the following syntax (though I usually just swap the console cable over!).

[box]

Petes-ASA(config)# failover exec mate copy tftp://10.0.0.115/asa911-k8.bin disk0:/asa911-k8.bin

[/box]

2. On the Primary Active Firewall, set the new OS as the default, below I check to see what file the ASA will boot from, then I change it to the new one, finally I remove the link to the old file. You don’t need to carry out the last step, but I like to leave things tidy.

[box]

Petes-ASA# show running-config boot system
boot system disk0:/asa845-k8.bin
Petes-ASA# configure terminal
Petes-ASA(config)# boot system disk0:/asa911-k8.bin
Petes-ASA(config)# no boot system disk0:/asa845-k8.bin
Petes-ASA# show running-config boot system
boot system disk0:/asa911-k8.bin

[/box]

3. If you are also upgrading the ASDM, you need to set the new one as the default image.

[box]

Petes-ASA(config)# asdm image disk0:/asdm-711-52.bin
Petes-ASA(config)# show run asdm image
asdm image disk0:/asdm-711-52.bin
no asdm history enable

[/box]

4. Save the changes.

[box]

Petes-ASA(config)# write mem 

Building configuration...

Cryptochecksum: e150e036 036082e0 6d054a3d 1c7fd9fa

16257 bytes copied in 3.350 secs (5419 bytes/sec) [OK]

[/box]

5. Whilst still on the primary active firewall, you need to reboot the secondary standby firewall with the following command:

[box]

Petes-ASA(config)# failover reload-standby
YOU MAY SEE A WARNING LIKE THE FOLLOWING - THIS IS OK

************WARNING****WARNING****WARNING******************************** 
Mate version 9.1(1) is not identical with ours 8.4(5) 
************WARNING****WARNING****WARNING******************************** 
Beginning configuration replication: Sending to mate. End Configuration Replication to mate
Petes-ASA(config)#

[/box]

6. This may take a little while, remember it has to reboot, and depending on the version you are upgrading to, may need to change some of the config i.e. in this case of upgrading pasr 8.3 (and newer) all the NAT rules need to be changed. You can check to see if it’s back online by issuing a ‘show failover command (whilst still on the primary firewall). You will know when the secondary firewall is up and ready as you will see ‘Secondary – Standby Ready’.

Note: If you can see the status lights on the standby firewall watch for them to be green,green,amber,green,off (ASA5510).

Warning: Due to the limitations of HTML, your output will be formatted a little differently, you will see the output displayed like this, but the text is the same.

[box]

Petes-ASA(config)# show failover

Failover On Failover unit Primary Failover LAN Interface: 
failover Management0/0 (up) 
Unit Poll frequency 1 seconds, 
holdtime 3 seconds 
Interface Poll frequency 3 seconds, 
holdtime 15 seconds 
Interface Policy 1 
Monitored Interfaces 3 of 110 maximum 
Version: Ours 8.4(5), Mate 9.1(1) 
Last Failover at: 13:25:54 GMT/BST Dec 6 2012 
This host: Primary - Active Active time: 350 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys) 
Interface outside (123.123.123.123): Normal (Monitored) 
Interface inside (10.0.0.254): Normal (Monitored) 
Interface backup (234.234.234.235): Normal (Monitored) 
slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.2.1599.0) status (Up/Up) 
Logging port IP: 10.0.0.252/24 CSC SSM, 6.2.1599.0, Up 
Other host: Secondary - Standby Ready <<<<<< Here we go! 
Active time: 326 (sec) slot 0: ASA5510 hw/sw rev (2.0/9.1(1)) status (Up Sys) 
Interface outside (123.123.123.124): Normal (Monitored) 
Interface inside (10.0.0.249): Normal (Monitored) 
Interface backup (234.234.234.234): Normal (Monitored) 
slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.3.1172.0) status (Up/Up)

Logging port IP: 10.0.0.248/24
CSC SSM, 6.3.1172.0, Up
Stateful Failover Logical Update Statistics 
Link : failover Management0/0 (up) 
Stateful Obj xmit xerr rcv rerr 
General 1709 0 491 49 
sys cmd 58 0 58 0 
up time 0 0 0 0 
RPC services 0 0 0 0 
TCP conn 896 0 244 48 
UDP conn 280 0 45 1 
ARP tbl 474 0 141 0 
Xlate_Timeout 0 0 0 0 
IPv6 ND tbl 0 0 0 0 
VPN IKEv1 SA 0 0 1 0 
VPN IKEv1 P2 1 0 1 0 
VPN IKEv2 SA 0 0 0 0 
VPN IKEv2 P2 0 0 0 0 
VPN CTCP upd 0 0 0 0 
VPN SDI upd 0 0 0 0 
VPN DHCP upd 0 0 0 0 
SIP Session 0 0 0 0 
Route Session 0 0 0 0

User-Identity 0 0 1 0
Logical Update Queue Information Cur Max Total Recv Q: 0 24 2101 Xmit Q: 0 1 2311
Petes-ASA(config)#

[/box]

7. Now you need to force a failover to the secondary firewall, (again do this on the primary active firewall).

[box]

Petes-ASA(config)# no failover active
Petes-ASA(config)#
Switching to Standby

[/box]

8. Now reboot the primary firewall and that should boot to its new operating system.

[box]

Petes-ASA(config)# reload
Proceed with reload? [confirm] {Enter}
[/box]

9. Once complete, log back in and you can make the primary firewall active once more.

[box]

Petes-ASA>

Detected an Active mate Beginning configuration replication from mate.

Petes-ASA> 

End configuration replication from mate. 
Petes-ASA> en 
Password:********* 
Petes-ASA# configure terminal 
**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized. 

Petes-ASA(config)# failover active  

Switching to Active

[/box]

Related Articles, References, Credits, or External Links

Deploy Cisco ASA 55xx in Active / Standby Failover

Cisco ASA5500 Update System and ASDM (From CLI)