ASA OS Upgrade Active/Standby

ASA 5585X Cluster / Multi Context

Pre-reqs

1) Config Backup
“more system:running-config”

HA Active/Standby

1) Check the upgrade path on the release notes of the new version for the ASA model.
2) {9.4(2)11} -> {9.8(3)18}
3) Note the MD5 hash for all versions

4) (Optional) Make sure the current ASDM version is compatible with the new ASA version; upgrade ASDM if required
“conf t
asdm image disk0:/{asdm-792-152.bin}
end
wr”


5) Note which device is Primary/Secondary and which is Active/Standby
“show failover”

6) Upload all required images to both ASAs
“copy {Source}:/{asa983-18-smp-k8.bin} disk0:/”
Repeat for all versions


7) Verify the images are not corrupt on both ASAs
“verify /md5 disk0:/{asa983-18-smp-k8.bin}”
Compare the result with the MD5 hash from Cisco’s website noted in Step 3
Repeat for all versions


8) Verify both ASAs have all the required files uploaded, including the ASDM and AnyConnect images
“dir”


9) Check which image is currently being used on the Active ASA
“show boot”
“show run | inc boot”


10) Remove any images referenced in the running config on the Active ASA
“conf t
no boot system image disk0:/{asa942-11-smp-k8.bin}
end”


11) Change the boot variable to point to the desired image and save the config
“conf t
boot system image disk0:/{asa983-18-smp-k8.bin}
end
wr”


11a) If “Primary/Active and Secondary/Standby” follow Step 11; if “Secondary/Active and Primary/Standby” follow Step 12

11a) Primary/Active and Secondary/Standby
On the Active ASA:
“failover reload-standby”

11b) Wait for the Standby ASA to come back online; once online, verify it has been upgraded
On the Active ASA:
“failover exec standby show version”

11c) Fail over services to the Secondary ASA
On the Active ASA:
“no failover active”
Verify the Secondary ASA is now Active
“show failover”

11d) Upgrade the Primary/Standby ASA
On the Active ASA:
“failover reload-standby”

11e) Wait for the Standby ASA to come back online; once online, verify it has been upgraded
On the Active ASA:
“failover exec standby show version”

11f) Fail back services to the Primary ASA
On the Active ASA:
“no failover active”


12a) Secondary/Active and Primary/Standby
On the Active ASA:
“failover reload-standby”

12b) Wait for the Standby ASA to come back online; once online, verify it has been upgraded
On the Active ASA:
“failover exec standby show version”

12c) Fail over services to the Primary ASA
On the Active ASA:
“no failover active”
Verify the Primary ASA is now Active
“show failover”

12d) Upgrade the Secondary/Standby ASA
On the Active ASA:
“failover reload-standby”

12e) Wait for the Standby ASA to come back online; once online, verify it has been upgraded
On the Active ASA:
“failover exec standby show version”

12f) Fail back services to the Secondary ASA
On the Active ASA:
“no failover active”


13) Repeat steps 9, 10 and 11 (or 9, 10 and 12) until the ASAs are on the desired version
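
Added example (not part of the original runbook): a Python check that reads “show failover” output captured on the Active unit, picks the Step 11 or Step 12 branch, and only clears “no failover active” once the standby is in Standby Ready on the target version. The sample output is constructed, and the function names and the reliance on the “Version: Ours ..., Mate ...” line are assumptions of this example.

```python
import re

# Constructed sample of "show failover" output, taken on the Active unit after
# the Standby has reloaded onto the new image (layout assumed, values made up).
SAMPLE = """\
Failover On
Failover unit Primary
Version: Ours 9.4(2)11, Mate 9.8(3)18
        This host: Primary - Active
                Active time: 13434 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$", re.M)
VER_RE = re.compile(r"^\s*Version:\s*Ours\s+(\S+?),\s*Mate\s+(\S+)\s*$", re.M)


def parse_failover(text):
    """Return (role, state) for both units plus the Ours/Mate versions."""
    hosts = {m.group(1).lower(): (m.group(2), m.group(3)) for m in HOST_RE.finditer(text)}
    ver = VER_RE.search(text)
    if set(hosts) != {"this", "other"} or ver is None:
        raise ValueError("unrecognised 'show failover' output")
    return {"this": hosts["this"], "other": hosts["other"],
            "ours": ver.group(1), "mate": ver.group(2)}


def procedure_branch(state):
    """Step 11 applies when the Primary is Active, Step 12 when the Secondary is."""
    role, status = state["this"]
    if status != "Active":
        raise ValueError("run this on the Active unit")
    return "11" if role == "Primary" else "12"


def safe_to_fail_over(text, target):
    """Gate for 'no failover active': standby must be healthy and upgraded."""
    state = parse_failover(text)
    if state["this"][1] != "Active":
        return False, "this unit is not Active"
    if state["other"][1] != "Standby Ready":
        return False, "standby state is %r" % state["other"][1]
    if state["mate"] != target:
        return False, "standby runs %s, expected %s" % (state["mate"], target)
    return True, "standby is ready on %s" % target
```

Run it against the output collected at steps 11b/12b and 11e/12e, passing the target version from Step 2 (here 9.8(3)18).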