Tuesday, March 2, 2010

Zero Downtime Firmware Upgrade for Cisco ASA Active/Standby

We have a pair of Cisco ASA 5520 configured in Active/Standby mode. Both management interfaces share the same IP address. But, how do you upgrade both firmwares with zero down-time remotely? (Note: Both nodes may sync their configuration and state but not the ASA image).

SSH to the active node. Upgrade its image by doing "copy tftp: flash:" and configure the system to boot from new image "boot system image". Force the standby unit to take over by executing "failover exec standby failover active". The first part "failover exec standby" is to send command to the standby unit. "failover active" is to force the unit to takeover the active role. The connection will drop. Once you reconnect, you will be connecting to the other node. Repeat the same process on this newly active node mentioned in the first sentence of this paragraph. You may reload the standby unit for the new firmware to take effect by executing "failover reload-standby" from the active node when the upgrade is complete.

3 comments:

  1. Instead of forcing standby unit to take over e.g. "failover exec standby failover active", you can also let the active unit to give up its active status by executing "no failover active".

    ReplyDelete
  2. Hi Samuel, check with you. What do you think of the steps recommended by cisco on this link :
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mswlicfg.html#wp1057338
    as I find a slight different steps related to upgrading HA asa. Have you happen to tried Cisco's steps before? Thanks.

    ReplyDelete
    Replies
    1. In my earlier post, I realised there was a better and neater option of using "no failover active" instead of doing remote exec.

      Delete