Cisco Firewall :: HA Pair Of ASA 5520s Upgrade Procedure

Jan 6, 2012

I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure. I read "Upgrading an Active/Standby Failover Configuration" at [URL], which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby. But I was wondering if there's a way to be a bit safer. I'd like to modify the standby unit, without affecting the config on the active. So I'd like to modify the boot statement on the standby without modifying the active config. That way, in case there's a problem and the active reboots, it won't upgrade.
 
Can I modify the config on the standby without affecting the active? Then I'd like to test the newly upgraded unit with our production traffic.  Would that simply be no failover active, and then once the standby becomes active -- test traffic?  Once everything is okay, I would upgrade the second unit, and fail traffic back.

View 3 Replies



Cisco Security :: Pair Of 5520s Running 8.2(3) In Fail Over Active / Standby

Jun 29, 2011

I have a pair of 5520s running 8.2(3) in failover active/standby, routed mode. I have an issue with SSH, as it stopped working after a short time, less than 8hrs, during the network being installed. Telnet is working fine, as is https/asdm. I have re-created the crypto key and the ssh access is allowed. When I try to connect I just get a flashing cursor; telnet to the IP and port 22 also works.

View 1 Replies View Related

Cisco Firewall :: Upgrade IOS On ASA5510 Fail Over Pair

Aug 17, 2011

I am a bit unclear as to the upgrade path I should take - I have 2 ASA 5510s in active/standby running 8.0(4)34 and would like to upgrade to 8.2.5.  Do I need to first upgrade to 8.0.(5) before upgrading to 8.2.5, or can I just jump straight to 8.2.5?

View 4 Replies View Related

Cisco Firewall :: Upgrade IOS On Failover Pair Of ASA 5580's?

Dec 6, 2012

Preparing to upgrade the IOS on a failover pair of ASA 5580's and was wondering what is gonna happen after I've upgraded the IOS on the standby unit and rebooted. How is the active unit going to react when it sees an IOS mismatch prior to me making the standby the primary and upgrading its IOS?

View 2 Replies View Related

Cisco Firewall :: Can Upgrade Active / Standby Pair From 7.2(4) To 8.0(5)25 Directly

Jan 17, 2012

Can I upgrade an Active/standby pair from 7.2(4) to 8.0(5)25 directly, or do I need to upgrade to 8.0.2/4 first?

Upgrade an Active/Standby Failover Configuration

Complete these steps in order to upgrade two units in an Active/Standby failover configuration:

1. Download the new software to both units, and specify the new image to load with the boot system command. Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
2. Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
   active#failover reload-standby
3. When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
   active#no failover active
   Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
4. Reload the former active unit (now the new standby unit) by entering the reload command:
   newstandby#reload
5. When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
   newstandby#failover active

This completes the process of upgrading an Active/Standby Failover pair.

View 10 Replies View Related

Cisco Firewall :: Upgrade ASA 5550 Failover Pair From 8.2 To 8.4 Without Zero-downtime

Jun 28, 2011

Since the "zero-downtime upgrade" is not supported, I would like to validate the process I put together for upgrading a failover pair of asa5550 with the characteristics below. Specifically I am concerned with the role of the standby during the upgrade. This is my setup:
 
.- single context mode
.- active/standby
.- current firmware asa821-k8.bin / asdm-621.bin
.- role: firewall and VPN concentrator for segmented server farm network. Dynamic/static/exemption NAT heavily used.
 
My target is asa842-k8.bin / asdm-645.bin and I am doing a two step upgrade (8.2(1) -> 8.3(1) -> 8.4(2)) to avoid the "unidirectional" attribute and CSCtf89372 bug issues. This is a short version of what I have in mind:
 
.- Verify stability of failover pair and make adequate backups before beginning.
.- plug into the console of active, ssh into active and standby.
.- vpn/act(config)# no failover            ( disable failover from active )

[Code]....

After reboot, point to 8.4(2) and reload again.  Same concern regarding the standby unit.
 
I understand there might be configuration tweaks needed to the NAT configuration. After second reboot test connectivity and if successful, on active "failover", "write standby" and "failover reload-standby". Otherwise "downgrade" and back to the drawing board.

View 6 Replies View Related

Cisco Firewall :: When Upgrading Fail-over Pair Last Week Had To Upgrade ASA5510

Aug 14, 2012

[code] I would like to upgrade the ASA5510 Base license to a Security Plus license. But after the upgrade, the license is still Base. I think I selected the wrong option in the process of upgrading. What should I do for a successful upgrade?

View 2 Replies View Related

Cisco Firewall :: Zero-downtime DRAM Upgrade Of Failover Pair Of 5510 ASAs

Apr 12, 2011

I need to upgrade the active/standby failover pair of 5510 ASA's to have 1 Gig DRAM each, and I am trying to plan out the upgrade process. I'm looking for a zero downtime upgrade process.

I know that the failover pair has to have the same amount of memory, so how do I perform a zero-downtime upgrade process? Can I power off the standby unit and upgrade its memory first? Or will it cause a memory mismatch between the active and standby units when it is powered on?

View 2 Replies View Related

Cisco :: GUI Upgrade Procedure CPI 1.2.1.012 To 1.3.0.020?

Mar 26, 2013

Why isn't a GUI upgrade possible instead of a CLI-initiated upgrade? Is this (GUI) only for patch upgrades, or is it a valid upgrade path to use the Cisco Prime's GUI (Administration; Software Update) in order to upload the update file? Check for updates gives no results though successful login to [URL].

View 3 Replies View Related

Cisco :: 84404s Upgrade Procedure For Multiple WLCs Without N+1

Jan 25, 2012

I would like to discuss another method of a bulk controller upgrade and see what other engineers' take on this upgrade path would be. Say I have an instance of 8 4404s with 50 APs each. In this case I have N+1 redundancy where I can follow the normal procedure.

Normal procedure:
1. Move all APs to controllers 1-4
2. Preload all APs with the new code version
3. Upgrade and reboot empty controllers 5-8 to new code version
4. Move all APs to 5-8 with new code version
5. Upgrade empty 1-4
6. Move all APs back home.

Now take the same scenario, only change it to 80 APs per controller. I've now lost my N+1 and cannot do it quite as smoothly. As opposed to trying to follow the normal procedure and have an extended window of "brown outs", how about doing it all at once?

Black-out accelerated procedure:
1. Preload new code on all controllers
2. Preload new image on all APs on all controllers
3. Reboot all 8 controllers at the same time.
4. Allow time for APs to connect back and load the new image.

I assume with this procedure that I might see around 15-30 minutes of actual downtime to the site, but it seems like that could be preferable to two-three hours of brown outs.

View 6 Replies View Related

Cisco Switching/Routing :: IOS Upgrade Procedure Switch 3750g?

Apr 23, 2013

I am looking for some information on an IOS upgrade for the switch WS-C3750G-48TS-S. I loaded the new image on the flash; the current flash and sh boot are as below.
 
 Switch#sh flash 
Directory of flash:/
     2  -rwx     8859636   Mar 1 1993 00:08:14 +00:00  c3750-ipservicesk9-mz.122-37.SE.bin
    3  -rwx         556   Mar 1 1993 00:02:38 +00:00  vlan.dat
    4  drwx          64   Jan 9 2012 03:17:56 +00:00  crashinfo_ext
    5  -rwx        5768  Apr 24 2013 04:25:28 +00:00  private-config.text

[code]...
 
1) I would like to set the boot system parameter for the new IOS, with the old IOS as secondary as well. Does the command below work? If the IOS does not come up with the new one (12.2.58), does it boot with the old 12.2-35?
 
   boot system flash:c3750-ipservicesk9-mz.122-58.SE2.bin;flash:c3750-ipbase-mz.122-35.SE5
 
2) If I set only boot system flash:c3750-ipservicesk9-mz.122-58, and the new image is corrupt, will the switch check for a valid image and boot up with the old image?
 
3) If the switch goes to room1 switch mode and I still have a valid running IOS c3750-ipservicesk9-mz.122-37.SE.bin in flash memory, how do I restore with the old image?

View 2 Replies View Related

Cisco Firewall :: ASA 5520s Secondary FW Sub-Interface Failure

Mar 3, 2013

I have two ASA 5520s in Active/Standby. I try and test this quarterly to ensure it is working correctly. Everything works fine, except I have an issue with one interface. When doing a show failover, it shows the interface as failed on the secondary unit, and I am not sure why. It shows it as normal on the primary.
 
This host: Primary - Active
Active time: 9277305 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(4)) status (Up Sys)
 Interface WaterworksCanopy (192.x.x.x): Normal

[code]....

View 15 Replies View Related

Cisco Firewall :: 5520s To 5525-Xs - Transfer User Accounts

May 21, 2013

I am in the process of upgrading a client's firewalls from 5520s to 5525-Xs. I have 2 independent firewalls that are merging into a single firewall. Both of the source ones have a TON of user accounts defined for remote user VPN. Is there any way to move these user accounts with passwords intact? The goal is not to have to tell the 250+ users that they need to reset their passwords at once.

View 2 Replies View Related

Cisco Firewall :: Migrate To Multiple Context Mode On ASA 5520s Cluster?

Jun 4, 2012

I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Will either of these scenarios work (or fail)? I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
 
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA

[code]....

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - ISP Change Procedure

Oct 30, 2011

Our company is going to change its ISP. The External Isp are going to obviously change too. We have an Active/Standby Firewall and we would like to make the change with as little connectivity downtime as possible. In our configuration we have nearly all features configured as in a normal Productive Firewall, such as NAT, Site-to-Site VPN, Remote Access Webvpn, ACLs and also routing. I have looked up some information in this community and still I am not sure about the steps to be made so as to reach our goal.

I have read that changing only the "names" from the old IP range to the new IP range would not really make the change. The old IP range will still be configured in the features using the external IP address. Therefore we have to first delete all the information (in the running config) connected to these variables and then re-insert them. My biggest worry is that this could be a little bit tricky during the implementation, if some config lines or objects could be left out during the deleting and inserting procedure.

How could we make this change with a low percentage of "copy and paste failures"? I was thinking about changing the "names" to their new IPs and then afterwards reloading the ASA. Will this work out? Primary ASA will be changed first with the secondary shut down. ASA Firmware 8.2.2 (12).

View 4 Replies View Related

Cisco Firewall :: Password Recovery Procedure For PIX 515e

Apr 27, 2011

My business has an old PIX 515e and I'm about to install it in a "testing" environment, but no one can remember the password for this old equipment. Is there a way to reset the password?

But when it reboots and I write "enable" in the console it asks for a password, and the password isn't "cisco" as factory default. I really need this firewall up and running ASAP.
 
How to reset the "enable"-password?

View 3 Replies View Related

Cisco Firewall :: Monitoring ASA 5505 Firewall Active / Standby Pair Using SNMP?

Sep 7, 2011

How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
 
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?

View 1 Replies View Related

Cisco Firewall :: 5520 - Procedure To Replace Failed Secondary ASA Unit

Apr 10, 2012

I just received an RMA for a failed ASA 5520 that was acting as the secondary unit in a multicontext configuration. What would be the correct procedure to install it back in production? Do I need to restore the backed up config of the fallen unit, or is it just enough to enable multimode and connect to the existing (primary) unit? Any good link for documentation that deals with these issues?

View 5 Replies View Related

Cisco Firewall :: ASA 5520s From Active / Standby To Active / Active

Jul 17, 2012

I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.

View 6 Replies View Related

Cisco Switching/Routing :: Pair Of N7K Distribution Switches Connected To A Pair Of Aggregation Switches

Mar 11, 2012

We have a pair of N7K distribution switches connected to a pair of N7K Aggregation switches. We run vPC on both pairs of n7k's.

-n7k-d1 has two interfaces in a Port-Channel connecting to n7k-a1 & n7k-a2. (PC1)
-n7k-d2 also has two interfaces in a Port-Channel connecting to n7k-a1 & n7k-a2. (PC2)
 
My problem is that Spanning-Tree is blocking PC2 and all traffic from n7k-d2 is traversing the Peer-Link before reaching the Aggregation layer. Is this the best design for connecting two pairs of n7k's with vPC or if a better design would be to connect all 4 links into the same Port-Channel and vPC?

View 7 Replies View Related

Cisco Firewall :: ASA 5520 - Failover Pair

Oct 31, 2012

I am trying to set up a failover pair on Cisco ASA 5520 - need a stateful failover. Do I need two ports dedicated to obtain the above - one for LAN-based failover and one for stateful failover? Also, do I need a switch in between to connect them?

View 11 Replies View Related

Cisco Firewall :: 5520 - ASA Failover Pair With Different License

Apr 15, 2013

I have a running ASA5520 in my network and recently we planned to add a failover pair as a standby unit for the running ASA. Both of the ASAs have the same specs and software. The only thing that the soon-to-be secondary ASA does not have is the AnyConnect Essential license. Is it still possible for the unit to be the standby unit?

Below is the license capture from both of the units.
 
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150     

[Code].....

View 3 Replies View Related

Cisco Firewall :: Activation Key For ASA 5520 Failover Pair

Mar 20, 2012

We have recently got 2 of our Cisco ASA 5520 firewalls through RMA. These are supposed to run in an Active/Active Failover Pair. There was only 1 RMA request that was opened for both the firewalls. We have received only 1 Activation key for this RMA request for both the firewalls. Just want to check with you if this Activation key will work on both firewalls or do we need to get a separate one for the other box.

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Splitting Up Failover ASA Pair

Nov 11, 2012

I have a pair of ASA5510s currently running as a failover pair. For some reason we need to move one of the firewalls to another site. Is there any best practice on splitting up the failover pair so that I can re-configure the secondary unit offline?

I'm thinking to power down the secondary unit, unplug it from the network totally, then erase the configuration on the secondary unit on console so I can re-configure it. For the primary unit, I will disable the failover config by "no failover" on the primary unit. Is that all that is necessary for splitting up the failover cluster?
 
Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
 
Internal ATA Compact Flash, 256MB
 
BIOS Flash M50FW080 @ 0xffe00000, 1024KB(code)

View 2 Replies View Related

Cisco Firewall :: Adding New ASA 5520 To Failover Pair

Mar 3, 2011

I have one ASA 5520 up and running, with complete configuration (ssl customization, DAP, CSD...) with a bunch of files on the flash drive, etc. I am using software 8.3. Now I received one 5520 that I want to use for failover; it is with 8.3, and I will make sure that ASDM is also the same on both...
 
So, my question is how to make my running ASA to become primary and to push all info (config, files on flash, etc) to new ASA?
 
I found few examples, but nothing tells me how to force one ASA to be the source for sync.

View 2 Replies View Related

Cisco Firewall :: Can Two 5505 FWs Made Into Redundant Pair

Aug 26, 2011

Is it possible to set up two as a redundant pair as you can do with, say, a pair of 5510s?

View 3 Replies View Related

Cisco Firewall :: Replaced A PIX 515E With A Pair Of ASA 5520

Aug 8, 2011

A few weeks ago, I replaced a PIX 515E with a pair of ASA 5520's. We have a few basic web applications behind the ASA's.   Nothing complex;  just port 80/443 traffic. During the swap, we basically just copied the config from the PIX to the ASA. So the config is virtually identical.
 
Since the swap, we have one small set of users who gets timed out when trying to get to the application. This small set of users are scattered across the state of Alaska, and they are all accessing the Internet via a satellite connection. All other users across North America can access the application just fine.  
 
Since the satellite connections are relatively slow, but they worked fine when going through the PIX, I suspect the issue is a difference in the default TTL (or similar parameter) between the PIX and the ASA.

View 5 Replies View Related

Cisco Firewall :: IPS Modules In ASA5510 Active / Standby Pair

Feb 6, 2012

I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will lose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?

View 3 Replies View Related

Cisco Firewall :: ASA 5540 - Active / Standby Failover Pair

Apr 13, 2011

I currently have two 5540's in an Active/Standby pair. The primary unit failed on February 12th, so the secondary ASA is now the active one. My question is this - we have made a lot of changes since February 12th and I am planning on fixing this failover issue over the weekend. Will the secondary (now active) FW sync its config to the non-active FW, or will the failed FW sync its out-of-date config - removing any changes that we've made in the last month or so?

View 1 Replies View Related

Cisco Firewall :: 5510 ASA Failover Pair For Access Second Unit Via VPN

Jun 11, 2009

We are running two failover pairs of ASA (5510, 5505) in two different locations in active/standby configurations. Is it possible to access the inside IP of the standby unit via VPN terminated by the active unit? It's only for monitoring. With our configuration here it is not. Is that possible in general?

View 6 Replies View Related

Split A Single 4 - Pair Ethernet Connection Into Two 2 - Pair Ethernet Connections

Dec 28, 2011

I've got a router on which I run a backup/media/print server, a couple of computers and a voip box. My router has only four ethernet lan sockets which are thus all occupied by the above, but I need to attach at least one further device b

Secondly, could a splitter such as >> this one << do the job? I'm guessing this basically split a single 4-pair ethernet connection into two 2-pair ethernet connections.

View 2 Replies View Related

Cisco Firewall :: ASA-SM Failover Pair In 6500 - Same Mgmt VLAN In All Context

Jun 19, 2012

I have an ASA-SM failover pair in two Catalyst 6500 switches. I send management VLAN 1234 from the switch to the ASA-SM admin context for management purposes. I have another 3 contexts on the ASA-SM. Can I have the same management VLAN 1234 on each ASA-SM context? Can it work?

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Security Plus Licenses - HA Pair Using Active / Standby

Apr 24, 2012

I have two ASA 5505's with Security Plus licenses on both. I am trying to force them to become an HA pair using active/standby. When I enable failover I get this message:

Mate's license (Licensed Cores ) is not compatible with my license (Licensed Cores ). Failover will be disabled.

Do I need to apply new licenses to the ASA's?

Device licence details (same on both): Cisco Adaptive Security Appliance Software Version 8.2(1) [code] This platform has an ASA 5505 Security Plus license.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved