Cisco Firewall :: Zero-downtime DRAM Upgrade Of Failover Pair Of 5510 ASAs
Apr 12, 2011
I need to upgrade the active/standby failover pair of 5510 ASA's to have1 Gig DRAM each, and I am trying to plan out the upgrade process. I'm looking for a zero downtime upgrade process.
I know that the failover pair has to have the same amount of memory, so how do I perform a zero-downtime upgrade process?Can I power off the standby unit and upgrade it's memory first? Or will it cause a memory mismatch between the active and standby units when it is powered on?
View 2 Replies
ADVERTISEMENT
Jun 28, 2011
Since the "zero-downtime upgrade" is not supported, I would like to validate the process I put together for upgrading a failover pair of asa5550 with the characteristics below. Specifically I am concerned with the role of the standby during the upgrade. This is my setup:
.- single context mode
.- active/standby
.- current firmware asa821-k8.bin / asdm-621.bin
.- role: firewall and VPN concentrator for segmented server farm network. Dynamic/static/exemption NAT heavily used.
My target is asa842-k8.bin / asdm-645.bin and I am doing a two step upgrade (8.2(1) -> 8.3(1) -> 8.4(2)) to avoid the "unidirectional" attribute and CSCtf89372 bug issues. This is a short version of what I have in mind:
.- Verify stability of failover pair and make adequate backups before beginning.
.- plug into the console of active, ssh into active and standby.
.- vpn/act(config)# no failover ( disable failover from active )
[Code]....
After reboot, point to 8.4(2) and reload again. Same concern regarding the standby unit.
I understand there might be configuration tweaks needed to the NAT configuration. After second reboot test connectivity and if successful, on active "failover", "write standby" and "failover reload-standby". Otherwise "downgrade" and back to the drawing board.
View 6 Replies
View Related
Dec 6, 2012
Preparing to upgrade the IOS on a failover pair of ASA 5580's and was wandering what is gonna happen after I've upgraded the IOS on the standby unit and rebooted. How is the active unit going to react when it sees an IOS mismatch prior to me making the standby the primary and upgrading it's IOS ?
View 2 Replies
View Related
Jun 11, 2009
we are running two failover pairs of asa (5510, 5505) in two different locations in active/standby configurations.Is it possible to access the inside ip of the standby unit via vpn terminated by the active unit? It's only for monitoring.With our configuration here it is not.Is that possible in general?
View 6 Replies
View Related
Feb 17, 2013
I'm looking for automating a couple failover scenarios. Both VPN redundancy and black hole internet traffic redundancy.I currently use the more reliable T1 connection for the VPN connection and the DSL for internet traffic.My current configuration is working but requires a manual update to get the VPN or black hole back up and operational when either link fails.
[code]....
View 7 Replies
View Related
Jun 5, 2011
We are planning to upgrade IOS on a 5520 pair, from 7.2.4 to 8.2.4, and cause minimum outage. And according to the documentation, we can do the zero downtime IOS upgrade by failing over to the standby ASA and back.
[URL]
So, can during this process, can we go from 7.2.5 to 8.0.5 (last maintenance release), or do we have to move to 8.0.2 first ?
View 2 Replies
View Related
Mar 11, 2012
We are currently on 8.0(4) and planning on upgrading our failover pair to 8.4.2, I read some documents saying that we can perform a zero downtime upgrade.
According the below documents Version 8.2 supports mismatch memory failover, [URL]
Upgrade Path:
Active Firewall: Standby Firewall:
8.0(4) 8.0(4)-->8.2.2
8.0(4) Upgrade RAM-2G---Reload
faiover to standby 8.2.2
8.0(4)--->8.2.2 8.2.2
[code]...
Can I perform zero downtime upgrade with the above upgrade path? Will both the firewalls act as a failover pair if one is on 8.2.2 and other is on 8.4.2.
"Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support." [URL]
View 4 Replies
View Related
Oct 31, 2012
i am trying to setup a failover pair on Cisco asa 5520 - need a state full failover. Do i need two ports dedicated to obtain the above - one for LAN based failover and one for state full fail over ? also do i need a switch in between to connect them ?
View 11 Replies
View Related
Apr 15, 2013
I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running asa. Both of the ASA have the same specs and software. the only thing that the soon to be secondary ASA does not have is the AnyConnect Essential license. is it still possible for the unit to be the standby unit?
below is the license capture from both of the unit.
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
[Code].....
View 3 Replies
View Related
Mar 20, 2012
We have recently got 2 of our Cisco ASA 5520 firewalls through RMA. These are supposed to run in a Active/Active Failover Pair. There was only 1 RMA request that was opened for both the firewalls. We have received only 1 Activation key for this RMA request for both the firewalls. Just want to check with you if this Activation key will work on both firewalls or do we need a get a seperate one for the other box.
View 1 Replies
View Related
Nov 11, 2012
I have a pair of ASA5510 currently running as a failover pair. For some reason we need to move one of the firewall to another site, is there any best practice on splitting up the failover pair then I can re-configure the secondary unit offline?
I'm thinking to power down the secondary unit, unplug it from the network totally then erase the configuration on the secondary unit on console so I can re-configure it. For the primary unit, I will disable the faiolver config by "no failover" on the primary unit. Is that necessarily all thing for splitting up the failover cluster?
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB(code)
View 2 Replies
View Related
Mar 3, 2011
I have one ASA 5520 up and runnign, with complete configuration (ssl customization, DAP, CSD...) with bunch of files on flash drive, etc. I am using software 8.3Now I received one 5520 that I want to use failover, it is with 8.3, I will make sure that ASDM is also the same on both...
So, my question is how to make my running ASA to become primary and to push all info (config, files on flash, etc) to new ASA?
I found few examples, but nothing tells me how to force one ASA to be the source for sync.
View 2 Replies
View Related
Apr 13, 2011
I currently have two 5540's in an Active/Standby pair. The primary unit failed on February 12th, so the secondary ASA is now the active one. My question is this - we have made a lot of changes since February 12th and I am planning on fixing this failover issue over the weekend. Will the secondary (now active) FW sync it's config to the non-active FW, or will the failed FW sync it's out-of-date config - removing any changes that we've made in the last month or so.
View 1 Replies
View Related
Aug 19, 2012
I want to implement Active/Standby cluster with a pair of 5550 ASAs and I have a licensing question. Here is the "sh activation-key detail" output from both devices...
ASA1:
sh activation-key detail:
Serial Number: XXXXX
No active temporary key.
Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
[code]....
This platform has an ASA 5550 VPN Premium license.The flash activation key is the SAME as the running key.So it looks obvious that I'll have to upgrade the first ASA to support 25 SSL VPN Peers in order to build HA cluster, right?Now I want to know do I need the "ASA5505-SSL25-K9" license or something else.
View 12 Replies
View Related
Jun 19, 2012
I have ASA-SM failover pair in two Catalyst 6500 switches. I send from switch to ASA-SM management VLAN 1234 to admin context for management purposes. I have another 3 contexts on ASA-SM. Can I have same managemenet VLAN1234 on each ASA-SM context? Can it work?
View 1 Replies
View Related
May 19, 2012
We have a site with two inbound circuits, one for internet and one for our MPLS. Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall. For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts. OSPF is the routing protocol between all the routers and ASA's and routing is working. In fact, ICMP is working as well. From an inside host (172.16.0.81), we can ping anything on the MPLS network. But when I try to use telnet (for example), the connection fails. If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as it's default gateway, connections will establish.
Both ASAs are running 8.4(3), and have the following commands:
same-security-traffic permit intra-interface
interface Ethernet0/0
nameif outside
[Code]....
And from the MPLS nodes, I can see a tcp request is made.
View 6 Replies
View Related
Mar 6, 2013
Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver?
View 8 Replies
View Related
Dec 4, 2012
I am having a hard time getting tunnel fail over working. My setup is illustrated below:
I derive my default route on the border routers. The 6513 peers with the 7206's using BGP to get the default route from each ISP into the core. On the core I use BGP weighting to get my primary default to point to ISP1. So far so good. When I look at my core I see to defaults with ISP1 preferred.
Each ASA has an IP Sec tunnel to the head end site configured (Not shown). The head end site has a crypto map entry with ISP1 and ISP2 defined (in that order) using the "set peer" command.
Fail over works great if an ISP drops the connection or my 7206 or ASA fails, but... While testing fail over I had an issue where both tunnels would be active and there were issues with traffic between sites. I could not determine the root cause. I can only guess that some traffic was going out one tunnel and when trying to come back across the other tunnel was dropped from the firewall because there was no connection built for it. After reading I found that in order to use multiple peers in the "set peer" statement, I needed to configure my head end as "originate-only". I have not done this yet as I have concerns. If the head end site is "originate-only" and the tunnel, for whatever reason drops, I cannot wait for interesting traffic at the head end site bound for this site to bring up the tunnel as most of the traffic originates at this site.
I have been reading about IKE keep alives and DPD but that doesn't sound like it will re-initiate the tunnel. Is this correct? If so I'm looking for a way to make this work.
View 10 Replies
View Related
Aug 17, 2011
I am a bit unclear as to the upgrade path I should take - I have 2 ASA 5510s in active/standby running 8.0(4)34 and would like to upgrade to 8.2.5. Do I need to first upgrade to 8.0.(5) before upgrading to 8.2.5, or can I just jump straight to 8.2.5?
View 4 Replies
View Related
Jan 6, 2012
I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure. I read "Upgrading an Active/Standby Failover Configuration" at [URL] which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby. But I was wondering if there's a way to a way to be a bit safer. I'd like to modify the standby unit, without affecting the config on the active. So I'd like to modify the boot statement on the standby without modifying the active config. That way incase there's a problem and the active reboots, it won't upgrade.
Can I modify the config on the standby without affecting the active? Then I'd like to test the newly upgraded unit with our production traffic. Would that simply be no failover active, and then once the standby becomes active -- test traffic? Once everything is okay, I would upgrade the second unit, and fail traffic back.
View 3 Replies
View Related
Jan 17, 2012
Can I upgrade Active/standby pair from 7.2(4) to 8.0(5)25 directly or need to upgrade to 8.0.2/4 first? Upgrade an Active/Standby Failover ConfigurationComplete these steps in order to upgrade two units in an Active/Standby failover configuration:Download the new software to both units, and specify the new image to load with the boot system command.Refer to Upgrade a Software Image and ASDM Image using CLI for more information.Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:active#failover reload-standbyWhen the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.active#no failover activeNote: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.Reload the former active unit (now the new standby unit) by entering the reload command:newstandby#reloadWhen the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:newstandby#failover activeThis completes the process of upgrading an Active/Standby Failover pair.
View 10 Replies
View Related
Aug 14, 2012
[code] I would like to the ASA5510 Base license upgrade to Security Plus license. But after the upgrade is still the license of the Base.I think I was wrong option selected in the process of upgrading, how should I do to be successful upgrade
View 2 Replies
View Related
Jun 10, 2011
Zero downtime 3750 stack upgrade?
View 1 Replies
View Related
Feb 3, 2009
Zero downtime 3750 stack upgrade
View 3 Replies
View Related
Sep 30, 2009
Is it possible to upgrade a c3750-stack one member at a time to avoid downtime? I need to keep L3-functionality up.
If I have one etherchannel from access-switch (2 channel-ports in 3750, in different stack-members), my 3750-stack as a distribution layer switch, and another etherchannel (also spread over multiple stack members) to core, can I upgrade the entire stack without traffic interruption?
View 5 Replies
View Related
Sep 6, 2011
When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
Here's a show failover on the primary:
Failover OnFailover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1Monitored Interfaces 6 of 160
[Code].....
View 3 Replies
View Related
Dec 12, 2012
I want to upgrade my DRAM of 256MB to 512MB to support 15.1 IOS image.Can I buy Cisco approved DRAM from third party Like [URL]
View 1 Replies
View Related
Sep 16, 2010
I need to add memory to my ASA 55xx's (running 8.2(2)), some of which are config'd active/active or active/standby. The docs say that ram must be identical, which makes sense for production. My question is this: can I upgrade the standby units first, make them active, and then upgrade their mate? Or must I schedule downtime to take the pair down for the upgrade?
View 4 Replies
View Related
May 31, 2011
Configured ASA 5510 ISP failover and working fine.My ASA as configured as DHCP server also. So its serves IP addressing details including mask,default-gateway, DNS server IPs.Here my issue is whenever my ISP failover occurs my ASA sends previous ISP DNS server IPs to my inside clients.
Here i like to configure my ASA to serve IP addresses dynamically.Or is there any global DNS IP addresses which will work for all ISPs?
View 1 Replies
View Related
Nov 28, 2011
Can I run Cisco ASA failover with dual ISP run active/standby configuration and SLA monitor to monitor the primary ISP gateway and failover to the secondary gateway but not failover to the failover firewall unless an actual event occurred that required a ASA failover?
View 3 Replies
View Related
Oct 16, 2012
I have two ASA 5510's that I want to setup in a Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750's stacked together that connect to the ASA's. Should I run the inside interface on ASA1 to a port on switch 1. Then run the inside interface on ASA2 to a port on switch2? And make sure both those ports are in the same VLAN? But, then when failover occured, how to I automatically make it clear the arp cache so the traffic starts flowing out of the right port?
View 1 Replies
View Related
Nov 25, 2012
I have a customer with two ASA 5510s. All four ports are used by the following interfaces: inside, outside, dmz, and failover. This customer is looking at getting redundant internet connections, but we don't have any ports to the redundant connection. What I'd like to know is it possible to configure sub interfaces on one of the currently occupied ports (I'm thinking inside) and use one for inside and one for failover. This way I could have the other port free for the redundant internet connection.
View 1 Replies
View Related
Sep 27, 2012
Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
[URL]
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"
View 1 Replies
View Related