
Cisco ASA is still popular in many networks around the world. It is well known for its firewall capabilities, which include L3/L4 packet filtering, intrusion prevention, antivirus and VPN termination. For network and security redundancy, you may want more than one Cisco ASA box, configured as a failover pair, so that the network stays up when one box goes down. On top of that, security holes show up in the ASA software from time to time, depending on the release you are running. As an example, on October 8, 2014, Cisco published the critical advisory cisco-sa-20141008-asa describing multiple vulnerabilities in Cisco ASA software, including denial-of-service conditions in VPN, SQL*NET inspection, IKEv2, DNS inspection and SunRPC inspection. In such a case you are strongly recommended to upgrade your Cisco ASA software to a later release in which those problems have been fixed. So how do you do the upgrade without any interruption to your production network? Follow the instructions below for the answer.
Upgrade Type
In this article, we show you the steps for a ZERO downtime upgrade of Cisco ASA software on a failover pair. Which path you can take depends on the release type of the Cisco ASA software you move between; there are three types of upgrade.
Maintenance Release Upgrade
You can upgrade directly from one maintenance release to another maintenance release within the same minor release, for example from 8.2(1) to 8.2(5) as done later in this article.
Minor Release Upgrade
In order to perform a zero downtime upgrade, you have to upgrade from one minor release to the next minor release. Skipping a minor release is not supported for zero downtime. For example, if you are running 7.0(1), you have to upgrade to 7.1(x) first before upgrading to 7.2(x).
Major Release upgrade
For a major release, you can only upgrade from the last minor release of the previous version. For example, assuming 7.5 is the last minor release in the 7.x train, you can upgrade from 7.5 to 8.0, but not from 7.4 to 8.0 (you would have to go to 7.5 first, one minor release at a time).
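The three rules above are easy to get wrong when the gap between current and target is more than one step, so here they are as a small checker. This Python is an added example written for this article, not a tool from Cisco or from the original post. It classifies one current/target pair as a maintenance, minor or major upgrade and, going a little beyond the text, plans the whole chain of hops when the target is several steps away. The table of "last minor release per major train" must come from the Cisco release notes; the value used here (7.2 as the last 7.x release) is an assumption for illustration. The image-name parser only understands the 7.x/8.x naming of this article's files (asa821-k8.bin style), which is also an assumption.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Matches ASA version strings such as "8.2(1)" or "8.2(5.52)"; a fourth number
# is an interim build and does not affect the upgrade-type rules.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.\d+)?\)$")
# Matches the 7.x/8.x image names used in this article, e.g. "asa825-52-k8.bin".
# Assumption: major, minor and maintenance are the three digits after "asa";
# an interim suffix such as "-52" is ignored.
_IMAGE_RE = re.compile(r"^asa(\d)(\d)(\d)(?:-\d+)?-k\d\.bin$")

# Last minor release of each major train.  Assumed table for illustration;
# take the real values from the Cisco release notes for your platform.
LAST_MINOR: Dict[int, int] = {7: 2}


def parse_version(text: str) -> Version:
    """'8.2(5)' -> (8, 2, 5); raises ValueError for anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def image_version(filename: str) -> str:
    """'asa825-52-k8.bin' -> '8.2(5)' (7.x/8.x image naming only)."""
    m = _IMAGE_RE.match(filename.strip())
    if not m:
        raise ValueError(f"unrecognised ASA image name: {filename!r}")
    return f"{m.group(1)}.{m.group(2)}({m.group(3)})"


def classify_upgrade(current: str, target: str,
                     last_minor: Dict[int, int] = LAST_MINOR) -> str:
    """Return 'maintenance', 'minor', 'major' or 'unsupported' for a single hop."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        return "unsupported"                      # same release or a downgrade
    if cur[:2] == tgt[:2]:
        return "maintenance"                      # same major.minor train
    if cur[0] == tgt[0]:
        return "minor" if tgt[1] == cur[1] + 1 else "unsupported"  # no skipping
    if (tgt[0] == cur[0] + 1 and tgt[1] == 0
            and last_minor.get(cur[0]) == cur[1]):
        return "major"                            # last minor -> next major
    return "unsupported"


def zero_downtime_path(current: str, target: str,
                       last_minor: Dict[int, int] = LAST_MINOR) -> List[str]:
    """Ordered hops from current to target using only supported upgrade types.

    Intermediate hops are returned as trains ("7.1"), since any maintenance
    release of that train will do; the final hop is the target itself.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError("target is not newer than current; not an upgrade")
    hops: List[str] = []
    maj, mnr = cur[0], cur[1]
    while (maj, mnr) != (tgt[0], tgt[1]):
        if maj == tgt[0]:
            mnr += 1                               # next minor, same major
        else:
            last = last_minor.get(maj)
            if last is None or mnr > last:
                raise ValueError(f"last minor release of {maj}.x is unknown")
            if mnr == last:
                maj, mnr = maj + 1, 0              # jump to the next major
            else:
                mnr += 1                           # walk up to the last minor
        hops.append(f"{maj}.{mnr}")
    if hops:
        hops[-1] = target                          # final hop is the real image
    else:
        hops.append(target)                        # maintenance-only upgrade
    return hops


if __name__ == "__main__":
    # The article's own case: asa821 -> asa825 is a maintenance upgrade.
    print(classify_upgrade(image_version("asa821-k8.bin"),
                           image_version("asa825-52-k8.bin")))
    print(zero_downtime_path("7.0(1)", "8.0(2)"))
```

With the article's own file names the checker answers "maintenance", so a single round of the failover dance described further down is enough. A plan such as zero_downtime_path("7.0(1)", "8.0(2)") comes back as ['7.1', '7.2', '8.0(2)']: three separate rounds, each one a full reload of both units.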
Get Proper Software Version
You need to get the proper software version for your Cisco ASA boxes before anything else; without it there is nothing to upgrade to. You can, of course, download the software from the Cisco website if you have a valid service contract. But what if you do not have one? Well, this is easy: you can send an email to [email protected] to request a free upgrade. Don't worry, I also asked for the software download this way before composing this article.
Okay, now let's move to the main part of the article. 🙂
Upgrading Cisco ASA Software
Verify Storage Space
First things first: check the available storage space on your Cisco ASA so that you can upload the new software without running out of room. We will also give iNET9 readers a bonus on upgrading ASDM while we are at it. Excited? 😀
CiscoASA# show flash: | include free
255426560 bytes total (89412176 bytes free)
CiscoASA#
As you can see from the output above, I have about 89 MB available, which is enough for the two files transferred below (about 15 MB for the ASA image and 27 MB for ASDM). If you do not have enough space, remove some junk, typically old images that are no longer referenced by a boot system or asdm image line.
Transfer Software to Cisco ASA
Now let's have a look at the output below from the Cisco ASA, showing the software and ASDM versions it currently runs.
CiscoASA# show version | include image
System image file is "disk0:/asa821-k8.bin"
CiscoASA# show asdm image
Device Manager image file, disk0:/asdm-524.bin
CiscoASA#
Here is the information on my new software and ASDM along with the IP of the FTP server. You can use any method you like to transfer the files to the Cisco ASA; in my case, I will use FTP. Keep in mind that FTP sends the username and password in cleartext, so only do this over a trusted management network, or use a secure alternative such as SCP where your release supports it. Also note that files on flash are not replicated between failover units: both units must boot the new image, so repeat the transfer on the standby unit as well (log in to it directly, or run the copy from its console).
- FTP Server: 172.16.77.1
- ASA Software: asa825-52-k8.bin
- ASDM: asdm-733.bin
Let's transfer the ASA software first.
CiscoASA# copy ftp://seyma:[email protected]/asa825-52-k8.bin flash:
Address or name of remote host [172.16.77.1]?
Source username [seyma]?
Source password [password]?
Source filename [asa825-52-k8.bin]?
Destination filename [asa825-52-k8.bin]?
Accessing ftp://seyma:[email protected]/asa825-52-k8.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa825-52-k8.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15464448 bytes copied in 21.750 secs (736402 bytes/sec)
CiscoASA#
Now transfer the ASDM image.
CiscoASA# copy ftp://seyma:[email protected]/asdm-733.bin flash:
Address or name of remote host [172.16.77.1]?
Source username [seyma]?
Source password [password]?
Source filename [asdm-733.bin]?
Destination filename [asdm-733.bin]?
Accessing ftp://seyma:[email protected]/asdm-733.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-733.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27289072 bytes copied in 41.60 secs (665587 bytes/sec)
CiscoASA#
- Configure Cisco ASA to run new software
After you have successfully transferred both the software and the ASDM image to your Cisco ASA, tell it which files to run. Two things are worth checking first. The ASA tries its boot system entries in the order they are listed and boots the first image it finds, so if the running configuration still contains a boot system line for the old image (check with show bootvar), remove it with no boot system disk0:/asa821-k8.bin, or the box will simply come back on the old release after the reload. And before trusting a freshly copied image, compare its checksum with the one published on the Cisco download page (verify /md5 disk0:/asa825-52-k8.bin); a truncated or corrupted transfer is much cheaper to discover now than at reload time.
CiscoASA# configure terminal
CiscoASA(config)# boot system flash:/asa825-52-k8.bin
INFO: Converting flash:/asa825-52-k8.bin to disk0:/asa825-52-k8.bin
CiscoASA(config)# asdm image flash:/asdm-733.bin
CiscoASA(config)# exit
CiscoASA# copy running-config startup-config
Source filename [running-config]?
Cryptochecksum: 1661a7ce 88cbc54b a6d80f14 89fdc7ac
2735 bytes copied in 3.490 secs (911 bytes/sec)
CiscoASA#
Sweet! You have told your Cisco ASA to run the new software, but it does not take effect until the box reloads. Since the boot system and asdm image lines are part of the configuration, saving on the active unit also replicates them to the standby unit; the image files themselves, as noted above, must already be present on each unit's flash.
- Doing the Upgrade
So, to avoid any network interruption, issue the command below on the Active ASA to reload the Standby box first.
CiscoASA# failover reload-standby
Wait a few minutes for the Standby box to reboot. When it comes back with the status "Standby Ready", check in show failover that the Mate version is now the new release (if it still shows the old one, the standby booted the old image and you should fix its boot entry before going on). Then force the current Active unit into the Standby role with the command below.
CiscoASA# no failover active
You can use "show failover" to verify the Active/Standby state. After the Standby has taken over the Active role and traffic is flowing through it, reboot the previous Active box (which is now Standby) with the following command, on that box's own console:
CiscoASA# reload
When it comes back as "Standby Ready", you can move the Active role back to it by using:
CiscoASA# failover active
Again, use "show failover" to verify the Active/Standby state of both ASA boxes; the Ours and Mate versions it reports should now both be the new release.
That's it! You have now upgraded your Cisco ASA pair without any downtime. One caveat on what "zero downtime" means here: the firewall never stopped forwarding, but existing connections survive the two failovers only if stateful failover (a state link) is configured; with stateless failover they are reset at each switchover and clients have to reconnect.
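The sequence above stays hitless only because every step is gated on show failover: reloading a unit that is still Active, or handing over to a mate that is not yet "Standby Ready", is exactly how an upgrade turns into an outage. The Python below is an added example written for this article, not Cisco code or a tool from the original post. It parses the relevant lines of show failover output and returns the next command of the hitless sequence for the unit you are logged in to, or a reason to wait or stop. The show failover text embedded in it is constructed to match the 8.2(1) to 8.2(5) scenario of this article, with addresses and timers made up for the sample; the parser assumes the "This host: ... - ...", "Other host: ... - ..." and "Version: Ours ..., Mate ..." line formats of 8.x output and treats any state it does not know as a reason to wait.

```python
import re
from dataclasses import dataclass


@dataclass
class FailoverState:
    failover_on: bool
    this_role: str    # "Primary" or "Secondary"
    this_state: str   # "Active", "Standby Ready", "Failed", ...
    other_role: str
    other_state: str
    ours: str         # software version of this unit, e.g. "8.2(1)"
    mate: str         # software version of the peer, or "Unknown"


# Line formats assumed from 8.x "show failover" output.
_HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
_VER_RE = re.compile(r"^\s*Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)\s*$")


def parse_show_failover(text: str) -> FailoverState:
    """Pull unit roles, states and versions out of 'show failover' output."""
    fields = {"failover_on": False, "ours": "Unknown", "mate": "Unknown"}
    for line in text.splitlines():
        if line.strip() == "Failover On":
            fields["failover_on"] = True
            continue
        m = _HOST_RE.match(line)
        if m:
            side = "this" if m.group(1) == "This" else "other"
            fields[side + "_role"], fields[side + "_state"] = m.group(2), m.group(3)
            continue
        m = _VER_RE.match(line)
        if m:
            fields["ours"], fields["mate"] = m.group(1), m.group(2)
    missing = {"this_role", "this_state", "other_role", "other_state"} - set(fields)
    if missing:
        raise ValueError(f"show failover output lacks {sorted(missing)}")
    return FailoverState(**fields)


def next_command(state: FailoverState, target: str) -> str:
    """Next step of the hitless upgrade for the unit that produced 'state'.

    Returns one of the article's commands, 'done', or a 'wait: ...' / 'stop: ...'
    message.  A plain reload is only ever suggested for a unit in 'Standby Ready'.
    """
    if not state.failover_on:
        return "stop: failover is off on this unit"
    if state.other_state not in ("Active", "Standby Ready"):
        return f"wait: mate is '{state.other_state}'"   # rebooting, syncing, failed
    ours_new, mate_new = state.ours == target, state.mate == target
    if state.this_state == "Active":
        if not mate_new:
            return "failover reload-standby"       # the standby still runs old code
        if not ours_new:
            return "no failover active"            # standby upgraded: hand over
        return "done"
    if state.this_state == "Standby Ready":
        if not ours_new:
            return "reload"                        # old code, and we are not active
        # Upgraded standby: take over if the mate is still old (same effect as
        # 'no failover active' on the mate) or to put the Primary back in charge.
        if not mate_new or state.this_role == "Primary":
            return "failover active"
        return "done"
    return f"wait: this unit is '{state.this_state}'"


# Constructed sample of 'show failover' at the start of the procedure, 8.2(1) on
# both units; addresses and timers are made up for this example.
SAMPLE_START = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 09:12:31 UTC Oct 10 2014
        This host: Primary - Active
                Active time: 864000 (sec)
                  Interface outside (203.0.113.2): Normal
                  Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (203.0.113.3): Normal
                  Interface inside (192.168.1.2): Normal
"""
# Later snapshots of the same procedure, derived from the first one.
SAMPLE_MATE_RELOADING = SAMPLE_START.replace("Mate 8.2(1)", "Mate Unknown") \
    .replace("Secondary - Standby Ready", "Secondary - Failed")
SAMPLE_MATE_UPGRADED = SAMPLE_START.replace("Mate 8.2(1)", "Mate 8.2(5)")
SAMPLE_AFTER_SWITCH = SAMPLE_MATE_UPGRADED \
    .replace("Primary - Active", "Primary - Standby Ready") \
    .replace("Secondary - Standby Ready", "Secondary - Active")
SAMPLE_AFTER_RELOAD = SAMPLE_AFTER_SWITCH.replace("Ours 8.2(1)", "Ours 8.2(5)")
SAMPLE_FINAL = SAMPLE_START.replace("8.2(1)", "8.2(5)")

if __name__ == "__main__":
    for name, snap in [("start", SAMPLE_START), ("mate reloading", SAMPLE_MATE_RELOADING),
                       ("mate upgraded", SAMPLE_MATE_UPGRADED), ("after switch", SAMPLE_AFTER_SWITCH),
                       ("after reload", SAMPLE_AFTER_RELOAD), ("final", SAMPLE_FINAL)]:
        print(f"{name:15s} -> {next_command(parse_show_failover(snap), '8.2(5)')}")
```

Walked through the six snapshots from the Primary's point of view, the checker answers failover reload-standby, wait (while the mate shows Failed), no failover active, reload, failover active and finally done, which is the order of the article. The one deliberate deviation is that it never emits reload for a unit whose own state is Active, whatever the versions say; that is the mistake the gating exists to prevent.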
Cool? Drop us a comment or feedback.
Thanks for finally talking about "Zero Downtime Upgrades on Cisco ASA Failover Pairs – iNET9". Loved it!