Upgrade an Active/Active Failover Pair Using the CLI
To upgrade two units in an Active/Active failover configuration, perform the following steps on the Firepower 1000 or 2100 in Appliance mode.
Before you begin
Perform these steps on the primary unit.
Perform these steps in the system execution space.
Procedure
Step 1
On the primary unit in privileged EXEC mode, copy the ASA software to flash memory:
asa/act/pri# copy ftp://username:password@ip-address/cisco-asa-fp1k.9.14.1.SPA disk0:/cisco-asa-fp1k.9.14.1.SPA
Step 2
Copy the software to the secondary unit; be sure to specify the same path as for the primary unit:
asa/act/pri# failover exec mate copy /noconfirm ftp://username:password@ip-address/cisco-asa-fp1k.9.14.1.SPA disk0:/cisco-asa-fp1k.9.14.1.SPA
Step 3
Copy the ASDM image to the primary unit flash memory:
asa/act/pri# copy ftp://username:password@ip-address/asdm-7141.bin disk0:/asdm-7141.bin
Step 4
Copy the ASDM image to the secondary unit; be sure to specify the same path as for the primary unit:
asa/act/pri# failover exec mate copy /noconfirm ftp://username:password@ip-address/asdm-7141.bin disk0:/asdm-7141.bin
Step 5
If you are not already in global configuration mode, access global configuration mode:
configure terminal
Step 6
Show the current boot image configured, if present.
show running-config boot system
Note that you may not have a boot system command present in your configuration; for example, if you installed the image from ROMMON, have a new device, or you removed the command manually.
Example:
ciscoasa(config)# show running-config boot system
boot system disk0:/cisco-asa-fp1k.9.13.1.SPA
Step 7
If you have a boot system command configured, remove it so that you can enter the new boot image.
If you did not have a boot system command configured, skip this step.
ciscoasa(config)# no boot system disk0:/cisco-asa-fp1k.9.13.1.SPA
Step 8
Set the ASA image to boot (the one you just uploaded).
You can only enter a single boot system command. The boot system command performs an action when you enter it: the system validates and unpacks the image and copies it to the boot location (an internal location on disk0 managed by FXOS). The new image will load when you reload the ASA. If you change your mind prior to reloading, you can enter the no boot system command to delete the new image from the boot location, so the current image continues to run.
ciscoasa(config)# boot system disk0:/cisco-asa-fp1k.9.14.1.SPA
The system is currently installed with security software package 9.13.1, which has:
- The platform version: 2.7.1
- The CSP (asa) version: 9.13.1
Preparing new image for install...
!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Installation of version 9.14.1 will do the following:
- upgrade to the new platform version 2.8.1
- upgrade to the CSP ASA version 9.14.1
After the installation is complete, reload to apply the new image.
Finalizing image install process...
Install_status: ready...........
Install_status: validating-images.....
Install_status: update-software-pack-completed
ciscoasa(config)#
Step 9
Set the ASDM image to use (the one you just uploaded).
asa/act/pri(config)# asdm image disk0:/asdm-7141.bin
You can only configure one ASDM image to use; in this case you do not need to first remove the existing configuration.
Step 10
Save the new settings to the startup configuration.
write memory
These configuration changes are automatically saved on the secondary unit.
Step 11
Make both failover groups active on the primary unit.
asa/act/pri(config)# failover active group 1
asa/act/pri(config)# failover active group 2
Step 12
Reload the secondary unit to boot the new image:
failover reload-standby
Wait for the secondary unit to finish loading. Use the show failover command to verify that both failover groups are in the Standby Ready state.
Step 13
Force both failover groups to become active on the secondary unit:
asa/act/pri(config)# no failover active group 1
asa/act/pri(config)# no failover active group 2
asa/stby/pri(config)#
If you are disconnected from your SSH session, reconnect to the failover group 1 IP address, now on the secondary unit.
Step 14
Reload the primary unit:
asa/act/sec# failover reload-standby
Note
If you are connected to the primary unit console port, you should instead enter the reload command to reload the primary unit.
You may be disconnected from your SSH session.
Step 15
If the failover groups are configured with the preempt command, they automatically become active on their designated unit after the preempt delay has pass
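The readiness check from Step 12, written as an added example that is not part of the original procedure or Cisco's tooling: a Python gate that parses saved show failover output and allows Step 13 only when both groups on the other unit report Standby Ready. The sample output is constructed, and the function names parse_group_states and mate_ready are hypothetical.

```python
import re

# Constructed sample, laid out like the "This host"/"Other host" section of
# show failover on an Active/Active pair; not captured from a real device.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
  This host:    Primary
  Group 1       State:          Active
                Active time:    2896 (sec)
  Group 2       State:          Active
                Active time:    2890 (sec)
  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Bulk Sync
                Active time:    0 (sec)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\S+)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")


def parse_group_states(text):
    """Return {"this": {1: state, ...}, "other": {...}} from show failover text."""
    states, current = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1).lower()
            states[current] = {}
            continue
        group = GROUP_RE.match(line)
        if group and current is not None:
            states[current][int(group.group(1))] = group.group(2)
    return states


def mate_ready(text, groups=(1, 2)):
    """True only if every failover group on the other host is Standby Ready."""
    other = parse_group_states(text).get("other", {})
    # A missing group or missing "Other host" section fails closed.
    return all(other.get(g) == "Standby Ready" for g in groups)


if __name__ == "__main__":
    print(parse_group_states(SAMPLE_SHOW_FAILOVER))
    print("safe to fail over:", mate_ready(SAMPLE_SHOW_FAILOVER))
```

With the constructed sample, group 2 on the secondary is still synchronizing, so the gate returns False and the failover in Step 13 should wait.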
https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#concept_lhx_vvn_kkb