How to upgrade an ASA failover pair with zero downtime

Scenario

You need to upgrade the software on an ASA failover pair with no downtime.

Solution

1. Load the image onto disk0: on both units using ASDM and verify the MD5 checksum.
2. Change the boot variable

3. Save the config with that change. This will be saved on both units.
4. From the active unit issue:

5. Wait for a successful reload and verify that the configuration has synced. Expect a message that the mate's software version is different.

6. From the active unit issue:

7. Log into the newly active unit and issue:

8. Wait for a successful reload and verify that the configuration has synced. Both units are now on asa917-19-k8.bin.
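
The checks in steps 5 and 8 can be scripted. The following is an added example, not part of the original procedure: it parses `show failover` output captured from the active unit and refuses the step 6 role switch unless the mate is healthy and already on the new image. The `show failover` command, the version string 9.1(7)19 for asa917-19-k8.bin, and the sample output are assumptions made for the example.

```python
import re

TARGET = "9.1(7)19"  # assumed version string reported for asa917-19-k8.bin

# Constructed sample: `show failover` on the active unit after step 5.
AFTER_STEP_5 = """\
Failover On
Failover unit Primary
Version: Ours 9.1(7)16, Mate 9.1(7)19
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

def parse_show_failover(text):
    """Pull failover status, versions and unit states out of the output."""
    ver = re.search(r"Version: Ours ([^,\s]+), Mate (\S+)", text)
    this = re.search(r"This host: \w+ - (.+)", text)
    other = re.search(r"Other host: \w+ - (.+)", text)
    if not (ver and this and other):
        raise ValueError("unrecognised show failover output")
    return {
        "enabled": re.search(r"^Failover On\s*$", text, re.M) is not None,
        "ours": ver.group(1),
        "mate": ver.group(2),
        "this": this.group(1).strip(),
        "other": other.group(1).strip(),
    }

def safe_to_switch(text, target=TARGET):
    """Gate for step 6: return (ok, reasons) before giving up the active role."""
    s = parse_show_failover(text)
    reasons = []
    if not s["enabled"]:
        reasons.append("failover is not enabled")
    if s["this"] != "Active":
        reasons.append("run this check from the active unit")
    if s["other"] != "Standby Ready":
        reasons.append(f"mate is '{s['other']}', not 'Standby Ready'")
    if s["mate"] != target:
        reasons.append(f"mate runs {s['mate']}, expected {target}")
    return (not reasons, reasons)

def upgrade_complete(text, target=TARGET):
    """Check for step 8: both units report the target version and are healthy."""
    s = parse_show_failover(text)
    return (s["enabled"] and s["ours"] == s["mate"] == target
            and {s["this"], s["other"]} == {"Active", "Standby Ready"})
```

If `safe_to_switch` returns reasons, stop before step 6: switching roles onto a mate that is not in Standby Ready is what turns the upgrade into an outage.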

Result

The ASA pair upgrade completed without downtime.

Reference:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html
