How upgrade ASA failover pair with zero downtime

Scenario

You need to upgrade software on ASA pair with no downtime.

1. Load the image on both units’ disk0: using ASDM and verify the MD5 key.
2. Change the boot variable

conf t
boot system disk0:/asa917-19-k8.bin

1 2	conf t boot system disk0:/asa917-19-k8.bin

3. Save the config with that change. This will be saved on both units.
4. From the active unit issue:

failover reload-standby

1	failover reload-standby

5. Wait for successful reload and verify configuration is synced OK. Expect a message that mate software version is different.

6. From the active unit issue:

no failover active

1	no failover active

7. Log into newly active unit and issue:

failover reload-standby

1	failover reload-standby

8. Wait for successful reload and verify configuration is synced OK. Both units are now on asa917-19-k8.bin.

ASA pair upgrade completed without downtime.

Refererence:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html