Updating Cisco ASA HA Cluster

Last week I updated a Cisco ASA HA cluster as part of a customer project. The customer runs about 200 EasyVPN and IPsec site-to-site VPN connections, and our goal was to update the HA cluster without an interruption. The installed firmware was 8.6(1)2 and we wanted to go straight to 9.4(2)11. I used two notebooks, each connected directly to the console port of one unit. After copying the image from TFTP to flash we got the message "No Cfg structure found in downloaded image file": version 8.6 cannot handle the file format of the 9.4 image. So we had to insert a stopover and installed version 9.1.3 first, then 9.4.2. Here is the upgrade-path table for planning your own upgrade:

 

| Current ASA image | First upgrade to | Then upgrade to |
|---|---|---|
| 8.2.x | 8.4.6 | 8.4.7 or later, or 9.1.3 or later |
| 8.3.x | 8.4.6 | 8.4.7 or later, or 9.1.3 or later |
| 8.4.1 through 8.4.4.10 | 8.4.6 or 9.0.2 | 8.4.7 or later, or 9.1.3 or later |
| 8.5.x | 9.0.2 | 9.1.3 or later |
| 8.6.1 | 9.0.2 | 9.1.3 or later |
| 9.0.1 | 9.0.2 | 9.1.3 or later |
| 9.0.1.1 and later (including 9.0.2 and later) | Not applicable | 9.1.3 or later |
| 9.1.1 | 9.1.2 | 9.1.3 or later |
| 9.1.1.1 and later | Not applicable | 9.1.3 or later |

The following table shows the update steps for a Cisco ASA HA cluster. If you have to insert a stopover, repeat steps 3 to 10 for the intermediate image:

| Step | Cisco ASA primary | Cisco ASA secondary |
|---|---|---|
| 1 | Save the configuration (write memory) and document it (pager lines 0; show run) | |
| 2 | View the boot variables (show bootvar) | |
| 3 | Copy the firmware image and the ASDM image from TFTP to flash (copy tftp flash) | |
| 4 | Set the primary unit to standby (no failover active); the secondary becomes the active unit | |
| 5 | Set the boot image and the ASDM image (delete the old "boot system xxx" entry and configure the new image to boot) | |
| 6 | reload | |
| 7 | Check the HA cluster status (show failover state) | |
| 8 | Make the primary unit active again (failover active) | |
| 9 | | Repeat steps 2 to 6 |
| 10 | | Save the configuration (write memory) |
| 11 | Restart the secondary unit (failover reload-standby) | |
| 12 | Check the HA cluster status (show failover state) | |
| 13 | Save the configuration (write memory) and document it (pager lines 0; show run) | |
| 14 | Compare both configurations (the one documented before the upgrade and the current one with the new firmware; Notepad++ works well for this) | |

 

There are several different failover states. These are the ones you will see in show failover state during the procedure.

One unit is down or rebooting:

This host – Primary, Active
Other host – Secondary, Failed

While the standby unit is syncing:

This host – Primary, Active
Other host – Secondary, Bulk Sync

Cluster running in a good state:

This host – Primary, Active
Other host – Secondary, Standby Ready
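The checks behind steps 7, 12 and 14 of the procedure, and the states listed above, can be verified mechanically instead of by eye. The following Python script is an added example written for this page, not the author's tooling: it parses captured show failover state output into a per-unit (role, state) pair, reports whether the pair is in the good state (one unit Active, the other Standby Ready, whichever of the two is the primary at that moment), and diffs two saved configurations while ignoring the lines that always change (Cryptochecksum, ": Written by", "ASA Version") and separating the expected boot system / asdm image changes from everything else. The show failover state text and both configurations are constructed samples, and the image and ASDM file names in them are assumptions; the post does not give them.

```python
import difflib
import re

# Failover states Cisco documents for "show failover state". Sorted longest
# first so that prefix matching returns "Standby Ready" rather than a shorter match.
KNOWN_STATES = sorted(
    ["Active", "Standby Ready", "Failed", "Negotiation", "Sync Config",
     "Sync File System", "Bulk Sync", "Cold Standby", "Disabled",
     "Not Detected", "Just Active"],
    key=len, reverse=True,
)

HOST_RE = re.compile(r"^\s*(This host|Other host)\s+-\s+(\S+)")


def parse_failover_state(output):
    """Parse the text of `show failover state` into
    {"This host": (role, state), "Other host": (role, state)}.
    The state is printed on the line after the host line, in front of the
    'Last Failure Reason' column."""
    lines = output.splitlines()
    parsed = {}
    for i, line in enumerate(lines):
        m = HOST_RE.match(line)
        if not m:
            continue
        host, role = m.group(1), m.group(2)
        state = "Unknown"
        if i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            state = next((s for s in KNOWN_STATES if nxt.startswith(s)), "Unknown")
        parsed[host] = (role, state)
    return parsed


def cluster_healthy(parsed):
    """The good state from the post: one unit Active, the other Standby Ready.
    Which unit is the primary does not matter (after step 4 the primary is the standby)."""
    return sorted(state for _, state in parsed.values()) == ["Active", "Standby Ready"]


# Lines that always differ between two saved configs and only add noise to a diff.
VOLATILE_RE = re.compile(r"^(Cryptochecksum:|: Saved|: Written by|: Hardware:|ASA Version |!$)")
# Lines the upgrade is expected to change (step 5, and step 9 on the secondary).
EXPECTED_RE = re.compile(r"^(boot system |asdm image )")


def normalize_config(text):
    """Drop blank, comment and volatile lines so only real configuration remains."""
    return [l.rstrip() for l in text.splitlines()
            if l.strip() and not VOLATILE_RE.match(l.strip())]


def config_drift(before, after):
    """Diff two saved configs (step 14). Returns (expected, unexpected) lists of
    unified-diff lines; an empty 'unexpected' list means nothing changed apart
    from the image references."""
    diff = difflib.unified_diff(normalize_config(before), normalize_config(after),
                                lineterm="", n=0)
    changes = [l for l in diff
               if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    expected = [l for l in changes if EXPECTED_RE.match(l[1:])]
    unexpected = [l for l in changes if not EXPECTED_RE.match(l[1:])]
    return expected, unexpected


# --- constructed sample data (not captured from the customer's cluster) ---
STATE_GOOD = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             09:21:50 UTC Mar 7 2016

====Configuration State===
\tSync Done
====Communication State===
\tMac set
"""

STATE_REBOOTING = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             10:41:03 UTC Mar 7 2016
"""

# Image and ASDM file names below are assumptions; the post does not name them.
CONFIG_BEFORE = """\
: Saved
: Written by admin at 10:02:11.000 CET Mon Mar 7 2016
!
ASA Version 8.6(1)2
!
hostname asa-primary
boot system disk0:/asa861-2-smp-k8.bin
asdm image disk0:/asdm-647.bin
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA
Cryptochecksum:0a1b2c3d4e5f60718293a4b5c6d7e8f9
: end
"""

CONFIG_AFTER = """\
: Saved
: Written by admin at 14:37:52.000 CET Mon Mar 7 2016
!
ASA Version 9.4(2)11
!
hostname asa-primary
boot system disk0:/asa942-11-smp-k8.bin
asdm image disk0:/asdm-751.bin
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA
Cryptochecksum:f9e8d7c6b5a49382716053f4e2d1c0b0
: end
"""

if __name__ == "__main__":
    for name, text in (("good", STATE_GOOD), ("rebooting", STATE_REBOOTING)):
        units = parse_failover_state(text)
        print(name, units, "healthy" if cluster_healthy(units) else "NOT healthy")
    expected, unexpected = config_drift(CONFIG_BEFORE, CONFIG_AFTER)
    print("expected changes:", *expected, sep="\n  ")
    print("unexpected drift:", *unexpected, sep="\n  ")
```

Run it after each reload in place of reading show failover state by eye: cluster_healthy() must be true before you type failover active (step 8) or failover reload-standby (step 11), and it stays false while the other unit reports Failed or Bulk Sync. For step 14, paste the two show run captures in; in the constructed sample the access-list line that exists only in the old configuration shows up as unexpected drift, which is exactly the kind of line you want to read before declaring the upgrade finished.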

After updating the Cisco ASA cluster (including the unexpected stopover) all VPN tunnels were still working fine; nobody had a disconnect 🙂
