Upgrade the ASA
Upgrade the Firepower 1000/2100 and Secure Firewall 3100/4200
- Upgrade the Firepower 1000, 2100 in Appliance Mode, and Secure Firewall 3100/4200
- Upgrade the Firepower 2100 in Platform Mode
Upgrade the Firepower 4100/9300
Upgrade the ASA 5500-X, ASA Virtual, ASASM, or ISA 3000

Upgrade the ASA

Upgrade the ASA according to the procedures in this document.

Upgrade the Firepower 1000/2100 and Secure Firewall 3100/4200

This document describes how to plan and implement an ASA, FXOS, and ASDM upgrade for standalone, failover, or clustering deployments on the Firepower 1000/2100 and Secure Firewall 3100/4200.

For the Firepower 2100 in 9.12 and earlier, only Platform mode is available. In 9.13 and later, Appliance mode is the default. Check the mode by using the show fxos mode command at the ASA CLI.

Upgrade the Firepower 1000, 2100 in Appliance Mode, and Secure Firewall 3100/4200

This document describes how to plan and implement an ASA, FXOS, and ASDM upgrade for standalone or failover deployments for the Firepower 1000, 2100 in Appliance mode, and Secure Firewall 3100/4200. Prior to version 9.13, the Firepower 2100 only supported Platform mode. In 9.14 and later, Appliance mode is the default. In 9.14 and later, use the show fxos mode command on the ASA to determine your current mode. For Platform mode procedures, see Upgrade the Firepower 2100 in Platform Mode.

Upgrade a Standalone Unit

Use the CLI or ASDM to upgrade the standalone unit.

Upgrade a Standalone Unit Using the CLI

This section describes how to install the ASDM and ASA images on the Firepower 1000, Firepower 2100 in Appliance mode, Secure Firewall 3100/4200.

Before you begin

This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Procedure

Step 1	In global configuration mode, if you previously set a non-default ASDM image, then reset it to the image that came with your image bundle. asdm image disk0:/asdm.bin write memory The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image.
Step 2	In privileged EXEC mode (minimum), copy the ASA software to flash memory. copy ftp://[[`user`[:`password`]@]`server`[/`path`]/`asa_image_name` disk`n`:/[`path`/]`asa_image_name` Example: `ciscoasa# copy ftp://jcrichton:aeryn@10.1.1.1/cisco-asa-fp1k.9.14.1.SPA disk0:/cisco-asa-fp1k.9.14.1.SPA`
Step 3	Access global configuration mode. configure terminal Example: `ciscoasa# configure terminal ciscoasa(config)#`
Step 4	Show the current boot image configured, if present. show running-config boot system Note that you may not have a boot system command present in your configuration; for example, if you installed the image from ROMMON, have a new device, or you removed the command manually. Example: `ciscoasa(config)# show running-config boot system boot system disk0:/cisco-asa-fp1k.9.13.1.SPA`
Step 5	If you have a boot system command configured, remove it so that you can enter the new boot image. no boot system disk`n`:/[`path`/]`asa_image_name` If you did not have a boot system command configured, skip this step. Example: `ciscoasa(config)# no boot system disk0:/cisco-asa-fp1k.9.13.1.SPA`
Step 6	Set the ASA image to boot (the one you just uploaded). boot system disk`n`:/[`path`/]`asa_image_name` You can only enter a single boot system command. The boot system command performs an action when you enter it: the system validates and unpacks the image and copies it to the boot location (an internal location on disk0 managed by FXOS). The new image will load when you reload the ASA. If you change your mind prior to reloading, you can enter the no boot system command to delete the new image from the boot location, so the current image continues to run. Example: ciscoasa(config)# boot system disk0:/cisco-asa-fp1k.9.14.1.SPA The system is currently installed with security software package 9.13.1, which has: - The platform version: 2.7.1 - The CSP (asa) version: 9.13.1 Preparing new image for install... !!!!!!!!!!!!! Image download complete (Successful unpack the image). Installation of version 9.14.1 will do the following: - upgrade to the new platform version 2.8.1 - upgrade to the CSP ASA version 9.14.1 After the installation is complete, reload to apply the new image. Finalizing image install process... Install_status: ready........... Install_status: validating-images..... Install_status: update-software-pack-completed ciscoasa(config)#
Step 7	Save the new settings to the startup configuration: write memory
Step 8	Reload the ASA: reload

Upgrade a Standalone Unit from Your Local Computer Using ASDM

The Upgrade Software from Local Computer tool lets you upload an image file from your computer to the flash file system to upgrade the ASA for the Firepower 1000, Firepower 2100 in Appliance mode, Secure Firewall 3100/4200.

Procedure

Step 1	If you previously set a non-default ASDM image, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. In the main ASDM application window, choose Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. For the ASDM Image File Path, enter disk0:/asdm.bin. Click Apply.
Step 2	In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
Step 3	From the Image to Upload drop-down list, choose ASA.
Step 4	In the Local File Path field, click Browse Local Files to find the file on your PC.
Step 5	In the Flash File System Path field, click Browse Flash to find the directory or file in the flash file system.
Step 6	Click Upload Image. The uploading process might take a few minutes.
Step 7	You are prompted to set this image as the ASA image. Click Yes.
Step 8	You are reminded to reload the ASA to use the new image. Click OK. You exit the Upgrade tool.
Step 9	Choose Tools > System Reload to reload the ASA. A new window appears that asks you to verify the details of the reload. Click the Save the running configuration at the time of reload radio button (the default). Choose a time to reload (for example, Now, the default). Click Schedule Reload. Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
Step 10	After the ASA reloads, restart ASDM. You can check the reload status from a console port, or you can wait a few minutes and try to connect using ASDM until you are successful.

Upgrade a Standalone Unit Using the ASDM Cisco.com Wizard

The Upgrade Software from Cisco.com Wizard lets you automatically upgrade the ASDM and ASA to more current versions for the Firepower 1000, Firepower 2100 in Appliance mode, Secure Firewall 3100.

In this wizard, you can do the following:

Choose an ASA image file and/or ASDM image file to upgrade.

Note

ASDM downloads the latest image version, which includes the build number. For example, if you are downloading 9.9(1), the download might be 9.9(1.2). This behavior is expected, so you can proceed with the planned upgrade.

Review the upgrade changes that you have made.
Download the image or images and install them.
Review the status of the installation.
If the installation completed successfully, reload the ASA to save the configuration and complete the upgrade.

Before you begin

Due to an internal change, the wizard is only supported using ASDM 7.10(1) and later; also, due to an image naming change, you must use ASDM 7.12(1) or later to upgrade to ASA 9.10(1) and later. Because ASDM is backwards compatible with earlier ASA releases, you can upgrade ASDM no matter which ASA version you are running.

Procedure

Step 1

Choose Tools > Check for ASA/ASDM Updates.

In multiple context mode, access this menu from the System.

The Cisco.com Authentication dialog box appears.

Step 2

Enter your Cisco.com username and password, and then click Login.

The Cisco.com Upgrade Wizard appears.

Note

If there is no upgrade available, a dialog box appears. Click OK to exit the wizard.

Step 3

Click Next to display the Select Software screen.

The current ASA version and ASDM version appear.

Step 4

To upgrade the ASA version and ASDM version, perform the following steps:

In the ASA area, check the Upgrade to check box, and then choose an ASA version to which you want to upgrade from the drop-down list.
In the ASDM area, check the Upgrade to check box, and then choose an ASDM version to which you want to upgrade from the drop-down list.

Step 5

Click Next to display the Review Changes screen.

Step 6

Verify the following items:

The ASA image file and/or ASDM image file that you have downloaded are the correct ones.
The ASA image file and/or ASDM image file that you want to upload are the correct ones.
The correct ASA boot image has been selected.

Step 7

Click Next to start the upgrade installation.

You can then view the status of the upgrade installation as it progresses.

The Results screen appears, which provides additional details, such as the upgrade installation status (success or failure).

Step 8

If the upgrade installation succeeded, for the upgrade versions to take effect, check the Save configuration and reload device now check box to restart the ASA, and restart ASDM.

Step 9

Click Finish to exit the wizard and save the configuration changes that you have made.

Note

To upgrade to the next higher version, if any, you must restart the wizard.

Step 10

After the ASA reloads, restart ASDM.

You can check the reload status from a console port, or you can wait a few minutes and try to connect using ASDM until you are successful.

Upgrade an Active/Standby Failover Pair

Use the CLI or ASDM to upgrade the Active/Standby failover pair for a zero downtime upgrade.

Upgrade an Active/Standby Failover Pair Using the CLI

To upgrade the Active/Standby failover pair for the Firepower 1000, Firepower 2100 in Appliance mode, Secure Firewall 3100/4200, perform the following steps.

Before you begin

Perform these steps on the active unit. For SSH access, connect to the active IP address; the active unit always owns this IP address. When you connect to the CLI, determine the failover status by looking at the ASA prompt; you can configure the ASA prompt to show the failover status and priority (primary or secondary), which is useful to determine which unit you are connected to. See the prompt command. Alternatively, enter the show failover command to view this unit's status and priority (primary or secondary).
This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Procedure

Step 1

On the primary unit in global configuration mode, if you previously set a non-default ASDM image, then reset it to the image that came with your image bundle.

asdm image disk0:/asdm.bin

write memory

The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image.

Step 2

On the active unit in privileged EXEC mode (minimum), copy the ASA software to the active unit flash memory:

copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/act# copy ftp://jcrichton:aeryn@10.1.1.1/cisco-asa-fp1k.9.14.1.SPA disk0:/cisco-asa-fp1k.9.14.1.SPA

Step 3

Copy the software to the standby unit; be sure to specify the same path as for the active unit:

failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/act# failover exec mate copy /noconfirm ftp://jcrichton:aeryn@10.1.1.1/cisco-asa-fp1k.9.14.1.SPA disk0:/cisco-asa-fp1k.9.14.1.SPA

Step 4

If you are not already in global configuration mode, access global configuration mode:

configure terminal

Step 5

Show the current boot image configured, if present.

show running-config boot system

Note that you may not have a boot system command present in your configuration; for example, if you installed the image from ROMMON, have a new device, or you removed the command manually.

Example:


ciscoasa(config)# show running-config boot system
boot system disk0:/cisco-asa-fp1k.9.13.1.SPA

Step 6

If you have a boot system command configured, remove it so that you can enter the new boot image.

no boot system diskn:/[path/]asa_image_name

If you did not have a boot system command configured, skip this step.

Example:


ciscoasa(config)# no boot system disk0:/cisco-asa-fp1k.9.13.1.SPA

Step 7

Set the ASA image to boot (the one you just uploaded).

boot system diskn:/[path/]asa_image_name

You can only enter a single boot system command. The boot system command performs an action when you enter it: the system validates and unpacks the image and copies it to the boot location (an internal location on disk0 managed by FXOS). The new image will load when you reload the ASA. If you change your mind prior to reloading, you can enter the no boot system command to delete the new image from the boot location, so the current image continues to run.

Example:


ciscoasa(config)# boot system disk0:/cisco-asa-fp1k.9.14.1.SPA

The system is currently installed with security software package 9.13.1, which has:
   - The platform version:  2.7.1
   - The CSP (asa) version: 9.13.1
Preparing new image for install...
!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Installation of version 9.14.1 will do the following:
   - upgrade to the new platform version 2.8.1
   - upgrade to the CSP ASA version 9.14.1
After the installation is complete, reload to apply the new image.
Finalizing image install process...
 
Install_status: ready...........
Install_status: validating-images.....
Install_status: update-software-pack-completed
ciscoasa(config)#

Step 8

Save the new settings to the startup configuration:

write memory

These configuration changes are automatically saved on the standby unit.

Step 9

Reload the standby unit to boot the new image:

failover reload-standby

Wait for the standby unit to finish loading. Use the show failover command to verify that the standby unit is in the Standby Ready state.

Step 10

Force the active unit to fail over to the standby unit.

no failover active

If you are disconnected from your SSH session, reconnect to the main IP address, now on the new active/former standby unit.

Step 11

From the new active unit, reload the former active unit (now the new standby unit).

failover reload-standby

Example:


asa/act# failover reload-standby

Note

If you are connected to the former active unit console port, you should instead enter the reload command to reload the former active unit.

Upgrade an Active/Standby Failover Pair Using ASDM

The Upgrade Software from Local Computer tool lets you upload an image file from your computer to the flash file system to upgrade the Active/Standby failover pair for the Firepower 1000, Firepower 2100 in Appliance mode, Secure Firewall 3100/4200.

Procedure

Step 1	Launch ASDM on the standby unit by connecting to the standby IP address.
Step 2	In the main ASDM application window, choose Tools > Upgrade Software from Local Computer. The Upgrade Software dialog box appears.
Step 3	From the Image to Upload drop-down list, choose ASA.
Step 4	In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 5	In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 6	Click Upload Image. The uploading process might take a few minutes. When you are prompted to set this image as the ASA image, click No. You exit the Upgrade tool.
Step 7	Connect ASDM to the active unit by connecting to the main IP address.
Step 8	If you previously set a non-default ASDM image, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. Choose Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. For the ASDM Image File Path, enter disk0:/asdm.bin. Click Apply.
Step 9	Upload the ASA software, using the same file location you used on the standby unit.
Step 10	When you are prompted to set the image as the ASA image, click Yes. You are reminded to reload the ASA to use the new image. Click OK. You exit the Upgrade tool.
Step 11	Click the Save icon on the toolbar to save your configuration changes. These configuration changes are automatically saved on the standby unit.
Step 12	Reload the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Reload Standby. Stay on the System pane to monitor when the standby unit reloads.
Step 13	After the standby unit reloads, force the active unit to fail over to the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Make Standby. ASDM will automatically reconnect to the new active unit.
Step 14	Reload the (new) standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Reload Standby.

Upgrade an Active/Active Failover Pair

Use the CLI or ASDM to upgrade the Active/Active failover pair for a zero downtime upgrade.

Upgrade an Active/Active Failover Pair Using the CLI

To upgrade two units in an Active/Active failover configuration, perform the following steps on the Firepower 1000, Firepower 2100 in Appliance mode, Secure Firewall 3100/4200.

Before you begin

Perform these steps on the primary unit.
Perform these steps in the system execution space.
This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Procedure

Step 1

On the primary unit in global configuration mode, if you previously set a non-default ASDM image, then reset it to the image that came with your image bundle.

asdm image disk0:/asdm.bin

write memory

Step 2

On the primary unit in privileged EXEC mode (minimum), copy the ASA software to flash memory:

copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Note

ASDM is included in the ASA image.

Example:


asa/act/pri# copy ftp://jcrichton:aeryn@10.1.1.1/cisco-asa-fp1k.9.14.1.SPA disk0:/cisco-asa-fp1k.9.14.1.SPA

Step 3

Copy the software to the secondary unit; be sure to specify the same path as for the primary unit:

failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/act/pri# failover exec mate copy /noconfirm ftp://jcrichton:aeryn@10.1.1.1/cisco-asa-fp1k.9.14.1.SPA disk0:/cisco-asa-fp1k.9.14.1.SPA

Step 4

If you are not already in global configuration mode, access global configuration mode:

configure terminal

Step 5

Show the current boot image configured, if present.

show running-config boot system

Note that you may not have a boot system command present in your configuration; for example, if you installed the image from ROMMON, have a new device, or you removed the command manually.

Example:


ciscoasa(config)# show running-config boot system
boot system disk0:/cisco-asa-fp1k.9.13.1.SPA

Step 6

If you have a boot system command configured, remove it so that you can enter the new boot image.

no boot system diskn:/[path/]asa_image_name

If you did not have a boot system command configured, skip this step.

Example:


ciscoasa(config)# no boot system disk0:/cisco-asa-fp1k.9.13.1.SPA

Step 7

Set the ASA image to boot (the one you just uploaded).

boot system diskn:/[path/]asa_image_name

Example:


ciscoasa(config)# boot system disk0:/cisco-asa-fp1k.9.14.1.SPA

The system is currently installed with security software package 9.13.1, which has:
   - The platform version:  2.7.1
   - The CSP (asa) version: 9.13.1
Preparing new image for install...
!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Installation of version 9.14.1 will do the following:
   - upgrade to the new platform version 2.8.1
   - upgrade to the CSP ASA version 9.14.1
After the installation is complete, reload to apply the new image.
Finalizing image install process...
 
Install_status: ready...........
Install_status: validating-images.....
Install_status: update-software-pack-completed
ciscoasa(config)#

Step 8

Save the new settings to the startup configuration.

write memory

These configuration changes are automatically saved on the secondary unit.

Step 9

Make both failover groups active on the primary unit.

failover active group 1

failover active group 2

Example:


asa/act/pri(config)# failover active group 1
asa/act/pri(config)# failover active group 2

Step 10

Reload the secondary unit to boot the new image:

failover reload-standby

Wait for the secondary unit to finish loading. Use the show failover command to verify that both failover groups are in the Standby Ready state.

Step 11

Force both failover groups to become active on the secondary unit:

no failover active group 1

no failover active group 2

Example:


asa/act/pri(config)# no failover active group 1
asa/act/pri(config)# no failover active group 2
asa/stby/pri(config)#

If you are disconnected from your SSH session, reconnect to the failover group 1 IP address, now on the secondary unit.

Step 12

Reload the primary unit:

failover reload-standby

Example:


asa/act/sec# failover reload-standby

Note

If you are connected to the primary unit console port, you should instead enter the reload command to reload the primary unit.

You may be disconnected from your SSH session.

Step 13

If the failover groups are configured with the preempt command, they automatically become active on their designated unit after the preempt delay has passed.

Upgrade an Active/Active Failover Pair Using ASDM

The Upgrade Software from Local Computer tool lets you upload an image file from your computer to the flash file system to upgrade the Active/Active failover pair for the Firepower 1000, Firepower 2100 in Appliance mode, Secure Firewall 3100/4200.

Before you begin

Perform these steps in the system execution space.
Place the ASA image on your local management computer.

Procedure

Step 1	Launch ASDM on the secondary unit by connecting to the management address in failover group 2.
Step 2	In the main ASDM application window, choose Tools > Upgrade Software from Local Computer. The Upgrade Software dialog box appears.
Step 3	From the Image to Upload drop-down list, choose ASA.
Step 4	In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 5	In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 6	Click Upload Image. The uploading process might take a few minutes. When you are prompted to set this image as the ASA image, click No. You exit the Upgrade tool.
Step 7	Connect ASDM to the primary unit by connecting to the management IP address in failover group 1.
Step 8	If you previously set a non-default ASDM image, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. Choose Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. For the ASDM Image File Path, enter disk0:/asdm.bin. Click Apply.
Step 9	Upload the ASA software, using the same file location you used on the secondary unit.
Step 10	When you are prompted to set the image as the ASA image, click Yes. You are reminded to reload the ASA to use the new image. Click OK. You exit the Upgrade tool.
Step 11	Click the Save icon on the toolbar to save your configuration changes. These configuration changes are automatically saved on the secondary unit.
Step 12	Make both failover groups active on the primary unit by choosing Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move to the primary unit, and clicking Make Active.
Step 13	Reload the secondary unit by choosing Monitoring > Failover > System, and clicking Reload Standby. Stay on the System pane to monitor when the secondary unit reloads.
Step 14	After the secondary unit comes up, make both failover groups active on the secondary unit by choosing Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move to the secondary unit, and clicking Make Standby. ASDM will automatically reconnect to the failover group 1 IP address on the secondary unit.
Step 15	Reload the primary unit by choosing Monitoring > Failover > System, and clicking Reload Standby.
Step 16	If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. ASDM will automatically reconnect to the failover group 1 IP address on the primary unit.

Upgrade an ASA Cluster (Secure Firewall 3100/4200)

Upgrade an ASA Cluster Using the CLI (Secure Firewall 3100/4200)

To upgrade all nodes in an ASA cluster, perform the following steps. This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Before you begin

Perform these steps on the control node. You can configure the ASA prompt to show the cluster node and state (control or data), which is useful to determine which node you are connected to. See the prompt command. Alternatively, enter the show cluster info command to view each node's role.
You must use the console port; you cannot enable or disable clustering from a remote CLI connection.
Perform these steps in the system execution space for multiple context mode.

Procedure

Step 1

On the control node in global configuration mode, if you previously set a non-default ASDM image, then reset it to the image that came with your image bundle.

asdm image disk0:/asdm.bin

write memory

Step 2

On the control node in privileged EXEC mode (minimum), copy the ASA software to all nodes in the cluster.

cluster exec copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/unit1/control# cluster exec copy /noconfirm 
ftp://dwinchester:sam@10.1.1.1/cisco-asa-fp3k.9.19.1.SPA disk0:/cisco-asa-fp3k.9.19.1.SPA

Step 3

If you are not already in global configuration mode, access it now.

configure terminal

Example:


asa/unit1/control# configure terminal
asa/unit1/control(config)#

Step 4

Show the current boot image configured, if present.

show running-config boot system

Note that you may not have a boot system command present in your configuration; for example, if you installed the image from ROMMON, have a new device, or you removed the command manually.

Example:


ciscoasa(config)# show running-config boot system
boot system disk0:/cisco-asa-fp1k.9.17.1.SPA

Step 5

If you have a boot system command configured, remove it so that you can enter the new boot image.

no boot system diskn:/[path/]asa_image_name

If you did not have a boot system command configured, skip this step.

Example:


ciscoasa(config)# no boot system disk0:/cisco-asa-fp1k.9.17.1.SPA

Step 6

Set the ASA image to boot (the one you just uploaded).

boot system diskn:/[path/]asa_image_name

Example:


ciscoasa(config)# boot system disk0:/cisco-asa-fp1k.9.19.1.SPA

The system is currently installed with security software package 9.17.1, which has:
   - The platform version:  2.11.1
   - The CSP (asa) version: 9.17.1
Preparing new image for install...
!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Installation of version 9.19.1 will do the following:
   - upgrade to the new platform version 2.13.1
   - upgrade to the CSP ASA version 9.19.1
After the installation is complete, reload to apply the new image.
Finalizing image install process...
 
Install_status: ready...........
Install_status: validating-images.....
Install_status: update-software-pack-completed
ciscoasa(config)#

Step 7

Save the new settings to the startup configuration:

write memory

These configuration changes are automatically saved on the data nodes.

Step 8

Upgrade the data nodes by reloading.

Note

During the upgrade process, never use the cluster control-node unit command to force a data node to become control; you can cause network connectivity and cluster stability-related problems. You must upgrade and reload all data nodes first, and then continue with this procedure to ensure a smooth transition from the current control node to a new control node.

On the control node, to view member names, enter cluster exec unit ? , or enter the show cluster info command.
Reload a data node.

cluster exec unit data-node reload noconfirm
Example:
```
asa/unit1/control# cluster exec unit node2 reload noconfirm
```
Repeat for each data node.

To avoid connection loss and allow traffic to stabilize, wait for each node to come back up and rejoin the cluster (approximately 5 minutes) before repeating these steps for the next node. To view when a node rejoins the cluster, enter show cluster info .

Step 9

Upgrade the control node by reloading.

Disable clustering. We recommend manually disabling clustering on the control node if possible so that a new control node can be elected as quickly and cleanly as possible.

cluster group name

no enable

Wait for 5 minutes for a new control node to be selected and traffic to stabilize.

Do not save this configuration; you want clustering to be enabled when you reload.
Example:
```
asa/unit1/control(config)# cluster group cluster1
asa/unit1/control(cfg-cluster)# no enable
Cluster disable is performing cleanup..done.
All data interfaces have been shutdown due to clustering being disabled. To recover either enable clustering or remove cluster group configuration.

Cluster unit node1 transitioned from CONTROL to DISABLED
asa/unit1/ClusterDisabled(cfg-cluster)#                        
```
Reload this node.

reload noconfirm

When the former control node rejoins the cluster, it will be a data node.

Upgrade an ASA Cluster Using ASDM (Secure Firewall 3100/4200)

To upgrade all nodes in an ASA cluster, perform the following steps.

Before you begin

Perform these steps on the control node.
Perform these steps in the system execution space for multiple context mode.
Place the ASA image on your local management computer.

Procedure

Step 1

Launch ASDM on the control node by connecting to the main cluster IP address.

This IP address always stays with the control node.

Step 2

If you previously set a non-default ASDM image, then reset it to the image that came with your image bundle.

In the main ASDM application window, choose Configuration > Device Management > System Image/Configuration > Boot Image/Configuration.
For the ASDM Image File Path, enter disk0:/asdm.bin.
Click Apply.

Step 3

In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software from Local Computer dialog box appears.

Step 4

Click the All devices in the cluster radio button.

The Upgrade Software dialog box appears.

Step 5

From the Image to Upload drop-down list, choose ASA.

Step 6

In the Local File Path field, click Browse Local Files to find the file on your computer.

Step 7

(Optional) In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

By default, this field is prepopulated with the following path: disk0:/filename.

Step 8

Click Upload Image. The uploading process might take a few minutes.

Step 9

You are prompted to set this image as the ASA image. Click Yes.

Step 10

You are reminded to reload the ASA to use the new image. Click OK.

You exit the Upgrade tool.

Step 11

Click the Save icon on the toolbar to save your configuration changes.

These configuration changes are automatically saved on the data nodes.

Step 12

Take note of the individual management IP addresses for each node on Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Members so that you can connect ASDM directly to data nodes later.

Step 13

Upgrade the data nodes by reloading.

Note

During the upgrade process, never change the control node using the Monitoring > ASA Cluster > Cluster Summary page to force a data node to become control; you can cause network connectivity and cluster stability-related problems. You must reload all data nodes first, and then continue with this procedure to ensure a smooth transition from the current control node to a new control node.

On the control node, choose Tools > System Reload.
Choose a data node name from the Device drop-down list.
Click Schedule Reload.
Click Yes to continue the reload.
Repeat for each data node.

To avoid connection loss and allow traffic to stabilize, wait for each node to come back up and rejoin the cluster (approximately 5 minutes) before repeating these steps for the next node. To view when a node rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane.

Step 14

Upgrade the control node by reloading.

In ASDM on the control node, choose Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration pane.
Uncheck the Participate in ASA cluster check box, and click Apply.

You are prompted to exit ASDM.
Wait for up to 5 minutes for a new control node to be selected and traffic to stabilize.

When the former control node rejoins the cluster, it will be a data node.
Re-connect ASDM to the former control node by connecting to its individual management IP address that you noted earlier.

The main cluster IP address now belongs to the new control node; this former control node is still accessible on its individual management IP address.
Choose Tools > System Reload.
Click the Reload without saving the running configuration radio button.

You do not want to save the configuration; when this node reloads, you want clustering to be enabled on it.
Click Schedule Reload.
Click Yes to continue the reload.

You are prompted to exit ASDM. Restart ASDM on the main cluster IP address; you will reconnect to the new control node.

Upgrade the Firepower 2100 in Platform Mode

This document describes how to plan and implement an ASA, FXOS, and ASDM upgrade for standalone or failover deployments for the Firepower 2100 in Platform mode. Prior to version 9.13, the Firepower 2100 only supported Platform mode. In 9.14 and later, Appliance mode is the default. In 9.14 and later, use the show fxos mode command on the ASA to determine your current mode. For appliance mode procedures, see Upgrade the Firepower 1000, 2100 in Appliance Mode, and Secure Firewall 3100/4200.

Upgrade a Standalone Unit

Use the FXOS CLI or Firepower Chassis Manager to upgrade the standalone unit.

Upgrade a Standalone Unit Using the Firepower Chassis Manager

This section describes how to upgrade the ASA bundle, which includes both ASA and ASDM, for a standalone unit. You will upload the package from your management computer.

Procedure

Step 1	If you previously set a non-default ASDM image in the ASA configuration, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. In the main ASDM application window, choose Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. For the ASDM Image File Path, enter disk0:/asdm.bin. Click Apply Click the Save icon on the toolbar to save your configuration changes. Quit ASDM.
Step 2	Connect to the Firepower Chassis Manager.
Step 3	Choose System > Updates. The Available Updates area shows a list of the packages available on the chassis.
Step 4	Click Upload Image to upload the new package from your management computer.
Step 5	Click Choose File to navigate to and select the package that you want to upload.
Step 6	Click Upload. The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status. Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image is automatically verified.
Step 7	Click the Upgrade icon to the right of the new package.
Step 8	Click Yes to confirm that you want to proceed with installation. There is no indicator that the new package is being loaded. You will still see the Firepower Chassis Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.

Upgrade a Standalone Unit Using the FXOS CLI

This section describes how to upgrade the ASA bundle, which includes both ASA and ASDM, for a standalone unit. You can use FTP, SCP, SFTP, or TFTP to copy the package to the Firepower 2100 chassis.

Procedure

Step 1	Connect to the FXOS CLI, either the console port (preferred) or using SSH.
Step 2	If you previously set a non-default ASDM image in the ASA configuration, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. Connect to ASA. connect asa Example: `firepower-2100# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. ciscoasa>` Access privileged EXEC mode, and then global configuration mode. enable configure terminal Set the ASDM image. asdm image disk0:/asdm.bin Save the configuration. write memory Return to the FXOS console by entering Ctrl+a, d.
Step 3	In FXOS, download the package to the chassis. Enter firmware mode. scope firmware Example: `firepower-2110# scope firmware firepower-2110 /firmware#` Download the package. download image `url` Specify the URL for the file being imported using one of the following: ftp://`username`@`server`/[`path`/]`image_name` scp://`username`@`server`/[`path`/]`image_name` sftp://`username`@`server`/[`path`/]`image_name` tftp://`server`[:`port`]/[`path`/]`image_name` Example: `firepower-2110 /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA Please use the command 'show download-task' or 'show download-task detail' to check download progress.` Monitor the download process. show download-task Example: `firepower-2110 /firmware # show download Download task: File Name Protocol Server Port Userid State --------- -------- --------------- ---------- --------------- ----- cisco-asa-fp2k.9.8.2.SPA Tftp 10.88.29.181 0 Downloaded cisco-asa-fp2k.9.8.2.2.SPA Tftp 10.88.29.181 0 Downloading firepower-2110 /firmware #`
Step 4	When the new package finishes downloading (Downloaded state), boot the package. View the version number of the new package. show package Example: `firepower-2110 /firmware # show package Name Package-Vers --------------------------------------------- ------------ cisco-asa-fp2k.9.8.2.SPA 9.8.2 cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2 firepower-2110 /firmware #` Install the package. scope auto-install install security-pack version `version` In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots. Example: firepower-2110 /firmware # scope auto-install firepower-2110 /firmware/auto-install # install security-pack version 9.8.3 The system is currently installed with security software package 9.8.2, which has: - The platform version: 2.2.2.52 - The CSP (asa) version: 9.8.2 If you proceed with the upgrade 9.8.3, it will do the following: - upgrade to the new platform version 2.2.2.97 - upgrade to the CSP asa version 9.8.3 During the upgrade, the system will be reboot Do you want to proceed ? (yes/no):yes This operation upgrades firmware and software on Security Platform Components Here is the checklist of things that are recommended before starting Auto-Install (1) Review current critical/major faults (2) Initiate a configuration backup Do you want to proceed? (yes/no):yes Triggered the install of software package version 9.8.3 Install started. This will take several minutes. For monitoring the upgrade progress, please enter 'show' or 'show detail' command. firepower-2110 /firmware/auto-install #
Step 5	Wait for the chassis to finish rebooting (5-10 minutes). Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages: `firepower-2110# Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Verifying signature for cisco-asa.9.8.2.2 ... Verifying signature for cisco-asa.9.8.2.2 ... success Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Cisco ASA starting ... Registering to process manager ... Cisco ASA started successfully. […]`

Upgrade an Active/Standby Failover Pair

Use the FXOS CLI or Firepower Chassis Manager to upgrade the Active/Standby failover pair for a zero downtime upgrade.

Upgrade an Active/Standby Failover Pair Using the Firepower Chassis Manager

This section describes how to upgrade the ASA bundle, which includes both ASA and ASDM, for an Active/Standby failover pair. You will upload the package from your management computer.

Before you begin

You need to determine which unit is active and which is standby: connect ASDM to the active ASA IP address. The active unit always owns the active IP address. Then choose Monitoring > Properties > Failover > Status to view this unit's priority (primary or secondary) so you know which unit you are connected to.

Procedure

Step 1	If you previously set a non-default ASDM image in the ASA configuration, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. Connect to ASDM on the active unit. In the main ASDM application window, choose Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. For the ASDM Image File Path, enter disk0:/asdm.bin. Click Apply Click the Save icon on the toolbar to save your configuration changes. Quit ASDM.
Step 2	Upgrade the standby unit. Connect to the Firepower Chassis Manager on the standby unit. Choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image to upload the new package from your management computer. Click Choose File to navigate to and select the package that you want to upload. Click Upload. The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status. Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image is automatically verified. Click the Upgrade icon to the right of the new package. Click Yes to confirm that you want to proceed with installation. There is no indicator that the new package is being loaded. You will still see the Firepower Chassis Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.
Step 3	Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit. Launch ASDM on the standby unit by connecting to the standby ASA IP address. Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status, and clicking Make Active.
Step 4	Upgrade the former active unit. Connect to the Firepower Chassis Manager on the former active unit. Choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image to upload the new package from your management computer. Click Choose File to navigate to and select the package that you want to upload. Click Upload. The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status. Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image is automatically verified. Click the Upgrade icon to the right of the new package. Click Yes to confirm that you want to proceed with installation. There is no indicator that the new package is being loaded. You will still see the Firepower Chassis Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.

Upgrade an Active/Standby Failover Pair Using the FXOS CLI

This section describes how to upgrade the ASA bundle, which includes both ASA and ASDM, for an Active/Standby failover pair. You can use FTP, SCP, SFTP, or TFTP to copy the package to the Firepower 2100 chassis.

Before you begin

You need to determine which unit is active and which is standby. To determine the failover status, look at the ASA prompt; you can configure the ASA prompt to show the failover status and priority (primary or secondary), which is useful to determine which unit you are connected to. See the prompt command. However, the FXOS prompt is not aware of ASA failover. Alternatively, enter the ASA show failover command to view this unit's status and priority (primary or secondary).

Procedure

Step 1	If you previously set a non-default ASDM image in the ASA configuration, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. Connect to the FXOS CLI on the active unit, either the console port (preferred) or using SSH. Connect to ASA. connect asa Example: `firepower-2100# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. ciscoasa>` Access privileged EXEC mode, and then global configuration mode. enable configure terminal Set the ASDM image. asdm image disk0:/asdm.bin Save the configuration. write memory Return to the FXOS console by entering Ctrl+a, d.
Step 2	Upgrade the standby unit. Connect to the FXOS CLI on the standby unit, either the console port (preferred) or using SSH. Enter firmware mode. scope firmware Example: `2110-sec# scope firmware 2110-sec /firmware#` Download the package. download image `url` Specify the URL for the file being imported using one of the following: ftp://`username`@`server`/[`path`/]`image_name` scp://`username`@`server`/[`path`/]`image_name` sftp://`username`@`server`/[`path`/]`image_name` tftp://`server`[:`port`]/[`path`/]`image_name` Example: `2110-sec /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA Please use the command 'show download-task' or 'show download-task detail' to check download progress.` Monitor the download process. show download-task Example: `2110-sec /firmware # show download Download task: File Name Protocol Server Port Userid State --------- -------- --------------- ---------- --------------- ----- cisco-asa-fp2k.9.8.2.SPA Tftp 10.88.29.181 0 Downloaded cisco-asa-fp2k.9.8.2.2.SPA Tftp 10.88.29.181 0 Downloading 2110-sec /firmware #` When the new package finishes downloading (Downloaded state), boot the package. View the version number of the new package. show package Example: `2110-sec /firmware # show package Name Package-Vers --------------------------------------------- ------------ cisco-asa-fp2k.9.8.2.SPA 9.8.2 cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2 2110-sec /firmware #` Install the package. scope auto-install install security-pack version `version` In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots. Example: 2110-sec /firmware # scope auto-install 2110-sec /firmware/auto-install # install security-pack version 9.8.3 The system is currently installed with security software package 9.8.2, which has: - The platform version: 2.2.2.52 - The CSP (asa) version: 9.8.2 If you proceed with the upgrade 9.8.3, it will do the following: - upgrade to the new platform version 2.2.2.97 - upgrade to the CSP asa version 9.8.3 During the upgrade, the system will be reboot Do you want to proceed ? (yes/no):yes This operation upgrades firmware and software on Security Platform Components Here is the checklist of things that are recommended before starting Auto-Install (1) Review current critical/major faults (2) Initiate a configuration backup Do you want to proceed? (yes/no):yes Triggered the install of software package version 9.8.3 Install started. This will take several minutes. For monitoring the upgrade progress, please enter 'show' or 'show detail' command. 2110-sec /firmware/auto-install # Wait for the chassis to finish rebooting (5-10 minutes). Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages: `2110-sec# Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Verifying signature for cisco-asa.9.8.2.2 ... Verifying signature for cisco-asa.9.8.2.2 ... success Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Cisco ASA starting ... Registering to process manager ... Cisco ASA started successfully. […]`
Step 3	Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit. Connect to the standby ASA CLI from FXOS. connect asa enable Example: `2110-sec# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. asa/stby/sec> enable Password: *** asa/stby/sec#` Force to the standby unit to become active. failover active Example: `asa/stby/sec> failover active asa/act/sec#` To return to the FXOS console, enter Ctrl+a**, d.
Step 4	Upgrade the former active unit. Connect to the FXOS CLI on the former active unit, either the console port (preferred) or using SSH. Enter firmware mode. scope firmware Example: `2110-pri# scope firmware 2110-pri /firmware#` Download the package. download image `url` Specify the URL for the file being imported using one of the following: ftp://`username`@`server`/[`path`/]`image_name` scp://`username`@`server`/[`path`/]`image_name` sftp://`username`@`server`/[`path`/]`image_name` tftp://`server`[:`port`]/[`path`/]`image_name` Example: `2110-pri /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA Please use the command 'show download-task' or 'show download-task detail' to check download progress.` Monitor the download process. show download-task Example: `2110-pri /firmware # show download Download task: File Name Protocol Server Port Userid State --------- -------- --------------- ---------- --------------- ----- cisco-asa-fp2k.9.8.2.SPA Tftp 10.88.29.181 0 Downloaded cisco-asa-fp2k.9.8.2.2.SPA Tftp 10.88.29.181 0 Downloading 2110-pri /firmware #` When the new package finishes downloading (Downloaded state), boot the package. View the version number of the new package. show package Example: `2110-pri /firmware # show package Name Package-Vers --------------------------------------------- ------------ cisco-asa-fp2k.9.8.2.SPA 9.8.2 cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2 2110-pri /firmware #` Install the package. scope auto-install install security-pack version `version` In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots. Example: 2110-pri /firmware # scope auto-install 2110-pri /firmware/auto-install # install security-pack version 9.8.3 The system is currently installed with security software package 9.8.2, which has: - The platform version: 2.2.2.52 - The CSP (asa) version: 9.8.2 If you proceed with the upgrade 9.8.3, it will do the following: - upgrade to the new platform version 2.2.2.97 - upgrade to the CSP asa version 9.8.3 During the upgrade, the system will be reboot Do you want to proceed ? (yes/no):yes This operation upgrades firmware and software on Security Platform Components Here is the checklist of things that are recommended before starting Auto-Install (1) Review current critical/major faults (2) Initiate a configuration backup Do you want to proceed? (yes/no):yes Triggered the install of software package version 9.8.3 Install started. This will take several minutes. For monitoring the upgrade progress, please enter 'show' or 'show detail' command. 2110-pri /firmware/auto-install # Wait for the chassis to finish rebooting (5-10 minutes). Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages: `2110-pri# Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Verifying signature for cisco-asa.9.8.2.2 ... Verifying signature for cisco-asa.9.8.2.2 ... success Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Cisco ASA starting ... Registering to process manager ... Cisco ASA started successfully. […]`

Upgrade an Active/Active Failover Pair

Use the FXOS CLI or Firepower Chassis Manager to upgrade the Active/Active failover pair for a zero downtime upgrade.

Upgrade an Active/Active Failover Pair Using the Firepower Chassis Manager

This section describes how to upgrade the ASA bundle, which includes both ASA and ASDM, for an Active/Active failover pair. You will upload the package from your management computer.

Procedure

Step 1	Make both failover groups active on the primary unit. Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the management address in failover group 1. Choose Monitoring > Failover > Failover Group 2, and click Make Active. Stay connected to ASDM on this unit for later steps.
Step 2	If you previously set a non-default ASDM image in the ASA configuration, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. In the main ASDM application window on the primary unit, choose Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. For the ASDM Image File Path, enter disk0:/asdm.bin. Click Apply Click the Save icon on the toolbar to save your configuration changes.
Step 3	Upgrade the secondary unit. Connect to the Firepower Chassis Manager on the secondary unit. Choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image to upload the new package from your management computer. Click Choose File to navigate to and select the package that you want to upload. Click Upload. The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status. Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image is automatically verified. Click the Upgrade icon to the right of the new package. Click Yes to confirm that you want to proceed with installation. There is no indicator that the new package is being loaded. You will still see the Firepower Chassis Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.
Step 4	Make both failover groups active on the secondary unit. In ASDM on the primary unit, choose Monitoring > Failover > Failover Group 1, and click Make Standby. ASDM will automatically reconnect to the failover group 1 IP address on the secondary unit.
Step 5	Upgrade the primary unit. Connect to the Firepower Chassis Manager on the primary unit. Choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image to upload the new package from your management computer. Click Choose File to navigate to and select the package that you want to upload. Click Upload. The selected package is uploaded to the chassis. The Upload Image dialog box shows the upload status. Wait for the Success dialog box, and click OK. After completing the upload, the integrity of the image is automatically verified. Click the Upgrade icon to the right of the new package. Click Yes to confirm that you want to proceed with installation. There is no indicator that the new package is being loaded. You will still see the Firepower Chassis Manager at the beginning of the upgrade process. When the system reboots, you will be logged out. You must wait for the system to come back up before you can log in to the Firepower Chassis Manager. The reboot process takes approximately 20 minutes. After the reboot, you will see the login screen.
Step 6	If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover > Failover Group # pane.

Upgrade an Active/Active Failover Pair Using the FXOS CLI

This section describes how to upgrade the ASA bundle, which includes both ASA and ASDM, for an Active/Active failover pair. You can use FTP, SCP, SFTP, or TFTP to copy the package to the Firepower 2100 chassis.

Procedure

Step 1	If you previously set a non-default ASDM image in the ASA configuration, then reset it to the image that came with your image bundle. The image bundle includes the ASDM image, and when you upgrade the ASA bundle, the ASDM image in the bundle replaces the previous ASDM bundle image on the ASA after reloading because they have the same name (asdm.bin). If you manually chose a different ASDM image that you uploaded (for example, asdm-7191.bin), then you continue to use that image even after a bundle upgrade. To make sure that you are running a compatible version of ASDM, you should reconfigure the ASA to use the bundled ASDM image. Connect to the FXOS CLI on the primary unit, either the console port (preferred) or using SSH. Connect to ASA. connect asa Example: `firepower-2100# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. ciscoasa>` Access privileged EXEC mode, and then global configuration mode. enable configure terminal Set the ASDM image. asdm image disk0:/asdm.bin Save the configuration. write memory Return to the FXOS console by entering Ctrl+a, d.
Step 2	Connect to the FXOS CLI on the secondary unit, either the console port (preferred) or using SSH.
Step 3	Make both failover groups active on the primary unit. Connect to the ASA CLI from FXOS. connect asa enable The enable password is blank by default. Example: `2110-sec# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. asa/act/sec> enable Password: <blank> asa/act/sec#` Make both failover groups active on the primary unit. no failover active group 1 no failover active group 2 Example: `asa/act/sec# no failover active group 1 asa/act/sec# no failover active group 2` Enter Ctrl+a, d to return to the FXOS console.
Step 4	Upgrade the secondary unit. In FXOS, enter firmware mode. scope firmware Example: `2110-sec# scope firmware 2110-sec /firmware#` Download the package. download image `url` Specify the URL for the file being imported using one of the following: ftp://`username`@`server`/[`path`/]`image_name` scp://`username`@`server`/[`path`/]`image_name` sftp://`username`@`server`/[`path`/]`image_name` tftp://`server`[:`port`]/[`path`/]`image_name` Example: `2110-sec /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA Please use the command 'show download-task' or 'show download-task detail' to check download progress.` Monitor the download process. show download-task Example: `2110-sec /firmware # show download Download task: File Name Protocol Server Port Userid State --------- -------- --------------- ---------- --------------- ----- cisco-asa-fp2k.9.8.2.SPA Tftp 10.88.29.181 0 Downloaded cisco-asa-fp2k.9.8.2.2.SPA Tftp 10.88.29.181 0 Downloading 2110-sec /firmware #` When the new package finishes downloading (Downloaded state), boot the package. View the version number of the new package. show package Example: `2110-sec /firmware # show package Name Package-Vers --------------------------------------------- ------------ cisco-asa-fp2k.9.8.2.SPA 9.8.2 cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2 2110-sec /firmware #` Install the package. scope auto-install install security-pack version `version` In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots. Example: 2110-sec /firmware # scope auto-install 2110-sec /firmware/auto-install # install security-pack version 9.8.3 The system is currently installed with security software package 9.8.2, which has: - The platform version: 2.2.2.52 - The CSP (asa) version: 9.8.2 If you proceed with the upgrade 9.8.3, it will do the following: - upgrade to the new platform version 2.2.2.97 - upgrade to the CSP asa version 9.8.3 During the upgrade, the system will be reboot Do you want to proceed ? (yes/no):yes This operation upgrades firmware and software on Security Platform Components Here is the checklist of things that are recommended before starting Auto-Install (1) Review current critical/major faults (2) Initiate a configuration backup Do you want to proceed? (yes/no):yes Triggered the install of software package version 9.8.3 Install started. This will take several minutes. For monitoring the upgrade progress, please enter 'show' or 'show detail' command. 2110-sec /firmware/auto-install # Wait for the chassis to finish rebooting (5-10 minutes). Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages: `2110-sec# Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Verifying signature for cisco-asa.9.8.2.2 ... Verifying signature for cisco-asa.9.8.2.2 ... success Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Cisco ASA starting ... Registering to process manager ... Cisco ASA started successfully. […]`
Step 5	Make both failover groups active on the secondary unit. Connect to the ASA CLI from FXOS. connect asa enable The enable password is blank by default. Example: `2110-sec# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. asa/stby/sec> enable Password: <blank> asa/stby/sec#` Make both failover groups active on the secondary unit. failover active group 1 failover active group 2 Example: `asa/stby/sec# failover active group 1 asa/act/sec# failover active group 2` Enter Ctrl+a, d to return to the FXOS console.
Step 6	Upgrade the primary unit. Connect to the FXOS CLI on the primary unit, either the console port (preferred) or using SSH. Enter firmware mode. scope firmware Example: `2110-pri# scope firmware 2110-pri /firmware#` Download the package. download image `url` Specify the URL for the file being imported using one of the following: ftp://`username`@`server`/[`path`/]`image_name` scp://`username`@`server`/[`path`/]`image_name` sftp://`username`@`server`/[`path`/]`image_name` tftp://`server`[:`port`]/[`path`/]`image_name` Example: `2110-pri /firmware# download image tftp://10.88.29.181/cisco-asa-fp2k.9.8.2.2.SPA Please use the command 'show download-task' or 'show download-task detail' to check download progress.` Monitor the download process. show download-task Example: `2110-pri /firmware # show download Download task: File Name Protocol Server Port Userid State --------- -------- --------------- ---------- --------------- ----- cisco-asa-fp2k.9.8.2.SPA Tftp 10.88.29.181 0 Downloaded cisco-asa-fp2k.9.8.2.2.SPA Tftp 10.88.29.181 0 Downloading 2110-pri /firmware #` When the new package finishes downloading (Downloaded state), boot the package. View the version number of the new package. show package Example: `2110-pri /firmware # show package Name Package-Vers --------------------------------------------- ------------ cisco-asa-fp2k.9.8.2.SPA 9.8.2 cisco-asa-fp2k.9.8.2.2.SPA 9.8.2.2 2110-pri /firmware #` Install the package. scope auto-install install security-pack version `version` In the show package output, copy the Package-Vers value for the security-pack version number. The chassis installs the ASA image and reboots. Example: 2110-pri /firmware # scope auto-install 2110-pri /firmware/auto-install # install security-pack version 9.8.3 The system is currently installed with security software package 9.8.2, which has: - The platform version: 2.2.2.52 - The CSP (asa) version: 9.8.2 If you proceed with the upgrade 9.8.3, it will do the following: - upgrade to the new platform version 2.2.2.97 - upgrade to the CSP asa version 9.8.3 During the upgrade, the system will be reboot Do you want to proceed ? (yes/no):yes This operation upgrades firmware and software on Security Platform Components Here is the checklist of things that are recommended before starting Auto-Install (1) Review current critical/major faults (2) Initiate a configuration backup Do you want to proceed? (yes/no):yes Triggered the install of software package version 9.8.3 Install started. This will take several minutes. For monitoring the upgrade progress, please enter 'show' or 'show detail' command. 2110-pri /firmware/auto-install # Wait for the chassis to finish rebooting (5-10 minutes). Although FXOS is up, you still need to wait for the ASA to come up (5 minutes). Wait until you see the following messages: `2110-pri# Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Verifying signature for cisco-asa.9.8.2.2 ... Verifying signature for cisco-asa.9.8.2.2 ... success Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.8.2.2__asa_001_JAD20280BW90MEZR11, FLAG='' Cisco ASA starting ... Registering to process manager ... Cisco ASA started successfully. […]`
Step 7	If the failover groups are configured with the ASA preempt command, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with the preempt command, you can return them to active status on their designated units by connecting to the ASA CLI and using the failover active group command.

Upgrade the Firepower 4100/9300

This document describes how to upgrade the ASA on the Firepower 4100/9300.

Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster

Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and a standalone ASA device or an ASA intra-chassis cluster on a Firepower 9300.

Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster Using Secure Firewall Chassis Manager

The upgrade process can take up to 45 minutes. Traffic will not traverse through the device while it is upgrading. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.

Procedure

Step 1	In Secure Firewall chassis manager, choose System > Updates. The Available Updates area shows a list of the packages available on the chassis.
Step 2	Upload the new FXOS platform bundle image and ASA software image:: Click Upload Image. Click Choose File to navigate to and select the image that you want to upload. Click Upload. The selected image is uploaded to the chassis.
Step 3	After the new FXOS platform bundle image has successfully uploaded, click the Upgrade icon for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings.
Step 4	Click Yes to confirm that you want to proceed with installation. FXOS unpacks the bundle and upgrades/reloads the components.
Step 5	Firepower Chassis Manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).
Step 6	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 7	Choose Logical Devices. The Logical Devices page opens to show a list of configured logical devices on the chassis.
Step 8	For each ASA logical device that you want to upgrade: Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box. For the New Version, choose the software version to which you want to upgrade. Click OK.
Step 9	After the upgrade process finishes, verify that the applications are online and have upgraded successfully: Choose Logical Devices. Verify the application version and operational status.

Upgrade FXOS and an ASA Standalone Device or Intra-Chassis Cluster Using the FXOS CLI

The upgrade process can take up to 45 minutes. Traffic will not traverse through the device while it is upgrading. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.
Collect the following information that you will need to download software images to the chassis:
- IP address and authentication credentials for the server from which you are copying the images.
- Fully qualified names of the image files.

Procedure

Step 1	Connect to the FXOS CLI.
Step 2	Download the new FXOS platform bundle image to the chassis: Enter firmware mode: scope firmware Download the FXOS platform bundle software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server/` `path/` `image_name` scp://`username`@`server/` `path/` `image_name` sftp://`username`@`server/` `path/` `image_name` tftp://`server:` `port-num/` `path/` `image_name` To monitor the download process: scope download-task `image_name` show detail Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope firmware Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware/download-task # show detail Download task: File Name: fxos-k9.2.3.1.58.SPA Protocol: scp Server: 192.168.1.1 Userid: Path: Downloaded Image Size (KB): 853688 State: Downloading Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
Step 3	After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle: If necessary, return to firmware mode: up Make note of the version number for the FXOS platform bundle you are installing: show package Enter auto-install mode: scope auto-install Install the FXOS platform bundle: install platform platform-vers `version_number` `version_number` is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58). The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Enter yes to confirm that you want to proceed with verification. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. FXOS unpacks the bundle and upgrades/reloads the components. To monitor the upgrade process, see Monitor the Upgrade Progress.
Step 4	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 5	Download the new ASA software image to the chassis: Enter Security Services mode: top scope ssa Enter Application Software mode: scope app-software Download the logical device software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server`/`path` scp://`username`@`server`/`path` sftp://`username`@`server`/`path` tftp://`server`:`port-num`/`path` To monitor the download process: show download-task To view the downloaded applications: up show app Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step. Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope ssa Firepower-chassis /ssa # scope app-software Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp Firepower-chassis /ssa/app-software # show download-task Downloads for Application Software: File Name Protocol Server Userid State ------------------------------ ---------- -------------------- --------------- ----- cisco-asa.9.4.1.65.csp Scp 192.168.1.1 user Downloaded Firepower-chassis /ssa/app-software # up Firepower-chassis /ssa # show app Application: Name Version Description Author Deploy Type CSP Type Is Default App ---------- ---------- ----------- ---------- ----------- ----------- -------------- asa 9.4.1.41 N/A Native Application No asa 9.4.1.65 N/A Native Application Yes
Step 6	For each ASA logical device that you want to upgrade: Enter Security Services mode: top scope ssa Set the scope to the security module you are updating: scope slot`slot_number` Set the scope to the ASA application: scope app-instance asa `instance_name` Set the Startup version to the new ASA software version: set startup-version `version_number`
Step 7	Commit the configuration: commit-buffer Commits the transaction to the system configuration. The application image is updated and the application restarts.
Step 8	To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.

Upgrade FXOS and an ASA Active/Standby Failover Pair

Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and an ASA Active/Standby failover pair.

Upgrade FXOS and an ASA Active/Standby Failover Pair Using Secure Firewall Chassis Manager

The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

You need to determine which unit is active and which is standby: connect ASDM to the active ASA IP address. The active unit always owns the active IP address. Then choose Monitoring > Properties > Failover > Status to view this unit's priority (primary or secondary) so you know which unit you are connected to.
Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.

Procedure

Step 1	On the chassis that contains the standby ASA logical device, upload the new FXOS platform bundle image and ASA software image: In Secure Firewall chassis manager, choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image. Click Choose File to navigate to and select the image that you want to upload. Click Upload. The selected image is uploaded to the chassis.
Step 2	After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the chassis that contains the standby ASA logical device: Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Click Yes to confirm that you want to proceed with installation. FXOS unpacks the bundle and upgrades/reloads the components.
Step 3	Secure Firewall chassis manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).
Step 4	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 5	Upgrade the ASA logical device image: Choose Logical Devices to open the Logical Devices page. The Logical Devices page opens to show a list of configured logical devices on the chassis. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box. For the New Version, choose the software version to which you want to update. Click OK.
Step 6	After the upgrade process finishes, verify that the applications are online and have upgraded successfully: Choose Logical Devices. Verify the application version and operational status.
Step 7	Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit: Launch ASDM on the standby unit by connecting to the standby ASA IP address. Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status, and clicking Make Active.
Step 8	On the chassis that contains the new standby ASA logical device, upload the new FXOS platform bundle image and ASA software image: In Secure Firewall chassis manager, choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image. Click Choose File to navigate to and select the image that you want to upload. Click Upload. The selected image is uploaded to the chassis.
Step 9	After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the chassis that contains the new standby ASA logical device: Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Click Yes to confirm that you want to proceed with installation. FXOS unpacks the bundle and upgrades/reloads the components.
Step 10	Secure Firewall chassis manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).
Step 11	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 12	Upgrade the ASA logical device image: Choose Logical Devices. The Logical Devices page opens to shows a list of configured logical devices on the chassis. If no logical devices have been configured, a message stating so is shown instead. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box. For the New Version, choose the software version to which you want to update. Click OK.
Step 13	After the upgrade process finishes, verify that the applications are online and have upgraded successfully: Choose Logical Devices. Verify the application version and operational status.
Step 14	(Optional) Make the unit that you just upgraded the active unit as it was before the upgrade: Launch ASDM on the standby unit by connecting to the standby ASA IP address. Force the standby unit to become active by choosing Monitoring > Properties > Failover > Status, and clicking Make Active.

Upgrade FXOS and an ASA Active/Standby Failover Pair Using the FXOS CLI

The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

You need to determine which unit is active and which is standby: connect to the ASA console on the chassis and enter the show failover command to view the Active/Standby status of the unit.
Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.
Collect the following information that you will need to download software images to the chassis:
- IP address and authentication credentials for the server from which you are copying the image.
- Fully qualified name of the image file.

Procedure

Step 1	On the chassis that contains the standby ASA logical device, download the new FXOS platform bundle image: Connect to the FXOS CLI. Enter firmware mode: scope firmware Download the FXOS platform bundle software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server/` `path/` `image_name` scp://`username`@`server/` `path/` `image_name` sftp://`username`@`server/` `path/` `image_name` tftp://`server:` `port-num/` `path/` `image_name` To monitor the download process: scope download-task `image_name` show detail Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope firmware Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware/download-task # show detail Download task: File Name: fxos-k9.2.3.1.58.SPA Protocol: scp Server: 192.168.1.1 Userid: Path: Downloaded Image Size (KB): 853688 State: Downloading Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
Step 2	After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle: If necessary, return to firmware mode: up Make note of the version number for the FXOS platform bundle you are installing: show package Enter auto-install mode: scope auto-install Install the FXOS platform bundle: install platform platform-vers `version_number` `version_number` is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58). The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Enter yes to confirm that you want to proceed with verification. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. FXOS unpacks the bundle and upgrades/reloads the components. To monitor the upgrade process, see Monitor the Upgrade Progress.
Step 3	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 4	Download the new ASA software image to the chassis: Enter Security Services mode: top scope ssa Enter Application Software mode: scope app-software Download the logical device software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server`/`path` scp://`username`@`server`/`path` sftp://`username`@`server`/`path` tftp://`server`:`port-num`/`path` To monitor the download process: show download-task To view the downloaded applications: up show app Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step. Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope ssa Firepower-chassis /ssa # scope app-software Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp Firepower-chassis /ssa/app-software # show download-task Downloads for Application Software: File Name Protocol Server Userid State ------------------------------ ---------- -------------------- --------------- ----- cisco-asa.9.4.1.65.csp Scp 192.168.1.1 user Downloaded Firepower-chassis /ssa/app-software # up Firepower-chassis /ssa # show app Application: Name Version Description Author Deploy Type CSP Type Is Default App ---------- ---------- ----------- ---------- ----------- ----------- -------------- asa 9.4.1.41 N/A Native Application No asa 9.4.1.65 N/A Native Application Yes
Step 5	Upgrade the ASA logical device image: Enter Security Services mode: top scope ssa Set the scope to the security module you are updating: scope slot`slot_number` Set the scope to the ASA application: scope app-instance asa `instance_name` Set the Startup version to the version you want to update: set startup-version `version_number` Commit the configuration: commit-buffer Commits the transaction to the system configuration. The application image is updated and the application restarts.
Step 6	To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.
Step 7	Make the unit that you just upgraded the active unit so that traffic flows to the upgraded unit: On the chassis that contains the standby ASA logical device, connect to the module CLI using a console connection or a Telnet connection. connect module `slot_number` `{` console \| telnet} To connect to the security engine of a device that does not support multiple security modules, always use 1 as the `slot_number` . Example: `Firepower# connect module 1 console Telnet escape character is '~'. Trying 127.5.1.1... Connected to 127.5.1.1. Escape character is '~'. CISCO Serial Over LAN: Close Network Connection to Exit Firepower-module1>` Connect to the application console. connect asa Example: `Firepower-module1> connect asa Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI [...] asa>` Make this unit active: failover active Save the configuration: write memory Verify that the unit is active: show failover
Step 8	Exit the application console to the FXOS module CLI. Enter Ctrl-a, d
Step 9	Return to the supervisor level of the FXOS CLI. Exit the console: Enter ~ You exit to the Telnet application. To exit the Telnet application, enter: telnet>quit Exit the Telnet session: Enter Ctrl-], .
Step 10	On the chassis that contains the new standby ASA logical device, download the new FXOS platform bundle image: Connect to the FXOS CLI. Enter firmware mode: scope firmware Download the FXOS platform bundle software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server/` `path/` `image_name` scp://`username`@`server/` `path/` `image_name` sftp://`username`@`server/` `path/` `image_name` tftp://`server:` `port-num/` `path/` `image_name` To monitor the download process: scope download-task `image_name` show detail Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope firmware Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware/download-task # show detail Download task: File Name: fxos-k9.2.3.1.58.SPA Protocol: scp Server: 192.168.1.1 Userid: Path: Downloaded Image Size (KB): 853688 State: Downloading Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
Step 11	After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle: If necessary, return to firmware mode: up Make note of the version number for the FXOS platform bundle you are installing: show package Enter auto-install mode: scope auto-install Install the FXOS platform bundle: install platform platform-vers `version_number` `version_number` is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58). The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Enter yes to confirm that you want to proceed with verification. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. FXOS unpacks the bundle and upgrades/reloads the components. To monitor the upgrade process, see Monitor the Upgrade Progress.
Step 12	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 13	Download the new ASA software image to the chassis: Enter Security Services mode: top scope ssa Enter Application Software mode: scope app-software Download the logical device software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server`/`path` scp://`username`@`server`/`path` sftp://`username`@`server`/`path` tftp://`server`:`port-num`/`path` To monitor the download process: show download-task To view the downloaded applications: up show app Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step. Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope ssa Firepower-chassis /ssa # scope app-software Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp Firepower-chassis /ssa/app-software # show download-task Downloads for Application Software: File Name Protocol Server Userid State ------------------------------ ---------- -------------------- --------------- ----- cisco-asa.9.4.1.65.csp Scp 192.168.1.1 user Downloaded Firepower-chassis /ssa/app-software # up Firepower-chassis /ssa # show app Application: Name Version Description Author Deploy Type CSP Type Is Default App ---------- ---------- ----------- ---------- ----------- ----------- -------------- asa 9.4.1.41 N/A Native Application No asa 9.4.1.65 N/A Native Application Yes
Step 14	Upgrade the ASA logical device image: Enter Security Services mode: top scope ssa Set the scope to the security module you are updating: scope slot`slot_number` Set the scope to the ASA application: scope app-instance asa `instance_name` Set the Startup version to the version you want to update: set startup-version `version_number` Commit the configuration: commit-buffer Commits the transaction to the system configuration. The application image is updated and the application restarts.
Step 15	To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.
Step 16	(Optional) Make the unit that you just upgraded the active unit as it was before the upgrade: On the chassis that contains the standby ASA logical device, connect to the module CLI using a console connection or a Telnet connection. connect module `slot_number` `{` console \| telnet} To connect to the security engine of a device that does not support multiple security modules, always use 1 as the `slot_number` . Example: `Firepower# connect module 1 console Telnet escape character is '~'. Trying 127.5.1.1... Connected to 127.5.1.1. Escape character is '~'. CISCO Serial Over LAN: Close Network Connection to Exit Firepower-module1>` Connect to the application console. connect asa Example: `Firepower-module1> connect asa Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI [...] asa>` Make this unit active: failover active Save the configuration: write memory Verify that the unit is active: show failover

Upgrade FXOS and an ASA Active/Active Failover Pair

Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and an ASA Active/Active failover pair.

Upgrade FXOS and an ASA Active/Active Failover Pair Using Secure Firewall Chassis Manager

The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

You need to determine which unit is the primary unit: connect ASDM and then choose Monitoring > Properties > Failover > Status to view this unit's priority (primary or secondary) so you know which unit you are connected to.
Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.

Procedure

Step 1	Make both failover groups active on the primary unit. Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the management address in failover group 1. Choose Monitoring > Failover > Failover Group 2, and click Make Active. Stay connected to ASDM on this unit for later steps.
Step 2	On the chassis that contains the secondary ASA logical device, upload the new FXOS platform bundle image and ASA software image: Connect to the Secure Firewall chassis manager on the secondary unit. Choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image. Click Choose File to navigate to and select the image that you want to upload. Click Upload. The selected image is uploaded to the chassis.
Step 3	After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the chassis that contains the secondary ASA logical device: Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Click Yes to confirm that you want to proceed with installation. FXOS unpacks the bundle and upgrades/reloads the components.
Step 4	Secure Firewall chassis manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).
Step 5	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 6	Upgrade the ASA logical device image: Choose Logical Devices. The Logical Devices page opens to show a list of configured logical devices on the chassis. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box. For the New Version, choose the software version to which you want to update. Click OK.
Step 7	After the upgrade process finishes, verify that the applications are online and have upgraded successfully: Choose Logical Devices. Verify the application version and operational status.
Step 8	Make both failover groups active on the secondary unit. Launch ASDM on the primary unit (or the unit with failover group 1 active) by connecting to the management address in failover group 1. Choose Monitoring > Failover > Failover Group 1, and click Make Standby. Choose Monitoring > Failover > Failover Group 2, and click Make Standby. ASDM will automatically reconnect to the failover group 1 IP address on the secondary unit.
Step 9	On the chassis that contains the primary ASA logical device, upload the new FXOS platform bundle image and ASA software image: Connect to the Secure Firewall chassis manager on the primary unit. Choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image to open the Upload Image dialog box. Click Choose File to navigate to and select the image that you want to upload. Click Upload. The selected package is uploaded to the chassis. For certain software images you will be presented with an end-user license agreement after uploading the image. Follow the system prompts to accept the end-user license agreement.
Step 10	After the new FXOS platform bundle image has successfully uploaded, upgrade the FXOS bundle on the chassis that contains the primary ASA logical device: Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Click Yes to confirm that you want to proceed with installation. FXOS unpacks the bundle and upgrades/reloads the components.
Step 11	Secure Firewall chassis manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).
Step 12	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 13	Upgrade the ASA logical device image: Choose Logical Devices. The Logical Devices page opens to show a list of configured logical devices on the chassis. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box. For the New Version, choose the software version to which you want to update. Click OK.
Step 14	After the upgrade process finishes, verify that the applications are online and have upgraded successfully: Choose Logical Devices. Verify the application version and operational status.
Step 15	If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover > Failover Group # pane.

Upgrade FXOS and an ASA Active/Active Failover Pair Using the FXOS CLI

The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

You need to determine which unit is primary: connect to the ASA console on the chassis and enter the show failover command to view the unit's status and priority (primary or secondary).
Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.
Collect the following information that you will need to download software images to the chassis:
- IP address and authentication credentials for the server from which you are copying the image.
- Fully qualified name of the image file.

Procedure

Step 1	Connect to the FXOS CLI on the secondary unit, either the console port (preferred) or using SSH.
Step 2	Make both failover groups active on the primary unit. Connect to the module CLI using a console connection or a Telnet connection. connect module `slot_number` `{` console \| telnet} To connect to the security engine of a device that does not support multiple security modules, always use 1 as the `slot_number` . Example: `Firepower# connect module 1 console Telnet escape character is '~'. Trying 127.5.1.1... Connected to 127.5.1.1. Escape character is '~'. CISCO Serial Over LAN: Close Network Connection to Exit Firepower-module1>` Connect to the application console. connect asa Example: `Firepower-module1> connect asa Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI [...] asa>` Make both failover groups active on the primary unit. enable The enable password is blank by default. no failover active group 1 no failover active group 2 Example: `asa> enable Password: <blank> asa# no failover active group 1 asa# no failover active group 2`
Step 3	Exit the application console to the FXOS module CLI. Enter Ctrl-a, d
Step 4	Return to the supervisor level of the FXOS CLI. Exit the console: Enter ~ You exit to the Telnet application. To exit the Telnet application, enter: telnet>quit Exit the Telnet session: Enter Ctrl-], .
Step 5	On the chassis that contains the secondary ASA logical device, download the new FXOS platform bundle image and ASA software image: Connect to the FXOS CLI. Enter firmware mode: scope firmware Download the FXOS platform bundle software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server/` `path/` `image_name` scp://`username`@`server/` `path/` `image_name` sftp://`username`@`server/` `path/` `image_name` tftp://`server:` `port-num/` `path/` `image_name` To monitor the download process: scope download-task `image_name` show detail Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope firmware Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware/download-task # show detail Download task: File Name: fxos-k9.2.3.1.58.SPA Protocol: scp Server: 192.168.1.1 Userid: Path: Downloaded Image Size (KB): 853688 State: Downloading Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
Step 6	After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle: If necessary, return to firmware mode: top scope firmware Make note of the version number for the FXOS platform bundle you are installing: show package Enter auto-install mode: scope auto-install Install the FXOS platform bundle: install platform platform-vers `version_number` `version_number` is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58). The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Enter yes to confirm that you want to proceed with verification. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. FXOS unpacks the bundle and upgrades/reloads the components. To monitor the upgrade process, see Monitor the Upgrade Progress.
Step 7	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 8	Download the new ASA software image to the chassis: Enter Security Services mode: top scope ssa Enter Application Software mode: scope app-software Download the logical device software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server`/`path` scp://`username`@`server`/`path` sftp://`username`@`server`/`path` tftp://`server`:`port-num`/`path` To monitor the download process: show download-task To view the downloaded applications: up show app Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step. Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope ssa Firepower-chassis /ssa # scope app-software Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp Firepower-chassis /ssa/app-software # show download-task Downloads for Application Software: File Name Protocol Server Userid State ------------------------------ ---------- -------------------- --------------- ----- cisco-asa.9.4.1.65.csp Scp 192.168.1.1 user Downloaded Firepower-chassis /ssa/app-software # up Firepower-chassis /ssa # show app Application: Name Version Description Author Deploy Type CSP Type Is Default App ---------- ---------- ----------- ---------- ----------- ----------- -------------- asa 9.4.1.41 N/A Native Application No asa 9.4.1.65 N/A Native Application Yes
Step 9	Upgrade the ASA logical device image: Enter Security Services mode: top scope ssa Set the scope to the security module you are updating: scope slot`slot_number` Set the scope to the ASA application: scope app-instance asa `instance_name` Set the Startup version to the version you want to update: set startup-version `version_number` Commit the configuration: commit-buffer Commits the transaction to the system configuration. The application image is updated and the application restarts.
Step 10	To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.
Step 11	Make both failover groups active on the secondary unit. Connect to the module CLI using a console connection or a Telnet connection. connect module `slot_number` `{` console \| telnet} To connect to the security engine of a device that does not support multiple security modules, always use 1 as the `slot_number` . Example: `Firepower# connect module 1 console Telnet escape character is '~'. Trying 127.5.1.1... Connected to 127.5.1.1. Escape character is '~'. CISCO Serial Over LAN: Close Network Connection to Exit Firepower-module1>` Connect to the application console. connect asa Example: `Firepower-module1> connect asa Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI [...] asa>` Make both failover groups active on the secondary unit. enable The enable password is blank by default. failover active group 1 failover active group 2 Example: `asa> enable Password: <blank> asa# failover active group 1 asa# failover active group 2`
Step 12	Exit the application console to the FXOS module CLI. Enter Ctrl-a, d
Step 13	Return to the supervisor level of the FXOS CLI. Exit the console: Enter ~ You exit to the Telnet application. To exit the Telnet application, enter: telnet>quit Exit the Telnet session: Enter Ctrl-], .
Step 14	On the chassis that contains the primary ASA logical device, download the new FXOS platform bundle image and ASA software image: Connect to the FXOS CLI. Enter firmware mode: scope firmware Download the FXOS platform bundle software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server/` `path/` `image_name` scp://`username`@`server/` `path/` `image_name` sftp://`username`@`server/` `path/` `image_name` tftp://`server:` `port-num/` `path/` `image_name` To monitor the download process: scope download-task `image_name` show detail Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope firmware Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware/download-task # show detail Download task: File Name: fxos-k9.2.3.1.58.SPA Protocol: scp Server: 192.168.1.1 Userid: Path: Downloaded Image Size (KB): 853688 State: Downloading Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
Step 15	After the new FXOS platform bundle image has successfully downloaded, upgrade the FXOS bundle: If necessary, return to firmware mode: up Make note of the version number for the FXOS platform bundle you are installing: show package Enter auto-install mode: scope auto-install Install the FXOS platform bundle: install platform platform-vers `version_number` `version_number` is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58). The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Enter yes to confirm that you want to proceed with verification. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. FXOS unpacks the bundle and upgrades/reloads the components. To monitor the upgrade process, see Monitor the Upgrade Progress.
Step 16	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 17	Download the new ASA software image to the chassis: Enter Security Services mode: top scope ssa Enter Application Software mode: scope app-software Download the logical device software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server`/`path` scp://`username`@`server`/`path` sftp://`username`@`server`/`path` tftp://`server`:`port-num`/`path` To monitor the download process: show download-task To view the downloaded applications: up show app Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step. Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope ssa Firepower-chassis /ssa # scope app-software Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp Firepower-chassis /ssa/app-software # show download-task Downloads for Application Software: File Name Protocol Server Userid State ------------------------------ ---------- -------------------- --------------- ----- cisco-asa.9.4.1.65.csp Scp 192.168.1.1 user Downloaded Firepower-chassis /ssa/app-software # up Firepower-chassis /ssa # show app Application: Name Version Description Author Deploy Type CSP Type Is Default App ---------- ---------- ----------- ---------- ----------- ----------- -------------- asa 9.4.1.41 N/A Native Application No asa 9.4.1.65 N/A Native Application Yes
Step 18	Upgrade the ASA logical device image: Enter Security Services mode: top scope ssa Set the scope to the security module you are updating: scope slot`slot_number` Set the scope to the ASA application: scope app-instance asa `instance_name` Set the Startup version to the version you want to update: set startup-version `version_number` Commit the configuration: commit-buffer Commits the transaction to the system configuration. The application image is updated and the application restarts.
Step 19	To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.
Step 20	If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the ASDM Monitoring > Failover > Failover Group # pane.

Upgrade FXOS and an ASA Inter-chassis Cluster

Use the FXOS CLI or Firepower Chassis Manager to upgrade FXOS and ASA on all chassis in an inter-chassis cluster.

Upgrade FXOS and an ASA Inter-chassis Cluster Using Secure Firewall Chassis Manager

The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.

Procedure

Step 1	Determine which chassis has the control node. You will upgrade this chassis last. Connect to Secure Firewall chassis manager. Choose Logical Devices. Click the plus sign (+) to see the attributes for the security modules included in the cluster. Verify that the control node is on this chassis. There should be an ASA instance with CLUSTER-ROLE set to "Control".
Step 2	Connect to Secure Firewall chassis manager on a chassis in the cluster that does not have the control node.
Step 3	Upload the new FXOS platform bundle image and ASA software image: In Secure Firewall chassis manager, choose System > Updates. The Available Updates area shows a list of the packages available on the chassis. Click Upload Image. Click Choose File to navigate to and select the image that you want to upload. Click Upload. The selected image is uploaded to the chassis. Wait for the images to successfully upload before continuing.
Step 4	Upgrade the FXOS bundle: Choose System > Updates. Click the Upgrade icon for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Click Yes to confirm that you want to proceed with installation. FXOS unpacks the bundle and upgrades/reloads the components.
Step 5	Secure Firewall chassis manager will be unavailable during upgrade. You can monitor the upgrade process using the FXOS CLI (see Monitor the Upgrade Progress).
Step 6	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 7	Upgrade the ASA logical device image on each security module: Choose Logical Devices. The Logical Devices page opens to show a list of configured logical devices on the chassis. Click the Set Version icon for the logical device that you want to update to open the Update Image Version dialog box. For the New Version, choose the software version to which you want to update. Click OK.
Step 8	After the upgrade process finishes, verify that the applications are online and have upgraded successfully: Choose Logical Devices. Verify the application version and operational status.
Step 9	Repeat steps Step 2-Step 8 for all remaining chassis in the cluster that do not have the control node.
Step 10	After all chassis in the cluster that do not have the control node have been upgraded, repeat steps Step 2-Step 8 on the chassis with the control node. A new control node will be chosen from one of the previously upgraded chassis.
Step 11	For distributed VPN clustering mode, after the cluster has stabilized you can redistribute active sessions among all modules in the cluster using the ASA console on the control node. cluster redistribute vpn-sessiondb

What to do next

Set the chassis Site ID. For more information about how to set the chassis Site ID, see the Inter-Site Clustering topic in Deploying a Cluster for ASA on the Firepower 4100/9300 for Scalability and High Availability on Cisco.com.

Upgrade FXOS and an ASA Inter-chassis Cluster Using the FXOS CLI

The upgrade process can take up to 45 minutes per chassis. Please plan your upgrade activity accordingly.

Before you begin

Before beginning your upgrade, make sure that you have already done the following:

Download the FXOS and ASA software packages to which you are upgrading.
Back up your FXOS and ASA configurations.
Collect the following information that you will need to download software images to the chassis:
- IP address and authentication credentials for the server from which you are copying the image.
- Fully qualified name of the image file.

Procedure

Step 1	Determine which chassis has the control node. You will upgrade this chassis last. Connect to the FXOS CLI. Verify that the control node is on this chassis. There should be an ASA instance with Cluster Role set to “Control”: scope ssa show app-instance
Step 2	Connect to the FXOS CLI on a chassis in the cluster that does not have the control node.
Step 3	Download the new FXOS platform bundle image to the chassis: Enter firmware mode: scope firmware Download the FXOS platform bundle software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server/` `path/` `image_name` scp://`username`@`server/` `path/` `image_name` sftp://`username`@`server/` `path/` `image_name` tftp://`server:` `port-num/` `path/` `image_name` To monitor the download process: scope download-task `image_name` show detail Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope firmware Firepower-chassis /firmware # download image scp://user@192.168.1.1/images/fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware # scope download-task fxos-k9.2.3.1.58.SPA Firepower-chassis /firmware/download-task # show detail Download task: File Name: fxos-k9.2.3.1.58.SPA Protocol: scp Server: 192.168.1.1 Userid: Path: Downloaded Image Size (KB): 853688 State: Downloading Current Task: downloading image fxos-k9.2.3.1.58.SPA from 192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)
Step 4	Upgrade the FXOS bundle: If necessary, return to firmware mode: top scope firmware Make note of the version number for the FXOS platform bundle you are installing: show package Enter auto-install mode: scope auto-install Install the FXOS platform bundle: install platform platform-vers `version_number` `version_number` is the version number of the FXOS platform bundle you are installing--for example, 2.3(1.58). The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently-installed applications and the specified FXOS platform software package. It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade. As long as the ASA version is listed as upgradeable in the compatibility table, you can ignore these warnings. Enter yes to confirm that you want to proceed with verification. Enter yes to confirm that you want to proceed with installation, or enter no to cancel the installation. FXOS unpacks the bundle and upgrades/reloads the components. To monitor the upgrade process, see Monitor the Upgrade Progress.
Step 5	After all components have successfully upgraded, verify the status of the security modules/security engine and any installed applications before continuing (see Verify the Installation).
Step 6	Download the new ASA software image to the chassis: Enter Security Services mode: top scope ssa Enter Application Software mode: scope app-software Download the logical device software image: download image `URL` Specify the URL for the file being imported using one of the following syntax: ftp://`username`@`server`/`path` scp://`username`@`server`/`path` sftp://`username`@`server`/`path` tftp://`server`:`port-num`/`path` To monitor the download process: show download-task To view the downloaded applications: up show app Make note of the ASA version for the software package you downloaded. You will need to use the exact version string to enable the application in a later step. Example: The following example copies an image using the SCP protocol: Firepower-chassis # scope ssa Firepower-chassis /ssa # scope app-software Firepower-chassis /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp Firepower-chassis /ssa/app-software # show download-task Downloads for Application Software: File Name Protocol Server Userid State ------------------------------ ---------- -------------------- --------------- ----- cisco-asa.9.4.1.65.csp Scp 192.168.1.1 user Downloaded Firepower-chassis /ssa/app-software # up Firepower-chassis /ssa # show app Application: Name Version Description Author Deploy Type CSP Type Is Default App ---------- ---------- ----------- ---------- ----------- ----------- -------------- asa 9.4.1.41 N/A Native Application No asa 9.4.1.65 N/A Native Application Yes
Step 7	Upgrade the ASA logical device image: Enter Security Services mode: top scope ssa Set the scope to the security module you are updating: scope slot`slot_number` Set the scope to the ASA application: scope app-instance asa `instance_name` Set the Startup version to the version you want to update: set startup-version `version_number` Commit the configuration: commit-buffer Commits the transaction to the system configuration. The application image is updated and the application restarts.
Step 8	To verify the status of the security modules/security engine and any installed applications, see Verify the Installation.
Step 9	Repeat steps Step 2-Step 8 for all remaining chassis in the cluster that do not have the control node.
Step 10	After all chassis in the cluster that do not have the control node have been upgraded, repeat steps Step 2-Step 8 on the chassis with the control node. A new control node will be chosen from one of the previously upgraded chassis.
Step 11	For distributed VPN clustering mode, after the cluster has stabilized you can redistribute active sessions among all modules in the cluster using the ASA console on the control node. cluster redistribute vpn-sessiondb

What to do next

Monitor the Upgrade Progress

You can monitor the upgrade process using the FXOS CLI:

Procedure

Step 1

Connect to the FXOS CLI.

Step 2

Enter scope system .

Step 3

Enter show firmware monitor .

Step 4

Wait for all components (FPRM, Fabric Interconnect, and Chassis) to show Upgrade-Status: Ready.

Note

After the FPRM component is upgraded, the system will reboot and then continue upgrading the other components.

Example

Firepower-chassis# scope system
Firepower-chassis /system # show firmware monitor 
FPRM:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.3(1.58)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready
    Server 2:
        Package-Vers: 2.3(1.58)
        Upgrade-Status: Ready

Verify the Installation

Enter the following commands to verify the status of the security modules/security engine and any installed applications:

Procedure

Step 1	Connect to the FXOS CLI.
Step 2	Enter top .
Step 3	Enter scope ssa .
Step 4	Enter show slot .
Step 5	Verify that the Admin State is `Ok` and the Oper State is `Online` for the security engine on a Firepower 4100 series appliance or for any security modules installed on a Firepower 9300 appliance. Example:
Step 6	Enter show app-instance .
Step 7	Verify that the Oper State is `Online` for any logical devices installed on the chassis and that the correct version is listed. If this chassis is part of a cluster, verify that the cluster operational state is “In-Cluster” for all security modules installed in the chassis. Also, verify that the control unit is not on the chassis for which you are upgrading—there should not be any instance with Cluster Role set to “Master”.

Example

Firepower-chassis# scope ssa
Firepower-chassis /ssa # show slot

Slot:
    Slot ID    Log Level Admin State  Oper State
    ---------- --------- ------------ ----------
    1          Info      Ok           Online
    2          Info      Ok           Online
    3          Info      Ok           Not Available
Firepower-chassis /ssa #
Firepower-chassis /ssa # show app-instance
App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- --------------- ------------
asa        asa1       1          Enabled     Online           9.10.0.85       9.10.0.85       Not Applicable  None
asa        asa2       2          Enabled     Online           9.10.0.85       9.10.0.85       Not Applicable  None
Firepower-chassis /ssa #

Upgrade the ASA 5500-X, ASA Virtual, ASASM, or ISA 3000

This document describes how to plan and implement an ASA and ASDM upgrade for the ASA 5500-X, ASA virtual, ASASM, or ISA 3000 for standalone, failover, or clustering deployments.

Upgrade a Standalone Unit

Use the CLI or ASDM to upgrade the standalone unit.

Upgrade a Standalone Unit Using the CLI

This section describes how to install the ASDM and ASA images, and also when to upgrade the ASA FirePOWER module.

Before you begin

This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Procedure

Step 1

In privileged EXEC mode, copy the ASA software to flash memory.

copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


ciscoasa# copy ftp://jcrichton:aeryn@10.1.1.1/asa-9-12-1-smp-k8.bin disk0:/asa-9-12-1-smp-k8.bin

Step 2

Copy the ASDM image to flash memory.

copy ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name

Example:


ciscoasa# copy ftp://jcrichton:aeryn@10.1.1.1/asdm-7121.bin disk0:/asdm-7121.bin

Step 3

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

Step 4

Show the current boot images configured (up to 4):

show running-config boot system

The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must remove any existing entries, and enter the image URLs in the order desired, according to the next steps.

Example:


ciscoasa(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

Step 5

Remove any existing boot image configurations so that you can enter the new boot image as your first choice:

no boot system diskn:/[path/]asa_image_name

Example:


ciscoasa(config)# no boot system disk0:/cdisk.bin
ciscoasa(config)# no boot system disk0:/asa931-smp-k8.bin

Step 6

Set the ASA image to boot (the one you just uploaded):

boot system diskn:/[path/]asa_image_name

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed.

Example:


ciscoasa(config)# boot system disk0:/asa-9-12-1-smp-k8.bin

Step 7

Set the ASDM image to use (the one you just uploaded):

asdm image diskn:/[path/]asdm_image_name

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Example:


ciscoasa(config)# asdm image disk0:/asdm-7121.bin

Step 8

Save the new settings to the startup configuration:

write memory

Step 9

Reload the ASA:

reload

Step 10

If you are upgrading the ASA FirePOWER module, disable the ASA REST API or else the upgrade will fail.

no rest-api agent

You can reenable it after the upgrade:

rest-api agent

Note

The ASA 5506-X series does not support the ASA REST API if you are running the FirePOWER module Version 6.0 or later.

Step 11

Upgrade the ASA FirePOWER module.

Upgrade a Standalone Unit from Your Local Computer Using ASDM

The Upgrade Software from Local Computer tool lets you upload an image file from your computer to the flash file system to upgrade the ASA.

Procedure

Step 1

In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software dialog box appears.

Step 2

From the Image to Upload drop-down list, choose ASDM.

Step 3

In the Local File Path field, click Browse Local Files to find the file on your PC.

Step 4

In the Flash File System Path field, click Browse Flash to find the directory or file in the flash file system.

Step 5

Click Upload Image.

The uploading process might take a few minutes.

Step 6

You are prompted to set this image as the ASDM image. Click Yes.

Step 7

You are reminded to exit ASDM and save the configuration. Click OK.

You exit the Upgrade tool. Note: You will save the configuration and exit and reconnect to ASDM after you upgrade the ASA software.

Step 8

Repeat these steps, choosing ASA from the Image to Upload drop-down list. You can also use this procedure to upload other file types.

Step 9

Choose Tools > System Reload to reload the ASA.

A new window appears that asks you to verify the details of the reload.

Click the Save the running configuration at the time of reload radio button (the default).
Choose a time to reload (for example, Now, the default).
Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

Step 10

After the ASA reloads, restart ASDM.

You can check the reload status from a console port, or you can wait a few minutes and try to connect using ASDM until you are successful.

Step 11

If you are upgrading an ASA FirePOWER module, disable the ASA REST API by choosing Tools > Command Line Interface, and entering no rest-api agent .

If you do not disable the REST API, the ASA FirePOWER module upgrade will fail. You can reenable it after the upgrade:

rest-api agent

Note

The ASA 5506-X series does not support the ASA REST API if you are running the FirePOWER module Version 6.0 or later.

Step 12

Upgrade the ASA FirePOWER module.

Upgrade a Standalone Unit Using the ASDM Cisco.com Wizard

The Upgrade Software from Cisco.com Wizard lets you automatically upgrade the ASDM and ASA to more current versions.

In this wizard, you can do the following:

Choose an ASA image file and/or ASDM image file to upgrade.

Note

Review the upgrade changes that you have made.
Download the image or images and install them.
Review the status of the installation.
If the installation completed successfully, reload the ASA to save the configuration and complete the upgrade.

Before you begin

Procedure

Step 1

Choose Tools > Check for ASA/ASDM Updates.

In multiple context mode, access this menu from the System.

The Cisco.com Authentication dialog box appears.

Step 2

Enter your Cisco.com username and password, and then click Login.

The Cisco.com Upgrade Wizard appears.

Note

If there is no upgrade available, a dialog box appears. Click OK to exit the wizard.

Step 3

Click Next to display the Select Software screen.

The current ASA version and ASDM version appear.

Step 4

To upgrade the ASA version and ASDM version, perform the following steps:

In the ASA area, check the Upgrade to check box, and then choose an ASA version to which you want to upgrade from the drop-down list.
In the ASDM area, check the Upgrade to check box, and then choose an ASDM version to which you want to upgrade from the drop-down list.

Step 5

Click Next to display the Review Changes screen.

Step 6

Verify the following items:

The ASA image file and/or ASDM image file that you have downloaded are the correct ones.
The ASA image file and/or ASDM image file that you want to upload are the correct ones.
The correct ASA boot image has been selected.

Step 7

Click Next to start the upgrade installation.

You can then view the status of the upgrade installation as it progresses.

The Results screen appears, which provides additional details, such as the upgrade installation status (success or failure).

Step 8

If the upgrade installation succeeded, for the upgrade versions to take effect, check the Save configuration and reload device now check box to restart the ASA, and restart ASDM.

Step 9

Click Finish to exit the wizard and save the configuration changes that you have made.

Note

To upgrade to the next higher version, if any, you must restart the wizard.

Step 10

After the ASA reloads, restart ASDM.

You can check the reload status from a console port, or you can wait a few minutes and try to connect using ASDM until you are successful.

Step 11

If you are upgrading an ASA FirePOWER module, disable the ASA REST API by choosing Tools > Command Line Interface, and entering no rest-api agent .

If you do not disable the REST API, the ASA FirePOWER module upgrade will fail. You can reenable it after the upgrade:

rest-api agent

Note

The ASA 5506-X series does not support the ASA REST API if you are running the FirePOWER module Version 6.0 or later.

Step 12

Upgrade the ASA FirePOWER module.

Upgrade an Active/Standby Failover Pair

Use the CLI or ASDM to upgrade the Active/Standby failover pair for a zero downtime upgrade.

Upgrade an Active/Standby Failover Pair Using the CLI

To upgrade the Active/Standby failover pair, perform the following steps.

Before you begin

Perform these steps on the active unit. For SSH access, connect to the active IP address; the active unit always owns this IP address. When you connect to the CLI, determine the failover status by looking at the ASA prompt; you can configure the ASA prompt to show the failover status and priority (primary or secondary), which is useful to determine which unit you are connected to. See the prompt command. Alternatively, enter the show failover command to view this unit's status and priority (primary or secondary).
This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Procedure

Step 1

On the active unit in privileged EXEC mode, copy the ASA software to the active unit flash memory:

copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/act# copy ftp://jcrichton:aeryn@10.1.1.1/asa9-15-1-smp-k8.bin disk0:/asa9-15-1-smp-k8.bin

Step 2

Copy the software to the standby unit; be sure to specify the same path as for the active unit:

failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/act# failover exec mate copy /noconfirm ftp://jcrichton:aeryn@10.1.1.1/asa9-15-1-smp-k8.bin disk0:/asa9-15-1-smp-k8.bin

Step 3

Copy the ASDM image to the active unit flash memory:

copy ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name

Example:


asa/act# copy ftp://jcrichton:aeryn@10.1.1.1/asdm-77171417151.bin disk0:/asdm-77171417151.bin

Step 4

Copy the ASDM image to the standby unit; be sure to specify the same path as for the active unit:

failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name

Example:


asa/act# failover exec mate copy /noconfirm ftp://jcrichton:aeryn@10.1.1.1/asdm-77171417151.bin disk0:/asdm-77171417151.bin

Step 5

If you are not already in global configuration mode, access global configuration mode:

configure terminal

Step 6

Show the current boot images configured (up to 4):

show running-config boot system

Example:


asa/act(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

Step 7

Remove any existing boot image configurations so that you can enter the new boot image as your first choice:

no boot system diskn:/[path/]asa_image_name

Example:


asa/act(config)# no boot system disk0:/cdisk.bin
asa/act(config)# no boot system disk0:/asa931-smp-k8.bin

Step 8

Set the ASA image to boot (the one you just uploaded):

boot system diskn:/[path/]asa_image_name

Example:


asa/act(config)# boot system disk0://asa9-15-1-smp-k8.bin

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed.

Step 9

Set the ASDM image to use (the one you just uploaded):

asdm image diskn:/[path/]asdm_image_name

Example:


asa/act(config)# asdm image disk0:/asdm-77171417151.bin

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 10

Save the new settings to the startup configuration:

write memory

These configuration changes are automatically saved on the standby unit.

Step 11

If you are upgrading ASA FirePOWER modules, disable the ASA REST API or else the upgrade will fail.

no rest-api agent

Step 12

Upgrade the ASA FirePOWER module on the standby unit.

For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address. Wait for the upgrade to complete.

Step 13

Reload the standby unit to boot the new image:

failover reload-standby

Wait for the standby unit to finish loading. Use the show failover command to verify that the standby unit is in the Standby Ready state.

Step 14

Force the active unit to fail over to the standby unit.

no failover active

If you are disconnected from your SSH session, reconnect to the main IP address, now on the new active/former standby unit.

Step 15

Upgrade the ASA FirePOWER module on the former active unit.

For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address. Wait for the upgrade to complete.

Step 16

From the new active unit, reload the former active unit (now the new standby unit).

failover reload-standby

Example:


asa/act# failover reload-standby

Note

If you are connected to the former active unit console port, you should instead enter the reload command to reload the former active unit.

Upgrade an Active/Standby Failover Pair Using ASDM

To upgrade the Active/Standby failover pair, perform the following steps.

Before you begin

Place the ASA and ASDM images on your local management computer.

Procedure

Step 1	Launch ASDM on the standby unit by connecting to the standby IP address.
Step 2	In the main ASDM application window, choose Tools > Upgrade Software from Local Computer. The Upgrade Software dialog box appears.
Step 3	From the Image to Upload drop-down list, choose ASDM.
Step 4	In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 5	In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 6	Click Upload Image. The uploading process might take a few minutes. When you are prompted to set this image as the ASDM image, click No. You exit the Upgrade tool.
Step 7	Repeat these steps, choosing ASA from the Image to Upload drop-down list. When you are prompted to set this image as the ASA image, click No. You exit the Upgrade tool.
Step 8	Connect ASDM to the active unit by connecting to the main IP address, and upload the ASDM software, using the same file location you used on the standby unit.
Step 9	When you are prompted to set the image as the ASDM image, click Yes. You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the ASA software.
Step 10	Upload the ASA software, using the same file location you used for the standby unit.
Step 11	When you are prompted to set the image as the ASA image, click Yes. You are reminded to reload the ASA to use the new image. Click OK. You exit the Upgrade tool.
Step 12	Click the Save icon on the toolbar to save your configuration changes. These configuration changes are automatically saved on the standby unit.
Step 13	If you are upgrading ASA FirePOWER modules, disable the ASA REST API by choosing Tools > Command Line Interface, and entering no rest-api enable . If you do not disable the REST API, the ASA FirePOWER module upgrade will fail.
Step 14	Upgrade the ASA FirePOWER module on the standby unit. For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address. Wait for the upgrade to complete, and then connect ASDM back to the active unit.
Step 15	Reload the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Reload Standby. Stay on the System pane to monitor when the standby unit reloads.
Step 16	After the standby unit reloads, force the active unit to fail over to the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Make Standby. ASDM will automatically reconnect to the new active unit.
Step 17	Upgrade the ASA FirePOWER module on the former active unit. For an ASA FirePOWER module managed by ASDM, connect ASDM to the standby management IP address. Wait for the upgrade to complete, and then connect ASDM back to the active unit.
Step 18	Reload the (new) standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Reload Standby.

Upgrade an Active/Active Failover Pair

Use the CLI or ASDM to upgrade the Active/Active failover pair for a zero downtime upgrade.

Upgrade an Active/Active Failover Pair Using the CLI

To upgrade two units in an Active/Active failover configuration, perform the following steps.

Before you begin

Perform these steps on the primary unit.
Perform these steps in the system execution space.
This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Procedure

Step 1

On the primary unit in privileged EXEC mode, copy the ASA software to flash memory:

copy ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/act/pri# copy ftp://jcrichton:aeryn@10.1.1.1/asa9-15-1-smp-k8.bin disk0:/asa9-15-1-smp-k8.bin

Step 2

Copy the software to the secondary unit; be sure to specify the same path as for the primary unit:

failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/act/pri# failover exec mate copy /noconfirm ftp://jcrichton:aeryn@10.1.1.1/asa9-15-1-smp-k8.bin disk0:/asa9-15-1-smp-k8.bin

Step 3

Copy the ASDM image to the primary unit flash memory:

copy ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name

Example:


asa/act/pri# ciscoasa# copy ftp://jcrichton:aeryn@10.1.1.1/asdm-77171417151.bin disk0:/asdm-77171417151.bin

Step 4

Copy the ASDM image to the secondary unit; be sure to specify the same path as for the primary unit:

failover exec mate copy /noconfirm ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name

Example:


asa/act/pri# failover exec mate copy /noconfirm ftp://jcrichton:aeryn@10.1.1.1/asdm-77171417151.bin disk0:/asdm-77171417151.bin

Step 5

If you are not already in global configuration mode, access global configuration mode:

configure terminal

Step 6

Show the current boot images configured (up to 4):

show running-config boot system

Example:


asa/act/pri(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

Step 7

Remove any existing boot image configurations so that you can enter the new boot image as your first choice:

no boot system diskn:/[path/]asa_image_name

Example:


asa/act/pri(config)# no boot system disk0:/cdisk.bin
asa/act/pri(config)# no boot system disk0:/asa931-smp-k8.bin

Step 8

Set the ASA image to boot (the one you just uploaded):

boot system diskn:/[path/]asa_image_name

Example:


asa/act/pri(config)# boot system disk0://asa9-15-1-smp-k8.bin

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed.

Step 9

Set the ASDM image to use (the one you just uploaded):

asdm image diskn:/[path/]asdm_image_name

Example:


asa/act/pri(config)# asdm image disk0:/asdm-77171417151.bin

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 10

Save the new settings to the startup configuration:

write memory

These configuration changes are automatically saved on the secondary unit.

Step 11

If you are upgrading ASA FirePOWER modules, disable the ASA REST API or else the upgrade will fail.

no rest-api agent

Step 12

Make both failover groups active on the primary unit:

failover active group 1

failover active group 2

Example:


asa/act/pri(config)# failover active group 1
asa/act/pri(config)# failover active group 2

Step 13

Upgrade the ASA FirePOWER module on the secondary unit.

For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby management IP address. Wait for the upgrade to complete.

Step 14

Reload the secondary unit to boot the new image:

failover reload-standby

Wait for the secondary unit to finish loading. Use the show failover command to verify that both failover groups are in the Standby Ready state.

Step 15

Force both failover groups to become active on the secondary unit:

no failover active group 1

no failover active group 2

Example:


asa/act/pri(config)# no failover active group 1
asa/act/pri(config)# no failover active group 2
asa/stby/pri(config)#

If you are disconnected from your SSH session, reconnect to the failover group 1 IP address, now on the secondary unit.

Step 16

Upgrade the ASA FirePOWER module on the primary unit.

For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby management IP address. Wait for the upgrade to complete.

Step 17

Reload the primary unit:

failover reload-standby

Example:


asa/act/sec# failover reload-standby

Note

If you are connected to the primary unit console port, you should instead enter the reload command to reload the primary unit.

You may be disconnected from your SSH session.

Step 18

If the failover groups are configured with the preempt command, they automatically become active on their designated unit after the preempt delay has passed.

Upgrade an Active/Active Failover Pair Using ASDM

To upgrade two units in an Active/Active failover configuration, perform the following steps.

Before you begin

Perform these steps in the system execution space.
Place the ASA and ASDM images on your local management computer.

Procedure

Step 1	Launch ASDM on the secondary unit by connecting to the management address in failover group 2.
Step 2	In the main ASDM application window, choose Tools > Upgrade Software from Local Computer. The Upgrade Software dialog box appears.
Step 3	From the Image to Upload drop-down list, choose ASDM.
Step 4	In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 5	In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 6	Click Upload Image. The uploading process might take a few minutes. When you are prompted to set this image as the ASDM image, click No. You exit the Upgrade tool.
Step 7	Repeat these steps, choosing ASA from the Image to Upload drop-down list. When you are prompted to set this image as the ASA image, click No. You exit the Upgrade tool.
Step 8	Connect ASDM to the primary unit by connecting to the management IP address in failover group 1, and upload the ASDM software, using the same file location you used on the secondary unit.
Step 9	When you are prompted to set the image as the ASDM image, click Yes. You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the ASA software.
Step 10	Upload the ASA software, using the same file location you used for the secondary unit.
Step 11	When you are prompted to set the image as the ASA image, click Yes. You are reminded to reload the ASA to use the new image. Click OK. You exit the Upgrade tool.
Step 12	Click the Save icon on the toolbar to save your configuration changes. These configuration changes are automatically saved on the secondary unit.
Step 13	If you are upgrading ASA FirePOWER modules, disable the ASA REST API by choosing Tools > Command Line Interface, and entering no rest-api enable . If you do not disable the REST API, the ASA FirePOWER module upgrade will fail.
Step 14	Make both failover groups active on the primary unit by choosing Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move to the primary unit, and clicking Make Active.
Step 15	Upgrade the ASA FirePOWER module on the secondary unit. For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby management IP address. Wait for the upgrade to complete, and then connect ASDM back to the primary unit.
Step 16	Reload the secondary unit by choosing Monitoring > Failover > System, and clicking Reload Standby. Stay on the System pane to monitor when the secondary unit reloads.
Step 17	After the secondary unit comes up, make both failover groups active on the secondary unit by choosing Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move to the secondary unit, and clicking Make Standby. ASDM will automatically reconnect to the failover group 1 IP address on the secondary unit.
Step 18	Upgrade the ASA FirePOWER module on the primary unit. For an ASA FirePOWER module managed by ASDM, connect ASDM to the failover group 1 or 2 standby management IP address. Wait for the upgrade to complete, and then connect ASDM back to the secondary unit.
Step 19	Reload the primary unit by choosing Monitoring > Failover > System, and clicking Reload Standby.
Step 20	If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. ASDM will automatically reconnect to the failover group 1 IP address on the primary unit.

Upgrade an ASA Cluster

Use the CLI or ASDM to upgrade the ASA Cluster for a zero downtime upgrade.

Upgrade an ASA Cluster Using the CLI

To upgrade all units in an ASA cluster, perform the following steps. This procedure uses FTP. For TFTP, HTTP, or other server types, see the copy command in the ASA command reference.

Before you begin

Perform these steps on the control unit. If you are also upgrading the ASA FirePOWER module, then you need console or ASDM access on each data unit. You can configure the ASA prompt to show the cluster unit and state (control or data), which is useful to determine which unit you are connected to. See the prompt command. Alternatively, enter the show cluster info command to view each unit's role.
You must use the console port; you cannot enable or disable clustering from a remote CLI connection.
Perform these steps in the system execution space for multiple context mode.

Procedure

Step 1

On the control unit in privileged EXEC mode, copy the ASA software to all units in the cluster.

cluster exec copy /noconfirm ftp://[[user[:password]@]server[/path]/asa_image_name diskn:/[path/]asa_image_name

Example:


asa/unit1/master# cluster exec copy /noconfirm 
ftp://jcrichton:aeryn@10.1.1.1/asa9-15-1-smp-k8.bin disk0:/asa9-15-1-smp-k8.bin

Step 2

Copy the ASDM image to all units in the cluster:

cluster exec copy /noconfirm ftp://[[user[:password]@]server[/path]/asdm_image_name diskn:/[path/]asdm_image_name

Example:


asa/unit1/master# cluster exec copy /noconfirm ftp://jcrichton:aeryn@10.1.1.1/asdm-77171417151.bin disk0:/asdm-77171417151.bin

Step 3

If you are not already in global configuration mode, access it now.

configure terminal

Example:


asa/unit1/master# configure terminal
asa/unit1/master(config)#

Step 4

Show the current boot images configured (up to 4).

show running-config boot system

Example:


asa/unit1/master(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa931-smp-k8.bin

Step 5

Remove any existing boot image configurations so that you can enter the new boot image as your first choice:

no boot system diskn:/[path/]asa_image_name

Example:


asa/unit1/master(config)# no boot system disk0:/cdisk.bin
asa/unit1/master(config)# no boot system disk0:/asa931-smp-k8.bin

Step 6

Set the ASA image to boot (the one you just uploaded):

boot system diskn:/[path/]asa_image_name

Example:


asa/unit1/master(config)# boot system disk0://asa9-15-1-smp-k8.bin

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed.

Step 7

Set the ASDM image to use (the one you just uploaded):

asdm image diskn:/[path/]asdm_image_name

Example:


asa/unit1/master(config)# asdm image disk0:/asdm-77171417151.bin

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 8

Save the new settings to the startup configuration:

write memory

These configuration changes are automatically saved on the data units.

Step 9

If you are upgrading ASA FirePOWER modules, disable the ASA REST API or else the ASA FirePOWER module upgrade will fail.

no rest-api agent

Step 10

If you are upgrading ASA FirePOWER modules that are managed by ASDM, you will need to connect ASDM to the individual management IP addresses, so you need to note the IP addresses for each unit.

show running-config interface management_interface_id

Note the cluster-pool poolname used.

show ip[v6] local pool poolname

Note the cluster unit IP addresses.

Example:


asa/unit2/slave# show running-config interface gigabitethernet0/0
!
interface GigabitEthernet0/0
 management-only
 nameif inside
 security-level 100
 ip address 10.86.118.1 255.255.252.0 cluster-pool inside-pool
asa/unit2/slave# show ip local pool inside-pool
Begin           End             Mask            Free     Held     In use
10.86.118.16    10.86.118.17    255.255.252.0       0        0        2

Cluster Unit                    IP Address Allocated
unit2                           10.86.118.16
unit1                           10.86.118.17
asa1/unit2/slave#

Step 11

Upgrade the data units.

Choose the procedure below depending on whether you are also upgrading ASA FirePOWER modules. The ASA FirePOWER procedures minimize the number of ASA reloads when also upgrading the ASA FirePOWER module. You can choose to use the data Console or ASDM for these procedures. You may want to use ASDM instead of the Console if you do not have ready access to all of the console ports but can reach ASDM over the network.

Note

During the upgrade process, never use the cluster master unit command to force a data unit to become control; you can cause network connectivity and cluster stability-related problems. You must upgrade and reload all data units first, and then continue with this procedure to ensure a smooth transition from the current control unit to a new control unit.

If you do not have ASA FirePOWER module upgrades:

On the control unit, to view member names, enter cluster exec unit ? , or enter the show cluster info command.
Reload a data unit.

cluster exec unit data-unit reload noconfirm
Example:
```
asa/unit1/master# cluster exec unit unit2 reload noconfirm
```
Repeat for each data unit.

To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit rejoins the cluster, enter show cluster info .

If you also have ASA FirePOWER module upgrades (using the data Console):

Connect to the console port of a data unit, and enter global configuration mode.

enable

configure terminal
Example:
```
asa/unit2/slave> enable
Password: 
asa/unit2/slave# configure terminal
asa/unit2/slave(config)# 
```
Disable clustering.

cluster group name

no enable

Do not save this configuration; you want clustering to be enabled when you reload. You need to disable clustering to avoid multiple failures and rejoins during the upgrade process; this unit should only rejoin after all of the upgrading and reloading is complete.
Example:
```
asa/unit2/slave(config)# cluster group cluster1
asa/unit2/slave(cfg-cluster)# no enable
Cluster disable is performing cleanup..done.
All data interfaces have been shutdown due to clustering being disabled. To recover either enable clustering or remove cluster group configuration.

Cluster unit unit2 transitioned from SLAVE to DISABLED
asa/unit2/ClusterDisabled(cfg-cluster)#                        
```
Upgrade the ASA FirePOWER module on this data unit.

For an ASA FirePOWER module managed by ASDM, connect ASDM to the individual management IP address that you noted earlier. Wait for the upgrade to complete.
Reload the data unit.

reload noconfirm
Repeat for each data unit.

To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit rejoins the cluster, enter show cluster info .

If you also have ASA FirePOWER module upgrades (using ASDM):

Connect ASDM to the individual management IP address of this data unit that you noted earlier.
Choose Configuration > Device ManagementHigh Availability and Scalability > ASA Cluster > Cluster Configuration > .

Uncheck the Participate in ASA cluster check box.

You need to disable clustering to avoid multiple failures and rejoins during the upgrade process; this unit should only rejoin after all of the upgrading and reloading is complete.

Do not uncheck the Configure ASA cluster settings check box; this action clears all cluster configuration, and also shuts down all interfaces including the management interface to which ASDM is connected. To restore connectivity in this case, you need to access the CLI at the console port.

Note

Some older versions of ASDM do not support disabling the cluster on this screen; in this case, use the Tools > Command Line Interface tool, click the Multiple Line radio button, and enter cluster group name and no enable . You can view the cluster group name in the Home > Device Dashboard > Device Information > ASA Cluster area.

Click Apply.
You are prompted to exit ASDM. Reconnect ASDM to the same IP address.
Upgrade the ASA FirePOWER module.

Wait for the upgrade to complete.
In ASDM, choose Tools > System Reload.
Click the Reload without saving the running configuration radio button.

You do not want to save the configuration; when this unit reloads, you want clustering to be enabled on it.
Click Schedule Reload.
Click Yes to continue the reload.
Repeat for each data unit.

To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane on the control unit.

Step 12

Upgrade the control unit.

Disable clustering.

cluster group name

no enable

Wait for 5 minutes for a new control unit to be selected and traffic to stabilize.

Do not save this configuration; you want clustering to be enabled when you reload.

We recommend manually disabling cluster on the control unit if possible so that a new control unit can be elected as quickly and cleanly as possible.
Example:
```
asa/unit1/master(config)# cluster group cluster1
asa/unit1/master(cfg-cluster)# no enable
Cluster disable is performing cleanup..done.
All data interfaces have been shutdown due to clustering being disabled. To recover either enable clustering or remove cluster group configuration.

Cluster unit unit1 transitioned from MASTER to DISABLED
asa/unit1/ClusterDisabled(cfg-cluster)#                        
```
Upgrade the ASA FirePOWER module on this unit.

For an ASA FirePOWER module managed by ASDM, connect ASDM to the individual management IP address that you noted earlier. The main cluster IP address now belongs to the new control unit; this former control unit is still accessible on its individual management IP address.

Wait for the upgrade to complete.
Reload this unit.

reload noconfirm

When the former control unit rejoins the cluster, it will be a data unit.

Upgrade an ASA Cluster Using ASDM

To upgrade all units in an ASA cluster, perform the following steps.

Before you begin

Perform these steps on the control unit. If you are also upgrading the ASA FirePOWER module, then you need ASDM access to each data unit.
Perform these steps in the system execution space for multiple context mode.
Place the ASA and ASDM images on your local management computer.

Procedure

Step 1

Launch ASDM on the control unit by connecting to the main cluster IP address.

This IP address always stays with the control unit.

Step 2

In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software from Local Computer dialog box appears.

Step 3

Click the All devices in the cluster radio button.

The Upgrade Software dialog box appears.

Step 4

From the Image to Upload drop-down list, choose ASDM.

Step 5

In the Local File Path field, click Browse Local Files to find the file on your computer.

Step 6

(Optional) In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

By default, this field is prepopulated with the following path: disk0:/filename.

Step 7

Click Upload Image. The uploading process might take a few minutes.

Step 8

You are prompted to set this image as the ASDM image. Click Yes.

Step 9

You are reminded to exit ASDM and save the configuration. Click OK.

You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the ASA software.

Step 10

Repeat these steps, choosing ASA from the Image to Upload drop-down list.

Step 11

Click the Save icon on the toolbar to save your configuration changes.

These configuration changes are automatically saved on the data units.

Step 12

Take note of the individual management IP addresses for each unit on Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Members so that you can connect ASDM directly to data units later.

Step 13

If you are upgrading ASA FirePOWER modules, disable the ASA REST API by choosing Tools > Command Line Interface, and entering no rest-api enable .

If you do not disable the REST API, the ASA FirePOWER module upgrade will fail.

Step 14

Upgrade the data units.

Choose the procedure below depending on whether you are also upgrading ASA FirePOWER modules. The ASA FirePOWER procedure minimizes the number of ASA reloads when also upgrading the ASA FirePOWER module.

Note

During the upgrade process, never change the control unit using the Monitoring > ASA Cluster > Cluster Summary page to force a data unit to become control; you can cause network connectivity and cluster stability-related problems. You must reload all data units first, and then continue with this procedure to ensure a smooth transition from the current control unit to a new control unit.

If you do not have ASA FirePOWER module upgrades:

On the control unit, choose Tools > System Reload.
Choose a data unit name from the Device drop-down list.
Click Schedule Reload.
Click Yes to continue the reload.
Repeat for each data unit.

To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane.

If you also have ASA FirePOWER module upgrades:

On the control unit, choose Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Members.
Select the data unit that you want to upgrade, and click Delete.
Click Apply.
Exit ASDM, and connect ASDM to the data unit by connecting to its individual management IP address that you noted earlier.
Upgrade the ASA FirePOWER module.

Wait for the upgrade to complete.
In ASDM, choose Tools > System Reload.
Click the Reload without saving the running configuration radio button.

You do not want to save the configuration; when this unit reloads, you want clustering to be enabled on it.
Click Schedule Reload.
Click Yes to continue the reload.
Repeat for each data unit.

To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up and rejoin the cluster (approximately 5 minutes) before repeating these steps for the next unit. To view when a unit rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane.

Step 15

Upgrade the control unit.

In ASDM on the control unit, choose Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration pane.
Uncheck the Participate in ASA cluster check box, and click Apply.

You are prompted to exit ASDM.
Wait for up to 5 minutes for a new control unit to be selected and traffic to stabilize.

When the former control unit rejoins the cluster, it will be a data unit.
Re-connect ASDM to the former control unit by connecting to its individual management IP address that you noted earlier.

The main cluster IP address now belongs to the new control unit; this former control unit is still accessible on its individual management IP address.
Upgrade the ASA FirePOWER module.

Wait for the upgrade to complete.
Choose Tools > System Reload.
Click the Reload without saving the running configuration radio button.

You do not want to save the configuration; when this unit reloads, you want clustering to be enabled on it.
Click Schedule Reload.
Click Yes to continue the reload.

You are prompted to exit ASDM. Restart ASDM on the main cluster IP address; you will reconnect to the new control unit.

Cisco Secure Firewall ASA Upgrade Guide

Bias-Free Language

Results

Chapter: Upgrade the ASA

Upgrade the ASA

Upgrade the Firepower 1000/2100 and Secure Firewall 3100/4200

Upgrade the Firepower 1000, 2100 in Appliance Mode, and Secure Firewall 3100/4200

Upgrade a Standalone Unit

Upgrade a Standalone Unit Using the CLI

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Upgrade a Standalone Unit from Your Local Computer Using ASDM

Procedure

Upgrade a Standalone Unit Using the ASDM Cisco.com Wizard

Before you begin

Procedure

Upgrade an Active/Standby Failover Pair

Upgrade an Active/Standby Failover Pair Using the CLI

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Upgrade an Active/Standby Failover Pair Using ASDM

Procedure

Upgrade an Active/Active Failover Pair

Upgrade an Active/Active Failover Pair Using the CLI

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Upgrade an Active/Active Failover Pair Using ASDM

Before you begin

Procedure

Upgrade an ASA Cluster (Secure Firewall 3100/4200)

Upgrade an ASA Cluster Using the CLI (Secure Firewall 3100/4200)

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Upgrade an ASA Cluster Using ASDM (Secure Firewall 3100/4200)

Before you begin

Procedure

Upgrade the Firepower 2100 in Platform Mode

Upgrade a Standalone Unit

Upgrade a Standalone Unit Using the Firepower Chassis Manager

Procedure

Upgrade a Standalone Unit Using the FXOS CLI

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Upgrade an Active/Standby Failover Pair

Upgrade an Active/Standby Failover Pair Using the Firepower Chassis Manager

Before you begin

Procedure

Upgrade an Active/Standby Failover Pair Using the FXOS CLI

Before you begin