升級安全防火牆的ASA主用/備用故障切換對

下載選項

  • PDF     (1.5 MB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (1.1 MB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (1.2 MB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2024 年 2 月 2 日
文件 ID:221618

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本文檔介紹如何針對裝置模式下的Secure Firewall 1000、2100和Secure Firewall 3100/4200的故障切換部署升級ASA。

    必要條件

    需求

    思科建議您瞭解以下主題:

    • 思科安全防火牆威脅防禦。
    • 思科自適應安全裝置(ASA)配置。

    採用元件

    本檔案中的資訊是根據軟體版本:

    • 思科自適應安全裝置軟體版本9.14(4)
    • 思科自適應安全裝置軟體版本9.16(4)

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    設定

    驗證必要條件

    步驟 1.運行命令show fxos mode以驗證裝置是否處於裝置模式

    附註圖示

    注意:對於9.13及更低版本中的安全防火牆21XX,僅支援平台模式。在版本9.14及更高版本中,裝置模式是預設模式。

    ciscoasa# show fxos mode 
    Mode is currently set to appliance

    步驟 2.驗證相容性。

    請參閱Cisco安全防火牆ASA相容性檔案,驗證FTD硬體平台和安全防火牆ASA軟體之間的相容性。請參閱 

    Cisco Secure Firewall ASA相容性

    步驟 3.從Cisco Software Central下載升級軟體套件。

    附註圖示

    注意:對於安全防火牆1000/2100和安全防火牆3100/4200,您無法單獨安裝ASA或FXOS;這兩個映像都是捆綁包的一部分。

    請參閱連結標題,瞭解捆綁包中的ASA和FXOS版本。請參閱安全防火牆1000/2100和3100/4200 ASA和FXOS捆綁版本

    使用CLI升級

    步驟 1.重置ASDM映像。

    在全局配置模式下連線到主裝置並運行以下命令:

    ciscoasa(config)# asdm image disk0:/asdm.bin
ciscoasa(config)# exit
ciscoasa# copy running-config startup-config

Source filename [running-config]? 
Cryptochecksum: 6beb01d1 b7a3c30f 5e8eb557 a8ebb8ca 

12067 bytes copied in 3.780 secs (4022 bytes/sec)

    步驟 2.將軟體映像上傳到主裝置。

    附註圖示

    注意:在本文檔中,您使用的是FTP伺服器,但可以使用TFTP、HTTP或其他伺服器型別。

    ciscoasa# copy  ftp://calo:calo@10.88.7.12/cisco-asa-fp2k.9.16.4.SPA disk0:/cisco-asa-fp2k.9.16.4.SPA

Address or name of remote host [10.88.7.12]? 

Source username [calo]? 

Source password []? ****

Source filename [cisco-asa-fp2k.9.16.4.SPA]? 

Destination filename [cisco-asa-fp2k.9.16.4.SPA]? 

Accessing  ftp:/calo:<password>@10.88.7.12/cisco-asa-fp2k.9.16.4.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/cisco-asa-fp2k.9.16.4.SPA...

Writing file disk0:/cisco-asa-fp2k.9.16.4.SPA...

474475840 bytes copied in 843.230 secs (562842 bytes/sec)

    步驟 3.將軟體映像上傳到輔助裝置。

    在主要單元上運行命令。

    ciscoasa# failover exec mate copy /noconfirm ftp://calo:calo@10.88.7.12/cisco-asa-fp2k.9.16.4.SPA disk0:/cisco-asa-fp2k.9.16.4.SPA

Accessing ftp://calo :<password>@10.88.7.12/cisco-asa-fp2k.9.16.4.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/cisco-asa-fp2k.9.16.4.SPA...

Writing file disk0:/cisco-asa-fp2k.9.16.4.SPA...

474475840 bytes copied in 843.230 secs (562842 bytes/sec)

    步驟 4. 使用 show running-config boot system 命令檢查當前是否配置了引導映像。

    附註圖示

    :您可能未配置引導系統。

     
    ciscoasa(config)# show running-config boot system
boot system disk0:/cisco-asa-fp2k.9.14.4.SPA

    步驟 5.(選用) 如果已配置引導映像,則必須將其刪除。

    no boot system diskn:/asa_image_name

    範例:

    ciscoasa(config)# no boot system disk0:/cisco-asa-fp2k.9.14.4.SPA

    步驟 6.選擇要啟動的映像。

    ciscoasa(config)# boot system disk0:/cisco-asa-fp2k.9.16.4.SPA 

The system is currently installed with security software package 9.14.4, which has:
   - The platform version:  2.8.1.172
   - The CSP (asa) version: 9.14.4
Preparing new image for install...
!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Installation of version 9.16.4 will do the following:
   - upgrade to the new platform version 2.10.1.217
   - upgrade to the CSP ASA version 9.16.4
After installation is complete, ensure to do write memory and reload to save this config and apply the new image.
Finalizing image install process...

Install_status: ready............................
Install_status: validating-images....
Install_status: upgrading-npu
Install_status: upgrading-system.
Install_status: update-software-pack-completed

    步驟 7.使用copy running-config startup-config命令儲存配置。

    步驟 8.重新載入輔助裝置以安裝新版本。

    ciscoasa(config)# failover reload-standby

    等待輔助裝置載入。

    步驟 9.備用裝置重新載入後,將主裝置從活動狀態更改為備用狀態。

    ciscoasa# no failover active

    步驟 10.重新載入新的備用裝置以安裝新版本。您必須連線到新的主用裝置。

    ciscoasa(config)# failover reload-standby

    新備用裝置載入後,升級即完成。

    使用ASDM升級

    步驟 1.使用ASDM連線到輔助裝置。

    alexiriv_1-1706743649728

    步驟 2.轉至工具 > 從本地電腦升級軟體。 

    alexiriv_0-1706751304104

    步驟 3.從下拉選單中選擇ASA

    alexiriv_4-1706743937810

    步驟 4.在Upgrade Software窗口中,按一下Browse Local Files將軟體映像上傳到輔助單元。

    附註圖示

    注意:預設情況下,Flash File System Path是disk0;要更改它,請按一下Browse Flash並選擇新路徑。

    alexiriv_5-1706744017920

    點選上傳影象。

    alexiriv_6-1706744153694

    映像上傳完成後,點選

    alexiriv_7-1706744850676

    步驟 5.重置ASDM映像

    使用ASDM連線到主裝置並轉到Configuration > Device Management > System Image/Configuration > Boot Image/Configuration。 

    ASDM Image File Path中,輸入值disk0:/asdm.binApply

    alexiriv_1-1706751441742

    步驟 6. 將軟體映像上傳到主裝置。

    按一下Browse Local Files,然後選擇裝置上的升級軟體套件。

    點選上傳影象。

    alexiriv_4-1706746619573

    上傳完映像後,按一下Yes

    alexiriv_0-1706746175376

    在預覽窗口中,點選傳送按鈕以儲存配置。

    alexiriv_7-1706748485269

    步驟 7. 按一下Save儲存配置。

    alexiriv_6-1706748131274

    步驟 8. 重新載入輔助裝置以安裝新版本。

    轉至 > Properties > Failover > Status,然後按一下Reload Standby

    alexiriv_8-1706748842843

    等待備用裝置載入。

    步驟 9.備用裝置重新載入後,將主裝置從活動狀態更改為備用狀態。

    轉至> Properties > Failover > Status,然後按一下Make Standby

    附註圖示

    :ASMD自動連線到新的主用裝置。

    alexiriv_9-1706749291778

    步驟 10.重新載入新的備用裝置以安裝新版本。

    轉至 > Properties > Failover > Status,然後按一下Reload Standby

    alexiriv_10-1706750643880

    新備用裝置載入後,升級即完成。

    驗證

    要驗證兩台裝置是否均已完成升級,請透過CLI和ASDM檢查升級。

    透過CLI

    ciscoasa# show failover 
    Failover On 
    Failover unit Primary
    Failover LAN Interface: folink Ethernet1/1 (up)
    Reconnect timeout 0:00:00
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 1 of 1292 maximum
    MAC Address Move Notification Interval not set
    Version: Ours 9.16(4), Mate 9.16(4)
    Serial Number: Ours JAD25430R73, Mate JAD25430RCG
    Last Failover at: 22:45:48 UTC Jan 31 2024
    This host: Primary - Active 
    Active time: 45 (sec)
    slot 0: FPR-2120 hw/sw rev (1.5/9.16(4)) status (Up Sys)
    Interface management (10.88.15.58): Normal (Monitored)
    Other host: Secondary - Standby Ready 
    Active time: 909 (sec)
    slot 0: FPR-2120 hw/sw rev (1.5/9.16(4)) status (Up Sys)
    Interface management (10.88.15.59): Normal (Monitored)

    Stateful Failover Logical Update Statistics
    Link : folink Ethernet1/1 (up)
    Stateful Obj xmit xerr rcv rerr 
    General 27 0 29 0 
    sys cmd 27 0 27 0 
    up time 0 0 0 0 
    RPC services 0 0 0 0 
    TCP conn 0 0 0 0 
    UDP conn 0 0 0 0 
    ARP tbl 0 0 1 0 
    Xlate_Timeout 0 0 0 0 
    IPv6 ND tbl 0 0 0 0 
    VPN IKEv1 SA 0 0 0 0 
    VPN IKEv1 P2 0 0 0 0 
    VPN IKEv2 SA 0 0 0 0 
    VPN IKEv2 P2 0 0 0 0 
    VPN CTCP upd 0 0 0 0 
    VPN SDI upd 0 0 0 0 
    VPN DHCP upd 0 0 0 0 
    SIP Session 0 0 0 0 
    SIP Tx 0 0 0 0 
    SIP Pinhole 0 0 0 0 
    Route Session 0 0 0 0 
    Router ID 0 0 0 0 
    User-Identity 0 0 1 0 
    CTS SGTNAME 0 0 0 0 
    CTS PAC 0 0 0 0 
    TrustSec-SXP 0 0 0 0 
    IPv6 Route 0 0 0 0 
    STS Table 0 0 0 0 
    Umbrella Device-ID 0 0 0 0

    Logical Update Queue Information
    Cur Max Total
    Recv Q: 0 10 160
    Xmit Q: 0 1 53

    透過ASDM

    轉至Monitoring > Properties > Failover > Status,您可以看到兩個裝置的ASA版本。

    alexiriv_11-1706750799492

    相關資訊

    修訂記錄

    修訂 發佈日期 意見
    1.0
    02-Feb-2024
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Alexis Armando Rivera Garcia
      Cisco Security Technical Consulting Engineer

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品