ASA 5520 Upgrade 8.0(4)-- 8.4.2--Zero Downtime

Hello Everyone,
We are currently on 8.0(4) and planning on upgrading our failover pair to 8.4.2. I read some documents saying that we can perform a zero downtime upgrade.
According to the documents below, version 8.2 supports mismatched memory failover:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536
https://supportforums.cisco.com/message/3549760#3549760//
Upgrade Path:
Active Firewall                Standby Firewall
8.0(4)                         8.0(4) --> 8.2.2
8.0(4)                         Upgrade RAM to 2 GB, reload
Failover to standby            8.2.2
8.0(4) --> 8.2.2               8.2.2
Upgrade RAM to 2 GB, reload    8.2.2, fail over
8.2.2 (Active)                 8.2.2 (Standby)
8.2.2                          8.3.1
8.2.2                          8.4.2
Failover to standby            8.4.2
8.2.2 (Standby)                8.4.2 (Active)
Can I perform a zero downtime upgrade with the above upgrade path? Will both firewalls act as a failover pair if one is on 8.2.2 and the other is on 8.4.2?
"Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions of the software running on each unit and still maintain failover support." (http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/admin_swconfig.html)

You can do it in a lot fewer steps.
1. Upgrade RAM on standby, reload and make it active.
2. Repeat process for newly standby unit.
Now you have 2 units still on 8.0(4) with requisite RAM for 8.3+. TAC will recommend you go up in "baby steps" but the software will work upgrading directly from 8.0 to 8.4. 8.4(3) is the current version for the 5520 platform. At most conservative, I might upgrade to 8.2(4) as an interim but it's not strictly necessary. So my next step would be:
3. Upgrade standby unit from 8.0(4) to 8.4(3). At this point take stock of the script syntax changes. Examine the upgrade log (on disk0:) and address any discrepancies.
Note that active/standby failover will work here, but it should not be run this way for any extended time, as syntax changes would affect the ability to synchronize if changes are introduced on the active member.
Finally:
4. Flip upgraded standby unit to active and upgrade remaining standby unit to 8.4(3).
If you follow these steps and check your work after each step, this would all be zero downtime.
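As an added illustration (not part of the thread, and not a Cisco tool), the following Python pre-flight check parses the `show version` output of both failover members and reports the two things the answer above says to verify before each step: that a unit already has the 2 GB of RAM that 8.3 and later need, and whether the pair is currently on matching major/minor versions (a mismatch is tolerated only while the upgrade is in progress). The `show version` excerpts are constructed samples whose field layout follows the outputs quoted elsewhere in this thread; the 2048 MB threshold and the 8.3 cut-off are taken from the thread.

```python
import re
from dataclasses import dataclass

# Constructed "show version" excerpts for both failover members; the field
# layout follows the outputs quoted in this thread, the values are made up.
ACTIVE_SHOW_VER = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
"""
STANDBY_SHOW_VER = """\
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
"""

# "8.0(5)9" parses as (8, 0, 5); the trailing interim number is ignored.
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)(?:\((\d+)\))?")
HARDWARE_RE = re.compile(r"Hardware:\s+([^,]+),\s+(\d+) MB RAM")

# The 5520 needs 2 GB for 8.3 and later (stated in the thread); with less RAM
# the unit must stop at 8.2.x until the memory is upgraded.
RAM_REQUIRED_MB = 2048
FIRST_2G_RELEASE = (8, 3)


@dataclass(frozen=True)
class Unit:
    model: str
    version: tuple  # (major, minor, maintenance)
    ram_mb: int


def parse_version_string(s):
    """'8.4(2)' -> (8, 4, 2); '8.2' -> (8, 2, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\((\d+)\))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_show_version(text):
    """Pull model, running version and installed RAM out of 'show version' text."""
    vm = VERSION_RE.search(text)
    hm = HARDWARE_RE.search(text)
    if not vm or not hm:
        raise ValueError("show version output lacks the Software Version or Hardware line")
    version = (int(vm.group(1)), int(vm.group(2)), int(vm.group(3) or 0))
    return Unit(model=hm.group(1), version=version, ram_mb=int(hm.group(2)))


def needs_2g(version):
    return version[:2] >= FIRST_2G_RELEASE


def preflight(active_text, standby_text, target):
    """Return the findings that would block or qualify an upgrade of the pair to `target`."""
    active = parse_show_version(active_text)
    standby = parse_show_version(standby_text)
    target_v = parse_version_string(target)
    findings = []
    for name, unit in (("active", active), ("standby", standby)):
        if needs_2g(target_v) and unit.ram_mb < RAM_REQUIRED_MB:
            findings.append(
                f"{name}: {unit.ram_mb} MB RAM, needs {RAM_REQUIRED_MB} MB before loading {target}"
            )
        if unit.version[:2] > target_v[:2]:
            findings.append(f"{name}: already on {unit.version[:2]}, newer than the target")
    # Steady-state rule from the quoted admin guide: same major and minor on both units.
    if active.version[:2] != standby.version[:2]:
        findings.append("pair: major/minor mismatch, acceptable only while the upgrade is in progress")
    return findings


if __name__ == "__main__":
    for finding in preflight(ACTIVE_SHOW_VER, STANDBY_SHOW_VER, "8.4(2)"):
        print(finding)
```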

Similar Messages

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running the 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version, 9.1, and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access lists currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and, if needed, use it in production (in conjunction with the existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don'ts and can provide me some options toward getting the best result: minimum downtime and a smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level produces quite a lot of configurations, and they aren't really optimal.
    In your case it seems that you have a much better situation than most people, who don't have the chance to use a test device to test out the setup before actually putting it into production.
    What you can basically do is:
    - Insert the 8.2 configuration into the test ASA, boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
    - Use the "packet-tracer" command to test whether the correct NAT rules are still hit after the conversion.
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware, which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations because of mistyping some IP address or interface name, which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (most of them from an FWSM Security Context to an ASA Security Context).
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is:
    1. Collect all NAT configurations from the current ASA, including any ACLs associated with the policy-type NATs and NAT0 configurations.
    2. Divide the NAT configurations based on type:
       - Dynamic NAT/PAT
       - Static NAT
       - Static PAT
       - NAT0
       - All policy dynamic/static NAT/PAT
    3. Learn the basic configuration format for each type of NAT configuration.
    4. Start by converting the easiest NAT configurations:
       - Dynamic NAT/PAT
       - Static NAT/PAT
    5. Next convert the NAT0 configurations.
    6. Finally go through the policy NAT/PAT configurations.
    Finally, go through the interface ACLs and change them to use the real IP address as the destination in all cases, since the NAT IP address is not used anymore. In the most common scenarios this usually only involves modifying the "outside" interface's ACL, but if the customer has some other links to external resources then it's highly likely that the same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of identity NAT configurations between the local network interfaces of the ASA. For example:
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask for help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
    So to summarize:
    - Try out the ASA's automatic configuration conversion when simply booting to new software levels on the test ASA you have.
    - Learn the new NAT configuration format.
    - Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally, if I was looking at the same kind of upgrade (which I will probably be looking at again soon) I would do the following:
    1. Convert the configurations manually.
    2. Lab/test the configurations on a test ASA.
    3. During the failover pair upgrade, remove the standby device from the network, erase its configuration, reboot it to the new software and insert the manually written configuration.
    4. Put the upgraded ASA in the device rack and have cables ready connected to the customer devices if possible (or use existing ones).
    5. Disconnect the currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    6. Test connectivity and monitor the ASA's connection and xlate tables to confirm everything is working.
    Will add more later if anything comes to mind, as it's getting quite late here.
    Hope this helps
    - Jouni
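As an added example (not from the post above and not a Cisco tool), this Python helper mechanises the two conversion steps the answer describes: it parses pre-8.3 `static (real_ifc,mapped_ifc) mapped real netmask mask` lines, drops identity statics between local interfaces (or keeps them as object NAT when asked), emits the 8.3+ object-NAT form for the rest, and rewrites `host <mapped>` in interface ACLs to the real address. The sample lines are constructed from the thread's examples; `203.0.113.70` and `198.51.100.9` are documentation-range placeholders, and the `obj-<ip>` object names are this example's own convention. `packet-tracer` on the test ASA, as the post suggests, remains the check that the result behaves as the old rules did.

```python
import re

# Constructed pre-8.3 configuration lines modelled on the examples in this thread.
# Old syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask.
# 203.0.113.70 and 198.51.100.9 are documentation-range placeholders.
OLD_STATICS = [
    "static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0",
    "static (csacelb,public) 203.0.113.70 10.190.14.70 netmask 255.255.255.255",
]
OLD_ACLS = [
    "access-list public_in extended permit tcp any host 203.0.113.70 eq 443",
    "access-list public_in extended permit tcp any host 198.51.100.9 eq 22",
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
    rf"(?P<mapped>{IP}) (?P<real>{IP}) netmask (?P<mask>{IP})$"
)
HOST_RE = re.compile(rf"\bhost ({IP})\b")


def parse_static(line):
    """Split one old-style static line into its parts; flags identity (mapped == real)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a plain static NAT line: {line!r}")
    parts = m.groupdict()
    parts["identity"] = parts["mapped"] == parts["real"]
    return parts


def convert_static(line, keep_identity=False):
    """Return the 8.3+ object-NAT lines equivalent to one old static line.

    Identity statics between local interfaces are dropped unless keep_identity
    is set: as the post explains, 8.3+ no longer needs a NAT rule for traffic
    to pass between interfaces.
    """
    s = parse_static(line)
    if s["identity"] and not keep_identity:
        return []
    name = "obj-" + s["real"]  # naming convention of this example only
    out = ["object network " + name]
    if s["mask"] == "255.255.255.255":
        out.append(" host " + s["real"])
    else:
        out.append(" subnet " + s["real"] + " " + s["mask"])
    out.append(f" nat ({s['real_ifc']},{s['mapped_ifc']}) static {s['mapped']}")
    return out


def mapped_to_real(static_lines):
    """Mapped -> real address table for every non-identity static."""
    table = {}
    for line in static_lines:
        s = parse_static(line)
        if not s["identity"]:
            table[s["mapped"]] = s["real"]
    return table


def rewrite_acl(line, table):
    """Replace 'host <mapped>' with 'host <real>': 8.3+ ACLs match the untranslated address."""
    return HOST_RE.sub(lambda m: "host " + table.get(m.group(1), m.group(1)), line)


def convert_config(static_lines, acl_lines, keep_identity=False):
    """Convert a set of statics and the ACLs that reference them; returns new config lines."""
    table = mapped_to_real(static_lines)
    new = []
    for line in static_lines:
        new.extend(convert_static(line, keep_identity))
    for line in acl_lines:
        new.append(rewrite_acl(line, table))
    return new


if __name__ == "__main__":
    print("\n".join(convert_config(OLD_STATICS, OLD_ACLS)))
```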

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
    I have an ASA 5520 in Active/Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on the Cisco site.
    Below is the process:
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
    1. Download the new software to both units, and specify the new image to load with the boot system command. Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
    2. Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
    active#failover reload-standby
    3. When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
    active#no failover active
    Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
    4. Reload the former active unit (now the new standby unit) by entering the reload command:
    newstandby#reload
    5. When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
    newstandby#failover active
    This completes the process of upgrading an Active/Standby failover pair.
    Also, after the upgrade are there any changes required after the IOS migration (i.e. are there any changes in the command line between 8.4.6 and 9.1.2)?
    It is mentioned on the Cisco site that:
    Major Release: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions; it's just that in access rules from 9.1 you have to use any4 instead of any for IPv4 and any6 for IPv6. During conversion it will get converted automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma

  • ASA 5520 VERSION 8.2 UPGRADE TO 9.0

    Hello friends,
    I am considering performing an upgrade of my ASA 5520 from version 8.2 to 9.0, so I will enjoy the benefits of AnyConnect for mobile devices. I clearly understand that I must pay special attention to:
    NAT Rules.
    RAM Memory: 2 GB.
    Adding the part numbers to power on the newest versions of anyconnect and for mobile devices
    L-ASA-AC-E-5520= ASA-AC-M-5520=
    Am I missing anything else? Flash requirement? Or should I pay attention to some other configurations?
    Any comment or documentation will be appreciated.
    Regards!

    You can run the latest AnyConnect client - including mobile clients - with those licenses even on an ASA with the current  8.2 code - 8.2(5) as of now. While it's a bit old and lacking some of the newer features, it's a solid and stable release.
    That would save you the trouble of migrating your NAT configuration (and other bits) and upgrading memory.
    Since the ASA 5500 series (5510, 5520 etc.) is past End of Sales you have a limited future on those platforms. For instance, ASA 9.1(x) is the last set of code releases that will be available for them. (The current software on the 5500-X is 9.3(1).)

  • ASA 5520 Software & Firmware Upgrades

    Is there a way to update the firmware / microcode on the ASA or SSM? I am planning on upgrading the ASA version from 7.2(2) to 8.0(4) and was wondering how, if at all, the firmware was ever upgraded too. The output from 'sh module' is below.
    ASA# sh module
    Mod Card Type                                   Model        Serial No.
    0   ASA 5520 Adaptive Security Appliance        ASA5520-K8   JMX1044K1S9
    1   ASA 5500 Series Security Services Module-10 ASA-SSM-10   JAF10370340
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    0   0018.19eb.ba7d to 0018.19eb.ba81  1.1          1.0(11)2     7.2(2)
    1   000a.b89c.d12c to 000a.b89c.d12c  1.0          1.0(11)2     6.0(1)E1
    Mod SSM Application Name   Status   SSM Application Version
    1   IPS                    Up       6.0(1)E1
    Mod Status      Data Plane Status   Compatibility
    0   Up Sys      Not Applicable
    1   Up          Up
    ASA#
    Thanks,
    Timothy

    I would not recommend upgrading - search the posts for 8.0(4) - you will find a lot of people have had issues.
    If there is no specific reason for the upgrade, i.e. feature enhancements, I suggest you stay on 7.2(2).

  • Upgrading ASA 5520

    Just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I have copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it's not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.

    Try this,
    To upgrade/install the ASDM follow the example procedure,
    ASA(config)# copy tftp flash
    Address or name of remote host [x.x.x.x]?
    Source filename [pix704.bin]? asdm-504.bin
    Destination filename [asdm-504.bin]?
    Accessing tftp://x.x.x.x/asdm-504.bin...!!!!!!!!!!!!!!!!!!!!!
    Writing file flash:/asdm-504.bin...
    5958324 bytes copied in 165.460 secs (36111 bytes/sec)
    ASA(config)#
    ASA(config)# sh flash
    Directory of flash:/
    7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
    11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
    13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
    // asdm-504.bin is now copied in the flash. Now we need to set PIX to use
    // this image for loading ASDM.
    ASA(config)# asdm image flash:/asdm-504.bin
    // Last steps involve saving the running configuration to memory as we have
    // made changes to boot files and reloading the PIX.
    ASA(config)# write memory
    Building configuration...
    Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
    4807 bytes copied in 3.20 secs (1602 bytes/sec)
    [OK]
    ASA(config)# reload
    // Once the PIX comes back up, we can verify that the upgrade has been successful
    // by using the "show version" command.
    Refer to the link ASDM Upgrade Procedure
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8
    hope this helps.. all the best.. rate replies if found useful..
    Raj

  • Asa 5520 "loosing" code after code has been put in and operating

    Sorry to ask this if it has already been covered. We have an ASA 5520 running 8.3.2(1) code. Three times now I have entered code and rules in our ASA and had things working, only to have the code "disappear" and thus things stop working. We upgraded to 8.3.2(1) back in January of 2011, and have not had this problem until the last month. I was wondering if there is a bug with 8.3.2(1) code that has decided to show itself for whatever reason now. We have also had some other things relating to the VPN that were "working" and at some point just stopped working. We do have a second ASA 5520 that is the failover/standby. We also have two 6509s with firewall services modules, one primary and the other standby. Just wondering how to troubleshoot something like this. I have PuTTY logs of me putting the code in and doing a write mem to save the changes, yet on three occasions those things stopped working, and I had to put the code in again.
    **update** As I was typing this, we realised there was a problem with the two ASAs. For some reason, failover had stopped working, and both ASAs were trying to be the primary and causing issues. After several reboots, we wound up turning failover back on on the second ASA, and things seem to be normal now. No idea what would have caused the failover to break. Not sure how long this had been going on; it may have had to do with my code seeming to disappear?

    Here is the output of the show ver.  I removed the serial number.
    ACH-2nd-EXT-ASA01#sh ver
    Cisco Adaptive Security Appliance Software Version 8.3(2)1
    Device Manager Version 6.4(7)
    Compiled on Wed 04-Aug-10 21:41 by builders
    System image file is "disk0:/asa832-1-k8.bin"
    Config file at boot was "startup-config"
    ACH-2nd-EXT-ASA01 up 4 days 22 hours
    failover cluster up 4 days 22 hours
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
    0: Ext: GigabitEthernet0/0  : address is 001d.a298.c41c, irq 9
    1: Ext: GigabitEthernet0/1  : address is 001d.a298.c41d, irq 9
    2: Ext: GigabitEthernet0/2  : address is 001d.a298.c41e, irq 9
    3: Ext: GigabitEthernet0/3  : address is 001d.a298.c41f, irq 9
    4: Ext: Management0/0       : address is 001d.a298.c420, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited      perpetual
    Maximum VLANs                  : 150            perpetual
    Inside Hosts                   : Unlimited      perpetual
    Failover                       : Active/Active  perpetual
    VPN-DES                        : Enabled        perpetual
    VPN-3DES-AES                   : Enabled        perpetual
    Security Contexts              : 2              perpetual
    GTP/GPRS                       : Disabled       perpetual
    SSL VPN Peers                  : 10             perpetual
    Total VPN Peers                : 750            perpetual
    Shared License                 : Disabled       perpetual
    AnyConnect for Mobile          : Enabled        perpetual
    AnyConnect for Cisco VPN Phone : Disabled       perpetual
    AnyConnect Essentials          : Enabled        perpetual
    Advanced Endpoint Assessment   : Disabled       perpetual
    UC Phone Proxy Sessions        : 2              perpetual
    Total UC Proxy Sessions        : 2              perpetual
    Botnet Traffic Filter          : Disabled       perpetual
    Intercompany Media Engine      : Disabled       perpetual
    This platform has an ASA 5520 VPN Plus license.
    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited      perpetual
    Maximum VLANs                  : 150            perpetual
    Inside Hosts                   : Unlimited      perpetual
    Failover                       : Active/Active  perpetual
    VPN-DES                        : Enabled        perpetual
    VPN-3DES-AES                   : Enabled        perpetual
    Security Contexts              : 4              perpetual
    GTP/GPRS                       : Disabled       perpetual
    SSL VPN Peers                  : 20             perpetual
    Total VPN Peers                : 750            perpetual
    Shared License                 : Disabled       perpetual
    AnyConnect for Mobile          : Enabled        perpetual
    AnyConnect for Cisco VPN Phone : Disabled       perpetual
    AnyConnect Essentials          : Enabled        perpetual
    Advanced Endpoint Assessment   : Disabled       perpetual
    UC Phone Proxy Sessions        : 4              perpetual
    Total UC Proxy Sessions        : 4              perpetual
    Botnet Traffic Filter          : Disabled       perpetual
    Intercompany Media Engine      : Disabled       perpetual
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: xxxxxxxxxxx
    Running Permanent Activation Key: 0xf730cf7a 0x0449cabf 0xc922e5d4 0xc7bc5cb0 0x851ed6bb
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    ACH-2nd-EXT-ASA01#

  • ASA 5520 k8 model

    I have an ASA 5520 K8 model, presently running IOS version 8.0(4), and I am upgrading to 8.2(5). Is any license required from Cisco to upgrade to this IOS? Also, let me know how many site-to-site VPNs can be configured on this device.
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: JMX1051K2S5

    Hi,
    There is no license needed for the software upgrade
    To my understanding the device should support the mentioned 750 IPsec peers. Totally other thing is how this is in practice. Depends on other things also.
    The command "show vpn-sessiondb detail" gives a nice information on the VPN connections and limits also
    - Jouni

  • ASA 5520 Activation Key Help

    Hi All,
    We recently installed an activation key for the AnyConnect license on our ASA 5520. We have a pair running in Active/Standby mode on IOS 8.0. The activation/license was installed on the primary ASA. Once installed, all the failover configuration was removed, and we were left with 2 ASAs running in Active/Active mode. This caused havoc across the network. I would like to go back, recover and reinstall the old activation key. Is this possible? If so, how would I be able to achieve this? Or do I need to obtain a new license key? Ultimately I would like to get back to the stage before installing the AnyConnect license, where we had 2 ASAs running in Active/Standby mode.
    Thank you for your help and suggestions.
    Cheers
    Deena
    Output from sh activation-key detail and sh version:
    CH-ASA# sh act det
    Serial Number:  JMX1101K2SU
    Permanent Flash Activation Key: 0x370fc559 0x2476a024 0xccc355a4 0xacd81440 0x4110329d
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    Temporary Flash Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Disabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This is a time-based license that will expire in 27 day(s).
    Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.
    This is a time-based license that will expire in 27 day(s).
    The flash activation key is the SAME as the running key.
    CH-ASA# sh ver
    Cisco Adaptive Security Appliance Software Version 8.0(5)
    Device Manager Version 6.2(5)53
    Compiled on Mon 02-Nov-09 21:22 by builders
    System image file is "disk0:/asa805-k8.bin"
    Config file at boot was "startup-config"
    CH-ASA up 18 hours 30 mins
    Hardware:   ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Ext: GigabitEthernet0/0  : address is 0019.0665.6dfc, irq 9
    1: Ext: GigabitEthernet0/1  : address is 0019.0665.6dfd, irq 9
    2: Ext: GigabitEthernet0/2  : address is 0019.0665.6dfe, irq 9
    3: Ext: GigabitEthernet0/3  : address is 0019.0665.6dff, irq 9
    4: Ext: Management0/0       : address is 0019.0665.6dfb, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.
    This is a time-based license that will expire in 27 day(s).
    Serial Number: JMX1101K2SU
    Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    CH-ASA#

    If you upgrade your ASA software to a bit more recent image first you can share the AnyConnect license (activation key) across both devices. Otherwise you would need to install a separate activation key on the second unit.
    Sent from Cisco Technical Support iPad App

  • ASA 5520 - LU allocate xlate failed - Failover unit reloads

    We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed errors prior to the reload. These units had just had their OS upgraded to fix a DoS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS. Two units in failover.
    Cisco Adaptive Security Appliance Software Version 8.0(5)9
    Device Manager Version 6.0(2)
    Compiled on Mon 01-Feb-10 10:36 by builders
    System image file is "disk0:/asa805-9-k8.bin"
    Config file at boot was "startup-config"
    CP-ASA up 17 days 21 hours
    failover cluster up 17 days 22 hours
    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   :  CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
    0: Ext: GigabitEthernet0/0  : address is 0025.45d7.6e62, irq 9
    1: Ext: GigabitEthernet0/1  : address is 0025.45d7.6e63, irq 9
    2: Ext: GigabitEthernet0/2  : address is 0025.45d7.6e64, irq 9
    3: Ext: GigabitEthernet0/3  : address is 0025.45d7.6e65, irq 9
    4: Ext: Management0/0       : address is 0025.45d7.6e66, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150      
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled  
    VPN-3DES-AES                 : Enabled  
    Security Contexts            : 2        
    GTP/GPRS                     : Disabled 
    VPN Peers                    : 750      
    WebVPN Peers                 : 2        
    AnyConnect for Mobile        : Disabled 
    AnyConnect for Linksys phone : Disabled 
    Advanced Endpoint Assessment : Disabled 
    UC Proxy Sessions            : 2       
    This platform has an ASA 5520 VPN Plus license.
    I noted a report on errors with version 7 and a conflict between nat(0) and static commands. I don't show nat(0) being used on these units.
    nat (public) 0 access-list NO_NAT
    nat (public) 1 10.190.16.64 255.255.255.192
    nat (public) 1 172.16.22.0 255.255.255.0
    nat (dmz) 0 access-list NO_NAT
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (csacelb) 0 access-list NO_NAT
    nat (csacelb) 1 0.0.0.0 0.0.0.0
    nat (app) 0 access-list NO_NAT
    nat (app) 1 0.0.0.0 0.0.0.0
    nat (db) 0 access-list NO_NAT
    nat (db) 1 0.0.0.0 0.0.0.0
    nat (internal) 0 access-list NO_NAT
    nat (internal) 1 0.0.0.0 0.0.0.0
    nat (management) 0 access-list NO_NAT
    nat (management) 1 0.0.0.0 0.0.0.0
    no crypto isakmp nat-traversal
    static (app,dmz) 10.190.15.0 10.190.15.0 netmask 255.255.255.192
    static (csacelb,public) 999.999.999.999 10.190.14.70 netmask 255.255.255.255 (The external address was replaced with 999.999.999.999 intentionally for this forum)
    static (db,app) 10.190.16.0 10.190.16.0 netmask 255.255.255.192

    Do you have any solution? We have the same problem.
    Thanks.

  • License with anyconnect on asa 5520

    Dear All,
    We have a single ASA 5510 with version 7.2(3) in our network and have configured many IPsec site-to-site, IPsec remote access VPN and WebVPN with SSL. Everything is working well.
    ASA-5510# sh ver
    Cisco Adaptive Security Appliance Software Version 7.2(3)
    Device Manager Version 5.2(2)
    Compiled on Wed 15-Aug-07 16:08 by builders
    System image file is "disk0:/asa723-k8.bin"
    Config file at boot was "startup-config"
    ASA-5510-1 up 86 days 11 hours
    Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                                 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Ext: Ethernet0/0         : address is 0027.0d38.034e, irq 9
    1: Ext: Ethernet0/1         : address is 0027.0d38.034f, irq 9
    2: Ext: Ethernet0/2         : address is 0027.0d38.0350, irq 9
    3: Ext: Ethernet0/3         : address is 0027.0d38.0351, irq 9
    4: Ext: Management0/0       : address is 0027.0d38.0352, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited
    Maximum VLANs               : 100
    Inside Hosts                : Unlimited
    Failover                    : Active/Active
    VPN-DES                     : Enabled
    VPN-3DES-AES                : Enabled
    Security Contexts           : 2
    GTP/GPRS                    : Disabled
    VPN Peers                   : 250
    WebVPN Peers                : 25
    This platform has an ASA 5510 Security Plus license.
    ===============================================================================================
    As business improves we are now planning to upgrade our ASA 5510 to ASA 5520 (02 nos, ver 8.2(5)). With the new ASA 5520 we would be planning to buy the AnyConnect VPN license as well.
    Finally we will need on the ASA 5520: IPsec site-to-site VPN, IPsec remote access VPN, clientless VPN with SSL and the AnyConnect VPN license. Which licenses should I purchase in order to have all the above services on the box with version 8.2(5)?
    Suppose I also need to have the Cisco desktop software; which license should I have along with the other services?
    Thanks in advance

    I am just away from office; will provide the same tomorrow.
    Meanwhile, "L-ASA-SSL-50 = ASA 5500 SSL VPN 50 Premium User License" is the licence I have procured from Cisco. I would need
    both AnyConnect VPN and SSL clientless to be working on the system. Hope I would achieve this with the above license.
    Below is the output I got when I generated the licence key. Please clarify. Thanks in advance.
    Failover                        : Enabled  
    Encryption-DES                  : Enabled  
    Encryption-3DES-AES             : Enabled  
    Security Contexts               : 2        
    GTP/GPRS                        : Disabled 
    AnyConnect Premium Peers        : 50       
    Other VPN Peers                 : 750      
    Advanced Endpoint Assessment    : Disabled 
    AnyConnect for Mobile           : Disabled 
    AnyConnect for Cisco VPN Phone  : Disabled 
    Shared License                  : Disabled 
    UC Phone Proxy Sessions         : Default  
    Total UC Proxy Sessions         : Default  
    AnyConnect Essentials           : Disabled 
    Botnet Traffic Filter           : Disabled 
    Intercompany Media Engine       : Disabled 

  • Zero downtime Upgrade ASA 8.0(4) TO 8.4(7)

    Hi All,
    I checked a few blogs and am upgrading ASA 5520 from 8.0(4) to 8.4(7) following the below path. I will be upgrading RAM to 2GB at version 8.2.5. The reason for 8.4.6 is that we may get the error message "No Cfg structure found in downloaded image file" if we upgrade directly to 8.4.7.
    Please advise if we can perform a zero downtime upgrade if I follow the below path, and will they still be in HA (Active/Standby)?
    8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
    8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
    I believe below one should not be a problem.
    8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
    Thanks in advance.
    Regards

    8.0.4-->8.2.5 (Active on 8.0.4 and standby 8.2.5)--> Will they be in HA?
    HA will work...as in the units will fail over. But due to changes in configuration syntax you could run into problems with config synchronisation, and it could also cause issues in traffic flow if a failover occurs. So it is best to upgrade the second ASA to the new version ASAP. It is also the reason Cisco recommend using the same major and minor software versions.
    8.2.5--->8.4.6(Active on 8.2.5 and standby 8.4.6)--> Will they be in HA?
    Same as above.
    8.4.6-->8.4.7(Active on 8.4.6 and standby 8.4.7)--> Will they be in HA?
    This should be fine
    Please remember to select a correct answer and rate helpful posts
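    A small pre-upgrade check for the points raised in this thread, written as an added example (not from any poster): it parses the version and RAM fields of `show version` output, flags when a target image at 8.3 or later needs the 2 GB RAM upgrade the thread mentions for the 5520, and tests whether two units share major and minor versions. The sample output and the per-platform RAM table are constructed for illustration.

```python
"""Pre-upgrade checks for an ASA failover unit from `show version` text."""
import re

# Constructed sample output; only the two parsed lines are reproduced.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
"""

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)")
HW_RE = re.compile(r"Hardware:\s+(\S+),\s+(\d+)\s+MB RAM")

# Minimum RAM for 8.3+ per platform; only the 5520 figure comes from the thread.
MIN_RAM_MB_FOR_83 = {"ASA5520": 2048}


def parse_show_version(text):
    """Extract (major, minor, maint), platform string and RAM in MB."""
    ver = VERSION_RE.search(text)
    hw = HW_RE.search(text)
    if not ver or not hw:
        raise ValueError("unrecognised show version output")
    return {
        "version": tuple(int(x) for x in ver.groups()),
        "platform": hw.group(1),
        "ram_mb": int(hw.group(2)),
    }


def parse_target(target):
    """Accept '8.4(7)' or '8.4.7' and return (major, minor, maint)."""
    parts = re.findall(r"\d+", target)
    if len(parts) != 3:
        raise ValueError(f"bad target version {target!r}")
    return tuple(int(p) for p in parts)


def ram_upgrade_needed(show_version_text, target):
    """True when the target image needs more RAM than the unit reports."""
    info = parse_show_version(show_version_text)
    if parse_target(target) < (8, 3, 0):
        return False
    needed = MIN_RAM_MB_FOR_83.get(info["platform"])
    if needed is None:
        raise ValueError(f"no RAM rule known for {info['platform']}")
    return info["ram_mb"] < needed


def version_parity(text_a, text_b):
    """True when both units run the same major and minor version."""
    va = parse_show_version(text_a)["version"][:2]
    vb = parse_show_version(text_b)["version"][:2]
    return va == vb
```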

  • ASA 5520 IP range block or Country IP block

    hi,
    I need help on ASA 5520. I would like to block countries' IP addresses from the attack; is there any way to block countries' IP addresses or a range of IP addresses?
    Thanks,
    Rabih

    I've created a script where you choose an authority by selecting it in a menu and it'll give you the configuration to drop into the ASA.
    https://github.com/in-transit/regional-asa
    You can block or allow a specific region if you want. I'll be upgrading it to do specific countries but now it does authorities like ARIN, RIPE, APNIC, etc.
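    The shape of configuration such a script emits, as an added example that is not the regional-asa script itself: a constructed prefix list (standing in for a registry's delegation file) is collapsed into an `object-group network`, converted to the dotted-netmask form ASA 8.x expects, and denied at the top of an inbound ACL. Group, ACL and interface names are the caller's choice.

```python
"""Emit ASA 8.x deny rules for a set of CIDR prefixes."""
import ipaddress

# Constructed sample prefixes (RFC 5737 documentation ranges), standing in
# for the address blocks a registry such as ARIN or RIPE publishes.
SAMPLE_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "203.0.113.64/26",
    "198.51.100.128/25",   # adjacent to the /25 above; collapses to a /24
]


def to_asa_network_object(prefix):
    """ASA 8.x network-object syntax takes a dotted netmask, not /len."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def summarize(prefixes):
    """Merge adjacent or overlapping blocks so the object-group stays small."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_block_config(prefixes, group_name, acl_name, interface):
    """Return CLI lines denying inbound traffic from the prefixes.

    The deny is inserted as line 1 so it precedes any existing permits in
    the ACL; the operator's own permit rules are left untouched.
    """
    lines = [f"object-group network {group_name}"]
    lines += [to_asa_network_object(p) for p in summarize(prefixes)]
    lines.append(
        f"access-list {acl_name} line 1 extended deny ip "
        f"object-group {group_name} any"
    )
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_block_config(SAMPLE_PREFIXES, "BLOCK_REGION",
                                       "OUTSIDE_IN", "outside")))
```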

  • ASA HA upgrade procedure

    Hello,
    I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure.  I read "Upgrading an Active/Standby Failover Configuration" at http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1057338 which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby.
    But I was wondering if there's a way to be a bit safer. I'd like to modify the standby unit without affecting the config on the active. So I'd like to modify the boot statement on the standby without modifying the active config. That way, in case there's a problem and the active reboots, it won't upgrade.
    Can I modify the config on the standby without affecting the active?
    Then I'd like to test the newly upgraded unit with our production traffic.  Would that simply be no failover active, and then once the standby becomes active -- test traffic? 
    Once everything is okay, I would upgrade the second unit, and fail traffic back.
    Thanks
    Bill

    Thanks Varun, that worked -- with one small hiccup.
    The secondary was running the new version, with the modified boot statement. But while we were working, the primary synced its config to the secondary, overwriting the boot statement. I thought if the versions were different it wouldn't overwrite the config?
    We manually put it back.  But is there a way to temporarily stop config sync?
    Thanks

  • Can I format the CF in a cisco 1800 router and then use it on the ASA 5520?

    Can I format Compact Flash in a cisco 1800 router and then use it on the ASA 5520?

    You don't have to format the card in the router. You can do that on your PC. Just format the CF-card as FAT32 and plug it into the ASA.
    BUT: If you just want to "upgrade" the old card with a different one, then first attach the original card from the ASA to your PC and copy all files (including the hidden ones) to your PC and then copy them back to the new card. That way you also move your licenses to the new card which are stored in hidden files and your private data like keys.
