1. Overview
There are many reasons to keep Cisco ASA firewall IOS software upgraded to the latest version. The most common are to fix bugs, to fix security vulnerabilities, and to improve stability. In a clustered Cisco ASA firewall environment, you will not experience any downtime during the upgrade process.
In this guide, TechSpaceKH explains how to upgrade the IOS software of an active/standby Cisco ASA firewall cluster from version 9.8.2 to the latest version, 9.9.2.
2. Prerequisites
In this article, it is presumed that:
a. You have already done the security hardening on your Cisco ASA firewall devices so that you can copy files securely over the network. Please refer to this link: Security Hardening Cisco ASA Firewall
b. You have direct console access to the ASA firewall.
c. You have a Cisco TAC account with enough privilege to download the software.
d. You already have an SSH server up and running on your network.
e. You have already configured active/standby clustering on the Cisco ASA firewall. If you have not, please refer to this link: Configuring Active/Standby Failover on Cisco ASA 9.x
3. Network Diagram
We have already set up active/standby clustering on the Cisco ASA firewalls. To simplify the explanation of the upgrade procedure, we will use the following network diagram for this IOS software upgrade. You need to upload the Cisco IOS file “asa992-smp-k8.bin”, which you have downloaded with your Cisco TAC account, to the SSH server. In our case, we will upload this file from the management workstation to the directory “/home/vannath” on the SSH server at IP 10.0.0.1.
Then, we need to make a secure copy of the Cisco IOS file “asa992-smp-k8.bin” from the SSH server to the Cisco ASA firewall appliance with the “scp” command.
4. Upgrade Clustered Cisco ASA Firewall
First, we need to copy the Cisco IOS file “asa992-smp-k8.bin” from the SSH server to the flash drive of each cluster unit of the Cisco ASA firewall appliance separately, using the “scp” command as follows. To use the “scp” command to copy files on a Cisco ASA firewall, please refer to Hardening Cisco ASA Firewall.
On the primary unit
# copy scp://vannath@10.0.0.1/asa992-smp-k8.bin flash:
On the secondary unit
# copy scp://vannath@10.0.0.1/asa992-smp-k8.bin flash:
After copying the IOS software file to each cluster unit, we need to verify it with the following command to make sure that the file is not corrupted. Run the following command on both cluster units. In the output, the embedded and computed hashes should be identical and the last line should read “Signature Verified”.
# verify asa992-smp-k8.bin
Verifying file integrity of disk0:/asa992-smp-k8.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Done!
Embedded Hash SHA-512: 25f280312421717f0eb924aa92178777e28ed6e68aa72c17dc1b776092268b6bf903cd9d9575d57e41766095258aca1a3751985c450053e39714599a8c9b581c
Computed Hash SHA-512: 25f280312421717f0eb924aa92178777e28ed6e68aa72c17dc1b776092268b6bf903cd9d9575d57e41766095258aca1a3751985c450053e39714599a8c9b581c
CCO Hash SHA-512: 3908d8744421809bdad41f0cdb4c96db70cdacc0fb135c45a78c3a9f8e97e83a092e34a07369d8018b33533252acf8f4489d1d5ce264a7906c7913101bc17cfe
Signature Verified
Next, we need to verify the current boot image by using the following “show” command.
# sh run boot system
Now, let's remove any existing boot image configuration so that we can enter the new boot image as our first choice on the primary unit of the Cisco ASA firewall appliance.
# no boot system disk0:/asa982-smp-k8.bin
Next, we have to set the boot images in order. If the ASA cannot boot the first image, it will boot the second image instead.
# boot system flash:/asa992-smp-k8.bin
# boot system disk0:/asa982-smp-k8.bin
Finally, we need to save the new settings to the startup configuration. Then go to the standby unit of the Cisco ASA firewall, verify that the boot image is set to “asa992-smp-k8.bin” using the command “show run boot system”, and after that reload the standby unit of the Cisco ASA firewall cluster.
# wr
# sh run boot
boot system disk0:/asa992-smp-k8.bin
boot system disk0:/asa982-smp-k8.bin
# reload
Once the standby unit has been upgraded successfully, run “failover active” on the standby unit to make it the active unit.
# failover active
Go to the primary unit of the Cisco ASA firewall, save the configuration, and confirm that the boot image is set to “asa992-smp-k8.bin” using the command “show run boot system”. After that, reload this unit, which is now the standby unit of the Cisco ASA firewall cluster.
# wr
# sh run boot
boot system disk0:/asa992-smp-k8.bin
boot system disk0:/asa982-smp-k8.bin
# reload
After the reload process finishes, we need to verify that the Cisco ASA firewall devices have been upgraded to version 9.9.2 by running the following command on both the primary and standby units.
# sh ver
Cisco Adaptive Security Appliance Software Version 9.9(2)
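The “verify” and “show run boot system” checks in the procedure above can be scripted against transcripts captured from each unit before it is reloaded. The following Python is an added example, not part of the original article; the function names are hypothetical and the sample transcripts use constructed, shortened hash values.

```python
import re

# Constructed sample transcripts, shaped like the output shown in this article;
# the hash values are shortened placeholders, not real SHA-512 digests.
SAMPLE_VERIFY = """\
Verifying file integrity of disk0:/asa992-smp-k8.bin
!!!!!!!! Done!
Embedded Hash SHA-512: aaaa1111
Computed Hash SHA-512: aaaa1111
CCO Hash SHA-512: bbbb2222
Signature Verified
"""
SAMPLE_BOOT = """\
boot system disk0:/asa992-smp-k8.bin
boot system disk0:/asa982-smp-k8.bin
"""

def parse_verify(text):
    """Return (image path, {label: hash}, signature_ok) from `verify` output."""
    m = re.search(r"Verifying file integrity of (\S+)", text)
    pairs = re.findall(r"^\s*(Embedded|Computed|CCO) Hash SHA-512:\s*([0-9A-Fa-f]+)\s*$", text, re.M)
    hashes = {label.lower(): value.lower() for label, value in pairs}
    signed = re.search(r"^\s*Signature Verified\s*$", text, re.M) is not None
    return (m.group(1) if m else None), hashes, signed

def filename(path):
    """Strip the device prefix (disk0:/, flash:/) so aliases compare equal."""
    return re.split(r"[:/]", path)[-1]

def reload_blockers(verify_text, boot_text):
    """Reasons this unit should not be reloaded yet; an empty list means ready."""
    image, hashes, signed = parse_verify(verify_text)
    problems = []
    if image is None:
        problems.append("no image name in verify output")
    if "computed" not in hashes or hashes["computed"] != hashes.get("embedded"):
        problems.append("embedded and computed hashes missing or different")
    if not signed:
        problems.append("'Signature Verified' line missing")
    order = re.findall(r"^\s*boot system (\S+)", boot_text, re.M)
    if image and (not order or filename(order[0]) != filename(image)):
        problems.append("first boot entry is not the verified image")
    return problems

def same_image(verify_a, verify_b):
    """True when both units computed the same hash for the copied file."""
    a, b = parse_verify(verify_a)[1], parse_verify(verify_b)[1]
    return "computed" in a and a["computed"] == b.get("computed")
```

Call reload_blockers() with the transcript of each unit before its reload, and same_image() with the “verify” output of the primary and secondary units to confirm that both hold the same file.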
5. Conclusion
Now you should be able to upgrade the IOS software of an active/standby Cisco ASA firewall cluster from version 9.8.2 to the latest version, 9.9.2. Hopefully, you find this document informative. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.