This article lists the steps to upgrade a Cisco ASA firewall pair in an Active/Standby failover configuration. We assume that a console connection is not available and that only remote SSH connectivity is possible.
Note: During reload and failover you may be disconnected.
Prep work:
– The new image (asa825-51-k8.bin) is already loaded onto both the Active and Standby units.
Upgrading an Active/Standby Failover Configuration
To upgrade two units in an Active/Standby failover configuration, perform the following steps:
Step 1 Download the new software to both units, and specify the new image to load with the boot system command.
active# conf t
!
no boot system disk0:/asa825-46-k8.bin
boot system disk0:/asa825-51-k8.bin
wr mem
exit
failover exec mate no boot system disk0:/asa825-46-k8.bin
failover exec mate boot system disk0:/asa825-51-k8.bin
failover exec mate wr mem
Note: The failover exec command was introduced in code version 8.0(2), so it will not work when upgrading from older code!
Step 2 Reload the standby unit to boot the new image by entering the following command on the active unit:
active# failover reload-standby
Step 3 When the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the following command on the active unit.
Note: Use the show failover command to verify that the standby unit is in the Standby Ready state.
active# no failover active
Step 4 Reload the former active unit (now the new standby unit) by entering the following command:
newstandby# reload
Step 5 When the new standby unit has finished reloading, and is in the Standby Ready state, return the original active unit to active status by entering the following command:
newstandby# failover active
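The show failover check that gates steps 3 and 5 can be scripted when you only have SSH and cannot watch the peer boot on a console. The following is an added example, not part of the original article: it parses show failover output saved as text and refuses to proceed unless the peer is Standby Ready (and, optionally, running the expected version). The function names and the sample output are constructed for illustration.

```python
import re

# Constructed sample of `show failover` output, trimmed to the lines the check reads.
SAMPLE_AFTER_STEP2 = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Version: Ours 8.2(5)46, Mate 8.2(5)51
Last Failover at: 02:14:07 UTC Jan 1 2014
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$", re.M)
VER_RE = re.compile(r"^\s*Version:\s*Ours\s+(\S+?),\s*Mate\s+(\S+)\s*$", re.M)


def parse_show_failover(text):
    """Extract failover on/off, per-host role and state, and software versions."""
    info = {"enabled": bool(re.search(r"^\s*Failover On\s*$", text, re.M))}
    for which, role, state in HOST_RE.findall(text):
        info[which.lower()] = {"role": role, "state": state}
    m = VER_RE.search(text)
    if m:
        info["ours_version"], info["mate_version"] = m.groups()
    return info


def safe_to_fail_over(text, expected_mate_version=None):
    """Return (ok, reason) for the check made before steps 3 and 5."""
    info = parse_show_failover(text)
    if not info["enabled"]:
        return False, "failover is not enabled"
    other = info.get("other")
    if other is None:
        return False, "peer state not found in output"
    if other["state"] != "Standby Ready":
        return False, "peer is '%s', not Standby Ready" % other["state"]
    mate = info.get("mate_version")
    if expected_mate_version and mate != expected_mate_version:
        return False, "peer runs %s, expected %s" % (mate, expected_mate_version)
    return True, "peer is Standby Ready"
```

Passing the expected version string also catches a standby that came back Standby Ready but booted the old image because the boot system change did not take effect.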