Both units in a failover configuration must have the same major (first number) and minor (second number) IOS version.

However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, Cisco recommends upgrading both units to the same version as soon as possible.

Scenarios for performing zero-downtime upgrades on a failover pair

 

Zero-Downtime Upgrade Support

 

 

Maintenance Release

 

You can upgrade from any maintenance release to any other maintenance release within a minor release.

For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.

 

Minor Release

 

You can upgrade from a minor release to the next minor release. You cannot skip a minor release.

For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1.

 

Major Release

 

You can upgrade from the last minor release of the previous version to the next major release.

For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

 

 

Upgrading an Active/Standby Failover Configuration

 

To upgrade two units in an Active/Standby failover configuration, perform the following steps:

  1. Download the new software to both units, and specify the new image to load with the boot system command.
  2. Reload the standby unit to boot the new image by entering the following command on the active unit:

    Active_ASA# failover reload-standby

  3. When the standby unit has finished reloading, and is in the Standby Ready state (using show failover command), force the active unit to fail over to the standby unit by entering the following command on the active unit.

    Active_ASA# no failover active

     

  4. Reload the former active unit (now the new standby unit) by entering the following command:

    New_Standby_ASA# reload

     

  5. When the new standby unit has finished reloading, and is in the Standby Ready state, return the original active unit to active status by entering the following command:

    New_Standby_ASA# failover active

     

Upgrading and Active/Active Failover Configuration

 

To upgrade two units in an Active/Active failover configuration, perform the following steps:

 

  1. Download the new software to both units, and specify the new image to load with the boot system command.
  2. Make both failover groups active on the primary unit by entering the following command in the system execution space of the primary unit:

    Primary# failover active

     

  3. Reload the secondary unit to boot the new image by entering the following command in the system execution space of the primary unit:

    Primary# failover reload-standby

     

  4. When the secondary unit has finished reloading, and both failover groups are in the Standby Ready state on that unit (Using the show failover command), make both failover groups active on the secondary unit using the following command in the system execution space of the primary unit:

    Primary# no failover active

     

  5. Make sure both failover groups are in the Standby Ready state on the primary unit, and then reload the primary unit using the following command:

    Primary# reload

     

    If the failover groups are configured with the preempt command, they will automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with the preempt command, you can return them to active status on their designated units using the failover active group command.

     

Source:: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1053398

Leave a Reply