Guest

Cisco ASA 5500-X Series Next-Generation Firewalls

Upgrade to ASA 8.3 and ASDM 6.3

  • Viewing Options

  • PDF (293.1 KB)
  • Feedback

Table of Contents

Upgrade to ASA 8.3 and ASDM 6.3

Upgrading the Software

Upgrade Path

Viewing Your Current Version

Upgrading a Standalone Unit

Upgrade Using the CLI

Upgrade Using ASDM 6.2 or Earlier

Upgrade Using ASDM 6.3 or Later

Upgrade a Failover Pair

Upgrade an Active/Standby Failover Pair

Upgrade an Active/Active Failover Pair

Upgrade to ASA 8.3 and ASDM 6.3

Released: August 21, 2014

Upgrading the Software

This section describes how to upgrade to the latest version.

Upgrade Path

See the following table for the upgrade path for your version.


Note There are no special requirements for Zero Downtime Upgrades for failover.


 

Current ASA Version
Upgrade to:

8.2(x) and earlier

8.3(1) or later

Configuration Migration

Depending on your current version, you might experience one or more configuration migrations when you upgrade. For example, when upgrading from 8.0 to 8.3, you will experience all of these migrations:

Viewing Your Current Version

(CLI) Use the show version command to verify the software version of your ASA. (ASDM) The software version appears on the ASDM home page; view the home page to verify the software version of your ASA.

Upgrading a Standalone Unit

This section describes how to install the ASDM and operating system (OS) images.

Upgrade Using the CLI

Procedure

This procedure uses TFTP. For FTP or HTTP, see the copy command.


Step 1 If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:

http://www.cisco.com/cisco/software/navigator.html

Step 2 Back up your configuration file. To print the configuration to the terminal, enter the following command:

hostname# show running-config
 

Copy the output from this command, then paste the configuration in to a text file.


Note If you are upgrading from a pre-8.3 version, then the running configuration is backed up automatically.


For other methods of backing up, see the “Managing Software and Configurations” chapter in Cisco ASA 5500 Series Configuration Guide using the CLI.

Step 3 Install the new images using TFTP. Enter this command separately for the OS image and the ASDM image:

hostname# copy tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename
 

For example:

hostname# copy tftp://10.1.1.1/asa830-4-k8.bin disk0:/asa831-k8.bin
...
hostname# copy tftp://10.1.1.1/asdm-63096.bin disk0:/asdm-631.bin
 

If your ASA does not have enough memory to hold two images, overwrite the old image with the new one by specifying the same destination filename as the existing image.

Step 4 To change the OS boot image to the new image name, enter the following commands:

hostname(config)# clear configure boot
hostname(config)# boot system {disk0:/ | disk1:/}[path/]new_filename
 

For example:

hostname(config)# clear configure boot
hostname(config)# boot system disk0:/asa831-k8.bin
 

Step 5 To configure the ASDM image to the new image name, enter the following command:

hostname(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename
 

Step 6 To save the configuration and reload, enter the following commands:

hostname(config)# write memory
hostname(config)# reload
 


 

Upgrade Using ASDM 6.2 or Earlier

Detailed Steps


Step 1 From the Tools menu, choose Tools > Upgrade Software from Cisco.com.

In multiple context mode, access this menu from the System.

The Upgrade Software from Cisco.com Wizard appears.


Note If you are running ASDM Version 5.2 or lower, then the Upgrade Software from Cisco.com Wizard is not available. You can download the software from the following URL:

http://www.cisco.com/cisco/web/download/index.html

Then use Tools > Upgrade Software.


Step 2 Click Next.

The Authentication screen appears.

Step 3 Enter your Cisco.com username and password, and click Next.

The Image Selection screen appears.

Step 4 Check the Upgrade the ASA version check box and the Upgrade the ASDM version check box to specify the most current images to which you want to upgrade, and click Next.

The Selected Images screen appears.

Step 5 Verify that the image file you have selected is the correct one, and then click Next to start the upgrade.

The wizard indicates that the upgrade will take a few minutes. You can then view the status of the upgrade as it progresses.

The Results screen appears. This screen provides additional details, such as whether the upgrade failed or whether you want to save the configuration and reload the ASA.

If you upgraded the ASA version and the upgrade succeeded, an option to save the configuration and reload the ASA appears.

Step 6 Click Yes.

For the upgrade versions to take effect, you must save the configuration, reload the ASA, and restart ASDM.

Step 7 Click Finish to exit the wizard when the upgrade is finished.


 

Upgrade Using ASDM 6.3 or Later

Detailed Steps


Step 1 Choose Tools > Check for ASA/ASDM Updates.

In multiple context mode, access this menu from the System.

The Cisco.com Authentication dialog box appears.

Step 2 Enter your assigned Cisco.com username and the Cisco.com password, and then click Login.

The Cisco.com Upgrade Wizard appears.

Step 3 Complete the upgrade wizard.

Step 4 For the upgrade versions to take effect, check the Save configuration and reload device now check box to restart the ASA and restart ASDM.

Step 5 Click Finish to exit the wizard and save the configuration changes that you made.

Upgrade an Active/Standby Failover Pair

To upgrade the Active/Standby failover pair, perform the following steps.

Before You Begin

(CLI) Perform these steps on the active unit.

Procedure

For CLI:


Step 1 (If there is a configuration migration) Show the configuration on the terminal so that you can back up your configuration:

more system:running-config
 

Example:

active# more system:running-config
 

Copy the output from this command, then paste the configuration in to a text file. For other methods of backing up, see the configuration guide.

Step 2 Copy the ASA software to the active unit flash memory:

copy tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name
 

Example:

active# copy tftp://10.1.1.1/asa831-smp-k8.bin disk0:/asa831-smp-k8.bin
 

For other methods than TFTP, see the copy command.

Step 3 Copy the software to the standby unit; be sure to specify the same path as for the active unit:

failover exec mate copy /noconfirm tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename
 

Example:

active# failover exec mate copy /noconfirm tftp://10.1.1.1/asa831-smp-k8.bin disk0:/asa831-smp-k8.bin
 

Step 4 Copy the ASDM image to the active unit flash memory:

copy tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name
 

Example:

active# copy tftp://10.1.1.1/asdm-631.bin disk0:/asdm-631.bin
 

Step 5 Copy the ASDM image to the standby unit; be sure to specify the same path as for the active unit:

failover exec mate copy /noconfirm tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name
 

Example:

active# failover exec mate copy /noconfirm tftp://10.1.1.1/asdm-631.bin disk0:/asdm-631.bin
 

Step 6 If you are not already in global configuration mode, access global configuration mode:

configure terminal
 

Step 7 Show the current boot images configured (up to 4):

show running-config boot system
 

Example:

hostname(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa821-smp-k8.bin
 

The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must remove any existing entries, and enter the image URLs in the order desired, according to Step 8 and Step 9.

Step 8 Remove any existing boot image configurations so that you can enter the new boot image as your first choice:

no boot system {disk0:/ | disk1:/}[path/]asa_image_name
 

Example:

hostname(config)# no boot system disk0:/cdisk.bin
hostname(config)# no boot system disk0:/asa821-smp-k8.bin
 

Step 9 Set the ASA image to boot (the one you just uploaded):

boot system {disk0:/ | disk1:/}[path/]asa_image_name
 

Example:

hostname(config)# boot system disk0://asa831-smp-k8.bin
 

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed in Step 8.

Step 10 Set the ASDM image to use (the one you just uploaded):

asdm image {disk0:/ | disk1:/}[path/]asdm_image_name
 

Example:

hostname(config)# asdm image disk0:/asdm-631.bin
 

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 11 Save the new settings to the startup configuration:

write memory
 

Step 12 Reload the standby unit to boot the new image:

failover reload-standby
 

Wait for the standby unit to finish loading. Use the show failover command to verify that the standby unit is in the Standby Ready state.

Step 13 Force the active unit to fail over to the standby unit:

no failover active
 

Step 14 Reload the former active unit (now the new standby unit):

reload

 

If you want to restore this unit to be active after it reloads, enter the failover active command.


 

For ASDM:


Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.

Step 2 On the active unit, in the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software dialog box appears.

 

Step 3 From the Image to Upload drop-down list, choose ASDM.

Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.

Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

Step 6 Click Upload Image. The uploading process might take a few minutes.

Step 7 You are prompted to set this image as the ASDM image. Click Yes.

 

Step 8 You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the ASA software.

 

Step 9 Repeat Step 2 through Step 8, choosing ASA from the Image to Upload drop-down list.

Step 10 Click the Save icon on the toolbar to save your configuration changes.

Step 11 Connect ASDM to the standby unit, and upload the ASA and ASDM software according to Step 2 through Step 9, using the same file locations you used on the active unit.

Step 12 Choose Tools > System Reload to reload the standby ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

Step 13 After the standby ASA reloads, restart ASDM and connect to the standby unit to make sure it is running.

Step 14 Connect ASDM to the active unit again.

Step 15 Force the active unit to fail over to the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Make Standby.

Step 16 Choose Tools > System Reload to reload the (formerly) active ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

After the ASA comes up, it will now be the standby unit.


 

Upgrade an Active/Active Failover Pair

To upgrade two units in an Active/Active failover configuration, perform the following steps.

Before You Begin

Perform these steps in the system execution space. (CLI) Also perform these steps on the primary unit.

Procedure

For CLI:


Step 1 (If there is a configuration migration) Show the configuration on the terminal so that you can back up your configuration:

more system:running-config
 

Copy the output from this command, then paste the configuration in to a text file. For other methods of backing up, see the configuration guide.

Step 2 Copy the ASA software to the primary unit flash memory:

copy tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name
 

Example:

primary# copy tftp://10.1.1.1/asa831-smp-k8.bin disk0:/asa831-smp-k8.bin
 

For other methods than TFTP, see the copy command.

Step 3 Copy the software to the secondary unit; be sure to specify the same path as for the primary unit:

failover exec mate copy /noconfirm tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename
 

Example:

primary# failover exec mate copy /noconfirm tftp://10.1.1.1/asa831-smp-k8.bin disk0:/asa831-smp-k8.bin
 

Step 4 Copy the ASDM image to the primary unit flash memory:

copy tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name
 

Example:

primary# copy tftp://10.1.1.1/asdm-631.bin disk0:/asdm-631.bin
 

Step 5 Copy the ASDM image to the secondary unit; be sure to specify the same path as for the active unit:

failover exec mate copy /noconfirm tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name
 

Example:

primary# failover exec mate copy /noconfirm tftp://10.1.1.1/asdm-631.bin disk0:/asdm-631.bin
 

Step 6 Make both failover groups active on the primary unit:

failover active group 1
failover active group 2
 

Step 7 If you are not already in global configuration mode, access global configuration mode:

configure terminal
 

Example:

primary(config)# configure terminal
 

Step 8 Show the current boot images configured (up to 4):

show running-config boot system
 

Example:

hostname(config)# show running-config boot system
boot system disk0:/cdisk.bin
boot system disk0:/asa821-smp-k8.bin
 

The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must remove any existing entries, and enter the image URLs in the order desired, according to Step 9 and Step 10.

Step 9 Remove any existing boot image configurations so that you can enter the new boot image as your first choice:

no boot system {disk0:/ | disk1:/}[path/]asa_image_name
 

Example:

hostname(config)# no boot system disk0:/cdisk.bin
hostname(config)# no boot system disk0:/asa821-smp-k8.bin
 

Step 10 Set the ASA image to boot (the one you just uploaded):

boot system {disk0:/ | disk1:/}[path/]asa_image_name
 

Example:

hostname(config)# boot system disk0://asa831-smp-k8.bin
 

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed in Step 9.

Step 11 Set the ASDM image to use (the one you just uploaded):

asdm image {disk0:/ | disk1:/}[path/]asdm_image_name
 

Example:

hostname(config)# asdm image disk0:/asdm-631.bin
 

You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 12 Save the new settings to the startup configuration:

write memory
 

Step 13 Reload the secondary unit to boot the new image:

failover reload-standby
 

Wait for the secondary unit to finish loading. Use the show failover command to verify that both failover groups are in the Standby Ready state.

Step 14 Force both failover groups to become active on the secondary unit:

no failover active group 1
no failover active group 2
 

Step 15 Reload the primary unit:

reload
 

If the failover groups are configured with the preempt command, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with the preempt command, you can return them to active status on their designated units using the failover active group command.


 

For ASDM:


Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.

Step 2 On the primary unit, in the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software dialog box appears.

 

Step 3 From the Image to Upload drop-down list, choose ASDM.

Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.

Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

Step 6 Click Upload Image. The uploading process might take a few minutes.

Step 7 You are prompted to set this image as the ASDM image. Click Yes.

 

Step 8 You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the ASA software.

 

Step 9 Repeat Step 2 through Step 8, choosing ASA from the Image to Upload drop-down list.

Step 10 Click the Save icon on the toolbar to save your configuration changes.

Step 11 Make both failover groups active on the primary unit by choosing Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move to the primary unit, and clicking Make Active.

Step 12 Connect ASDM to the secondary unit, and upload the ASA and ASDM software according to Step 2 through Step 9, using the same file locations you used on the active unit.

Step 13 Choose Tools > System Reload to reload the secondary ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

Step 14 Connect ASDM to the primary unit, and check when the secondary unit reloads by choosing Monitoring > Failover > System.

Step 15 After the secondary unit comes up, force the primary unit to fail over to the secondary unit by choosing Monitoring > Properties > Failover > System, and clicking Make Standby.

Step 16 Choose Tools > System Reload to reload the (formerly) active ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the Monitoring > Failover > Failover Group # pane.


 

Copyright © 2014 Cisco Systems, Inc. All rights reserved.