Filter
Top Products
70-19
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 70 Using Image Manager
About Image Updates on Devices Using Image Manager
2. Create an image upgrade job on the active device of the pair, and run the image upgrade job.
3. After the upgrade has occurred, manually convert the pair back to active/active configuration, as
existed before the upgrade, by making the required failover groups active on one unit and the
remaining failover groups to be active on the other physical unit.
4. Rediscover in Security Manager only the device inventory for the unit that was converted to standby.
Image Manager follows the upgrade procedure as detailed at:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b20f35.sht
ml. The image is copied to both the units and then configuration change is done to activate the image
that is synced to both units. First the standby is reloaded via the active unit and after ensuring that the
standby has been upgraded successfully to the new version, the current active is reloaded. After both the
units are upgraded to the new version, the failover pair or cluster upgrade is marked successful.
Note During the current active reload and until the standby ASA takes over, the traffic going through
the failover pair will be impacted.
There are restrictions for image upgrade in failover ASA pair. We recommend that, while performing
image upgrades on a failover ASA pair or cluster using Image Manager, you ensure the following
restrictions are satisfied:
• The two units in a failover configuration should have the same major (first number) and minor
(second number) software version.
• Maintenance Release: You can upgrade from any maintenance release to any other maintenance
release within a minor release. For example, you can upgrade from 7.0(1) to 7.0(4) without first
installing the maintenance releases in between.
• Minor Release: You can upgrade from a minor release to the next minor release. You cannot skip
a minor release. For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2
is not supported for zero-downtime upgrades; you must first upgrade to 7.1
• Major Release: You can upgrade from the last minor release of the previous version to the next
major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor
version in the 7.x release.
How does Image Manager update images on an ASA cluster?
Image updates follow the procedure previously established for hitless upgrades that ensures that all
members of a cluster are upgraded to a new version in a single user operation without affecting traffic
flow. During an image upgrade:
• Slave cluster members are first loaded with the new image from the master. Images are copied to all
members of a cluster while being connected only to the master. Such propagation through a cluster
does not require switchovers of each device to master status and, thereby, minimizes traffic
disruption.
• Configuration is changed on the master to add the boot command to load with the new image. The
configuration, once changed on the master, automatically gets synced on all the slave units.
• All the slave cluster members reboot with the new image sequentially via the cluster master.
• All the slave cluster members come online and rejoin the cluster.
• The cluster master is then made into a slave (with the next slave member taking over the cluster
master role).