Wednesday 15 May 2013

update/upgrade the Cisco ASA image

Back up your config and the current images (ASA software, ASDM, AnyConnect, orig.json)
Also note which certificates (trustpoints) and licences are installed, so you can confirm they survived the upgrade afterwards

Check which IPS modules are installed on the active ASA
show modules
You may need to shut down and uninstall an old, unused IPS module before upgrading
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload
ciscoasa# show modules


Download the new images from the Cisco website
Grab the latest ASDM and AnyConnect packages while you are there

Check ASA and ASDM compatibility
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#reference_upj_nkl_x4b


Connect to the device with the console cable, with PuTTY session logging enabled

Copy images to the device
TFTP the images to the ASA; a laptop running a tftpd server is enough. TFTP is unauthenticated and unencrypted, so only use it over a directly connected or otherwise trusted link, and verify the image checksum once it is on the box (next step).

Alternatively, if you have SSH access to the ASA you can copy the files over SCP
On the ASA run "ssh scopy enable"
From your PC run pscp.exe asa931-smp-k8.bin username@100.100.100.100:asa931-smp-k8.bin
(100.100.100.100 stands in for the ASA's management address)

It is also possible to put the images on a FAT-formatted USB drive, plug it into the ASA and copy them from there.

Verify the image (the ASA runs its own software, not IOS, but the check is the same idea)
On the ASA run verify disk0:/asa825-k8.bin
It prints the file's checksum. Compare that with the hash published on the Cisco download page for that exact file, and do not boot an image that does not match: a corrupted or tampered transfer is much cheaper to catch here than after the reload.
Take a screenshot of the output
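As an added example (this is not code from the original post), the same checksum comparison done on the workstation before the image is even copied to the firewall: it hashes the downloaded file with SHA-512 and compares it with the value pasted from the Cisco download page. The sample file it writes is constructed and is not a Cisco image; the function names are my own.

```python
"""Check a downloaded ASA/ASDM image against the SHA-512 hash published on
the Cisco download page before copying it to the firewall.
Added example, not part of the original post."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB pieces; they are tens of MB


def sha512_of(path):
    """SHA-512 hex digest of a file, streamed so the whole image is not held in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex):
    """Return (matches, actual_hex).

    Case and surrounding whitespace are ignored because the expected value is
    usually pasted from a browser. A value that is not a 128-char hex string is
    rejected outright rather than silently reported as 'mismatch'.
    """
    expected = "".join(expected_hex.split()).lower()
    if len(expected) != 128 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a SHA-512 hex digest")
    actual = sha512_of(path)
    return actual == expected, actual


def write_sample_image(directory):
    """Constructed stand-in for an image file (NOT a real Cisco image)."""
    path = os.path.join(directory, "asa-sample-k8.bin")
    with open(path, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE, NOT A CISCO IMAGE\n" * 1000)
    return path


def run_demo():
    """Exercise both outcomes on the constructed sample file."""
    with tempfile.TemporaryDirectory() as d:
        path = write_sample_image(d)
        # In real use 'published' is the hash copied from the download page;
        # here we derive it from the file so the good case is reproducible.
        published = sha512_of(path)
        good, _ = verify_image(path, " " + published.upper() + "\n")
        bad, _ = verify_image(path, "0" * 128)  # wrong hash: must not pass
        return {"good_match": good, "bad_match": bad, "digest_len": len(published)}


if __name__ == "__main__":
    result = run_demo()
    print("published hash matches:", result["good_match"])
    print("wrong hash rejected:  ", not result["bad_match"])
```

Run it against the real download with verify_image("asa9-12-3-12-smp-k8.bin", "<hash from cisco.com>"); only copy the file to disk0: when it returns True.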

Check and update boot settings

sh boot

BOOT variable = disk0:/asa861-2-smp-k8.bin
Current BOOT variable = disk0:/asa861-2-smp-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =

You can see what image is set to boot. You can copy this image off for safe keeping if you want

The following command sets the boot variable to the new ASA image. It does not copy anything: the file must already be on flash, so check "dir disk0:" first.
boot system flash:/filename-of-new-ASA-image.bin
eg
boot system disk0:/asa914-smp-k8.bin
The ASA tries its boot system entries in order, so remove the old entry or the old image will still boot first
no boot system disk0:/asa910-smp-k8.bin

The following command sets the ASDM image the ASA will serve. Again, it does not copy anything; the file must already be on flash.
asdm image flash:/filename-of-new-ASDM-image.bin
eg
asdm image disk0:/asdm-731-101.bin

Save the config
wr mem

Reload the device to apply the new image
reload

Watch the console for any error or warning messages. The ASA should boot the new image without issue. If there are problems, roll back to the old image and call Cisco support with your log files.
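A reload with a boot variable that points at a file that is not on flash is the classic way to end up at the ROMMON prompt over a console cable at 2 am. As an added example (not from the original post), here is a preflight check that parses "show boot", "show run | i asdm image" and "dir disk0:" and refuses to give the all-clear unless both configured images are actually present. The three command outputs are constructed in the format the ASA prints (the "show boot" block mirrors the one shown above); the ASDM package in the sample was deliberately never copied over, so the check fails.

```python
"""Preflight for 'wr mem' + 'reload': confirm the BOOT and ASDM variables
point at files that exist on disk0:. Added example, not part of the original
post. Command outputs below are constructed, not captured from a real ASA."""
import re

# Constructed 'show boot' output: new image set, old image still running
SHOW_BOOT = """\
BOOT variable = disk0:/asa914-smp-k8.bin
Current BOOT variable = disk0:/asa910-smp-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
"""
# Constructed 'show run | i asdm image' output
SHOW_RUN_ASDM = "asdm image disk0:/asdm-731-101.bin\n"
# Constructed 'dir disk0:' output; note asdm-731-101.bin is missing
DIR_DISK0 = """\
Directory of disk0:/

5      -rwx  27260928     10:22:04 Jan 10 2020  asa910-smp-k8.bin
6      -rwx  28598272     11:04:40 Jan 12 2020  asa914-smp-k8.bin
7      -rwx  16844152     10:30:11 Jan 10 2020  asdm-713-101.bin

8192000000 bytes total (7900000000 bytes free)
"""


def boot_vars(text):
    """{'BOOT': ..., 'Current BOOT': ...} from 'show boot' (empty string if unset)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(Current BOOT|BOOT) variable = (\S*)$", text, re.M)}


def asdm_image(text):
    m = re.search(r"^asdm image (\S+)", text, re.M)
    return m.group(1) if m else ""


def files_on_flash(text):
    """Filenames from 'dir disk0:'; entry lines start with an index and a perms field."""
    return {line.split()[-1] for line in text.splitlines() if re.match(r"^\d+\s+-", line)}


def strip_fs(path):
    """'disk0:/x.bin' -> 'x.bin' so it can be compared with the dir listing."""
    return path.split("/")[-1]


def preflight(show_boot, show_run_asdm, dir_disk0):
    """Return a list of problems; an empty list means it is safe to save and reload."""
    files = files_on_flash(dir_disk0)
    boot = boot_vars(show_boot).get("BOOT", "")
    asdm = asdm_image(show_run_asdm)
    problems = []
    if not boot:
        # With no boot system entry the ASA boots the first valid image it finds,
        # which may not be the one you just uploaded.
        problems.append("no BOOT variable set")
    elif strip_fs(boot) not in files:
        problems.append(f"BOOT image {boot} is not on disk0:")
    if not asdm:
        problems.append("no asdm image configured")
    elif strip_fs(asdm) not in files:
        problems.append(f"ASDM image {asdm} is not on disk0:")
    return problems


if __name__ == "__main__":
    issues = preflight(SHOW_BOOT, SHOW_RUN_ASDM, DIR_DISK0)
    print("OK to reload" if not issues else "DO NOT RELOAD:")
    for p in issues:
        print(" -", p)
```

Paste your own three outputs in place of the constructed strings (or feed them in from a PuTTY log) and only run "wr mem" and "reload" when preflight() comes back empty.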

Don't forget to upload the images to the secondary device and reload that too



The first thing to confirm is the model number and the software version currently running on the ASA. If it is 8.2 or lower that complicates things: a RAM upgrade might be required depending on the model, and if it is 8.2 we will most likely have to rewrite the config by hand, depending on what is configured, because Cisco made major changes to how NAT works on the ASA between 8.2 and 8.3. See here. If the ASA is running 8.3 or later we should be good to go. Below is an outline of the steps.

Preparation
Ensure we have a support contract with Cisco and access to an account that can log a TAC case if required. Record the serial number of the device.
Ask all users to log out of AnyConnect before the maintenance window.
Write a system test plan. How do you use your ASA? Internet access, VPNs with third parties, remote-access VPN (AnyConnect), web servers NATed to public IPs, etc.
Connect to the ASA via the console cable with PuTTY logging enabled. Ensure console logging is enabled on the ASA.
Save the running config. Back up the running config and the ASA, ASDM and AnyConnect images.
Fail over the ASA to ensure the secondary ASA is working and running the same software version as the primary.
Download the latest ASA, ASDM and AnyConnect images from Cisco and upload them to both ASAs, primary and secondary.
Verify the images (checksum against the Cisco download page).
Just before starting the upgrade, take a basic base line:
  • sh conn count
  • sh xlate count
  • sh crypto isakmp sa
  • sh ver
for use after the upgrade is complete. 
If you have a monitoring solution, check for any existing alerts. Take a screenshot of your dashboard for comparison after upgrade is complete.


Steps

Save the config.
Reload the ASA to apply the new image (your ASA will fail over).
Watch the console output as it boots and make a note of any errors.
Once the image is applied, fail over to the upgraded ASA so that it is the active unit.
Ensure everything is working as expected on the new software version. Run your system test plan here: internet access, VPNs, AnyConnect, etc.
Once confirmed, apply the new image on the other ASA and reload that.
Fail over and repeat the tests to ensure both ASAs function as expected on the new software version.
Ensure you have saved the config ("wr").

Post upgrade tasks
Compare against your baseline: you want to see active connections and xlates. The numbers won't be as high outside business hours. VPNs should be up; you may need to generate some traffic on the LAN to bring a tunnel up.
Check your monitoring and ensure everything is working as expected.
Check show ver for the licences applied.
Check the AnyConnect interface for the certificate applied.
Optionally delete the old image files from the ASA. There is usually plenty of space, but on some older models it can be an issue.
Normally the new software consumes more RAM and your monitoring solution may report this; it can be ignored. The upgrade may also change some SNMP values, so some checks in your monitoring solution may stop working and will need to be fixed.

Sample CLI
*** Before changes take screenshots
sh conn count
sh xlate count
sh crypto isakmp sa


*** Confirm secondary is standby ready
sh failover state

*** Fail over onto secondary
no failover active

*** Set the boot variable
sh boot
boot system disk0:/asa9-12-3-12-smp-k8.bin

*** Set the ASDM variable
sh run | i asdm image
asdm image disk0:/asdm-7122.bin

*** If upgrading AnyConnect
Log off all AnyConnect users (you may need to disable AnyConnect too)
vpn-sessiondb logoff anyconnect
webvpn
no enable OUTSIDE
no anyconnect enable
vpn-sessiondb logoff anyconnect

no anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
no anyconnect image disk0:/anyconnect-linux64-4.7.01076-webdeploy-k9.pkg 2
no anyconnect image disk0:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 3

sh vpn-sessiondb anyconnect

anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-linux64-4.9.04043-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.9.04043-webdeploy-k9.pkg 3

enable OUTSIDE
anyconnect enable

If you get strange issues with sessions held open, you can delete the old AnyConnect package files off the ASA
show webvpn anyconnect

*** Save config and Reload the secondary
wr
reload

*** Wait 10 minutes

*** Check that the secondary has rebooted
sh failover
wait for it to show as Standby Ready

*** Fail over to the secondary (now running the new software)
no failover active

*** basic tests
ping 8.8.8.8
sh dns (if any DNS is set up)
sh conn count
sh xlate count
sh crypto isakmp sa
AnyConnect portal login and check the client version
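The baseline taken in Preparation (sh conn count, sh xlate count, sh crypto isakmp sa) and the post-upgrade comparison come down to eyeballing two screenshots. As an added example (not from the original post), here is a small parser that reads the "before" and "after" output of those three commands and reports any VPN peer that was up before the reload and is missing or in a different state afterwards, plus a warning if connections or xlates dropped to zero. The outputs are constructed in the format the ASA prints; they are not from a real firewall, and the second IKEv1 peer was deliberately left out of the "after" snapshot.

```python
"""Compare the pre-upgrade baseline with the same commands after the reload.
Added example, not part of the original post. Sample outputs are constructed
in the ASA's output format and are not captured from a real device."""
import re

# --- constructed "before" snapshot (taken just before the upgrade) --------
BEFORE = {
    "conn": "143 in use, 1202 most used",
    "xlate": "57 in use, 311 most used",
    "isakmp": """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 198.51.100.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status    Role
 3812     203.0.113.1/500      192.0.2.30/500        READY     INITIATOR
""",
}

# --- constructed "after" snapshot: peer 198.51.100.20 has not come back ----
AFTER = {
    "conn": "41 in use, 1202 most used",
    "xlate": "12 in use, 311 most used",
    "isakmp": """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status    Role
 3901     203.0.113.1/500      192.0.2.30/500        READY     INITIATOR
""",
}

IN_USE = re.compile(r"^\s*(\d+)\s+in use", re.M)
# IKEv1: "IKE Peer: <ip>" followed a few lines later by "State : <state>"
IKEV1_PEER = re.compile(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", re.S)
# IKEv2 table rows: tunnel-id, local/port, remote/port, status, role
IKEV2_ROW = re.compile(r"^\s*\d+\s+\S+\s+(\S+)/\d+\s+(\S+)\s+\S+\s*$", re.M)


def in_use(text):
    """Current count from 'show conn count' / 'show xlate count'."""
    m = IN_USE.search(text)
    return int(m.group(1)) if m else 0


def ike_peers(text):
    """Remote peer -> state (IKEv1 MM_ACTIVE etc., IKEv2 READY etc.)."""
    peers = {peer: state for peer, state in IKEV1_PEER.findall(text)}
    peers.update({peer: status for peer, status in IKEV2_ROW.findall(text)})
    return peers


def snapshot(outputs):
    return {"conn": in_use(outputs["conn"]),
            "xlate": in_use(outputs["xlate"]),
            "peers": ike_peers(outputs["isakmp"])}


def compare(before, after):
    """Return (after_snapshot, findings). Empty findings = nothing obviously broken."""
    b, a = snapshot(before), snapshot(after)
    findings = []
    for peer, state in b["peers"].items():
        if peer not in a["peers"]:
            findings.append(f"VPN peer {peer} was {state} before the upgrade, absent now")
        elif a["peers"][peer] != state:
            findings.append(f"VPN peer {peer} changed {state} -> {a['peers'][peer]}")
    # Lower counts are normal out of hours; zero is not.
    if a["conn"] == 0 and b["conn"] > 0:
        findings.append("no active connections: traffic may not be flowing")
    if a["xlate"] == 0 and b["xlate"] > 0:
        findings.append("no active xlates: NAT may not be working")
    return a, findings


if __name__ == "__main__":
    after, findings = compare(BEFORE, AFTER)
    print(f"conn {after['conn']}, xlate {after['xlate']}, peers {sorted(after['peers'])}")
    for f in findings or ["no differences worth chasing"]:
        print(" -", f)
```

A missing peer is not always a fault: a tunnel only comes up when interesting traffic hits it, which is why the post-upgrade notes suggest generating some LAN traffic before judging.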

*** Customer tests
If all is good, fail back to the primary and complete the same steps to install the new software on it
no failover active (check the boot var is set on the primary first)
Connect to vpn.domain.com etc. and check for any certificate issues
