Workflow for upgrading an ASA high availability pair

The following workflow describes how Secure Firewall Management Center upgrades ASA devices in an Active/Standby high availability pair.

1. Download images to both devices

   Secure Firewall Management Center downloads the ASA and ASDM images to both devices in the high availability pair.

   Note	Users have the choice of downloading ASA and ASDM images but not upgrading immediately. If the ASA and ASDM images were downloaded previously, Security Cloud Control will not download them again; Security Cloud Control continues the upgrade workflow with the next step.

2. Secure Firewall Management Center upgrades the standby device

   The secondary ASA (standby device) is upgraded and rebooted while the primary ASA continues to process traffic.

3. Verify standby readiness

   After reboot, the upgraded device enters the Standby-Ready state.

4. Initiate failover

   Secure Firewall Management Center initiates a failover so that the upgraded device becomes the active ASA.

5. Upgrade the remaining device

   The original primary ASA, which is now the standby device, is upgraded and rebooted.

6. Restore the original active device

   After the device returns to the Standby-Ready state, Secure Firewall Management Center initiates another failover so that the original primary ASA becomes active again.

This process ensures that one device remains active throughout the upgrade, minimizing service interruption.

Warning

Upgrading devices that have self-signed certificates may experience issues; see New Certificate Detected for more information.