Zero Downtime ASA Upgrade (ASDM)

In the same vein as my last post, this update will take you through the steps of performing a zero downtime upgrade on an HA pair of ASA 5525-X’s, this time via the ASDM GUI.

Take a look here for Cisco’s official documentation, which will be the blueprint for our guide.

  • First, back up your configuration by going to Tools -> Backup Configurations

  • Download your updated ASDM and ASA software from Cisco.com
  • Click Tools -> Upgrade Software from Local Computer

  • We’ll update ASDM first. Select ASDM from the drop-down box and click Browse Local Files. Navigate to where you downloaded your images, select the new ASDM image, then click Upload Image.

  • You will receive a prompt asking whether to set this image as the ASDM image. Click No for now. If you select Yes, you will not be able to use ASDM to connect to the secondary unit and upload the new images in the later steps.

  • Now let’s update the ASA software. Again, click Tools -> Upgrade Software from Local Computer. Select ASA from the drop-down menu and click Browse Local Files. Navigate to where you downloaded your images, select the new ASA image, then click Upload Image. Click Yes on the prompt.

  • Open a new ASDM window and connect to the standby ASA IP address. Follow the same steps as above to upload the new ASDM and ASA images. Close the ASDM window for the secondary unit when finished.
  • On the Primary ASDM window click Configuration -> Device Management -> expand System Image/Configuration -> click Boot Image/Configuration. Under ASDM Image File Configuration click Browse Flash and select the new ASDM image we uploaded earlier. Save the configuration.

  • We can now reload the secondary unit to start the upgrade process. Click Monitoring -> Properties -> Failover -> Status. Click Reload Standby.

  • Refresh the Failover Status page until the Secondary unit moves from a failed state to standby ready. Make note of the sw rev field. It should reflect the new ASA software version.

  • Force the active unit to failover to standby by clicking the Make Standby button on the Failover Status page. Refresh the Failover Status page to verify the Secondary unit is now the active unit. Now click Reload Standby to reboot the primary/standby unit and complete the upgrade.

  • Exit ASDM and relaunch. You should now see the updated ASDM and ASA software versions under Device Information.

Zero Downtime ASA Upgrade (CLI)

So you have stateful failover configured on your pair of Cisco ASAs and need to upgrade ASDM or the OS? Maybe a critical security vulnerability was discovered in the software and you need to upgrade ASAP. With stateful failover, we can perform a zero downtime upgrade on our ASAs to minimize end-user disruption. Below are the steps I used to upgrade a pair of ASA 5525-X’s using the command line interface. You can find Cisco’s documentation for upgrading an Active/Standby Failover Configuration here.

  • First, back up your current configuration!

  • Download your updated ASDM and ASA software from Cisco.com
  • Copy the new ASA operating system image to the active and standby units.

  • Copy the new ASDM image to the active and standby units.

  • Verify the current boot images, making note of the boot order. Remove the current image from the boot list and set the config to boot from the newly uploaded image first, followed by the old image as a backup.

  • Configure the ASA to use the new ASDM image

  • Save your configuration and reload the secondary standby unit.

  • Verify the standby unit is back up and running the new software version.

  • Make the active primary unit the new standby unit.

  • You may need to re-establish your SSH connection. Log back into the ASA and verify that the secondary unit is now the active unit. Reload the primary/standby unit, wait a few minutes and verify that both units are now running identical code.
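The whole CLI procedure above (and the equivalent of the ASDM walkthrough in the previous post), written out as an added example of the command sequence as typed on the active unit. This is not the post’s own command listing: the TFTP server address, the image file names (asa-NEW.bin, asa-OLD.bin, asdm-NEW.bin) and the backup file name are placeholders, and the assumption is that both units already have a working failover pair so that `failover exec mate` can push files to the standby.

```cisco
! Added example: Active/Standby zero-downtime upgrade, run from the ACTIVE unit.
! Placeholders: 192.0.2.5 = TFTP server, asa-NEW.bin / asa-OLD.bin = ASA images,
! asdm-NEW.bin = ASDM image. Replace with the real file names from Cisco.com.

! 1. Back up the running configuration before anything else.
copy running-config tftp://192.0.2.5/asa-backup-before-upgrade.cfg

! 2-3. Copy the new ASA image to this unit, then push the same copy to the mate.
copy tftp://192.0.2.5/asa-NEW.bin disk0:/asa-NEW.bin
failover exec mate copy /noconfirm tftp://192.0.2.5/asa-NEW.bin disk0:/asa-NEW.bin

! 4. Copy the new ASDM image to both units the same way.
copy tftp://192.0.2.5/asdm-NEW.bin disk0:/asdm-NEW.bin
failover exec mate copy /noconfirm tftp://192.0.2.5/asdm-NEW.bin disk0:/asdm-NEW.bin

! 5. Record the current boot variables and boot order, then put the new image
!    first in the list and keep the old image as the fallback entry.
show bootvar
show running-config boot
configure terminal
no boot system disk0:/asa-OLD.bin
boot system disk0:/asa-NEW.bin
boot system disk0:/asa-OLD.bin

! 6. Point ASDM at the new image (this line is replicated to the standby).
asdm image disk0:/asdm-NEW.bin
end

! 7. Save the configuration and reload the secondary (standby) unit.
write memory
failover reload-standby

! 8. Repeat until the mate shows "Standby Ready" and its sw rev is the new version.
show failover

! 9. Make this (primary, active) unit standby; the secondary becomes active.
!    Your SSH session will likely drop here: reconnect and check that the
!    secondary is now active before continuing.
no failover active
show failover

! 10. Reload the primary (now standby), wait, then confirm identical code on both.
failover reload-standby
show failover
show version | include Software Version
```

Two points worth checking at step 8 and step 10: `show failover` lists the software version of both units side by side, so a version mismatch between "This host" and "Other host" is visible before you fail over, and the `no failover active` step is the one that actually moves traffic, so only issue it once the standby reports Standby Ready on the new code.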

And there you have it. If you’d like, after monitoring and verification, you can remove the old ASA and ASDM images from the boot order commands and from the disk to keep things clean.

Configuring Stateful Failover on a Cisco ASA HA Pair

The ASA, Cisco’s Adaptive Security Appliance, has been around for over 15 years and has become a ubiquitous network security solution, securing networks the world over.

Because it is such a critical device in our networks, it has become best practice to deploy these security appliances in a resilient and highly available configuration.

Currently, Cisco supports Active/Active as well as Active/Standby failover. This article contains a simple example of how to configure Active/Standby stateful high availability on a pair of Cisco ASAs, where one unit acts as the primary ASA and a standby unit becomes active once a failover has occurred. When stateful failover is enabled, connection states are continuously passed between the active and standby units keeping session information available to the new active unit. Please note that both ASAs must be running identical hardware and software versions.

Detailed instructions from Cisco on how to configure Failover can be found here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html

  • Each interface on the primary ASA will need an additional “standby” IP address, for example:

  • Specify failover interface on the primary ASA
  • Configure failover link IP address

  • Configure shared failover key

  • Configure ASA as primary

  • Enable stateful failover

  • Enable failover

  • On the secondary ASA we’ll need to do some similar configuration:
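The configuration steps above, gathered into one added example for the primary and the secondary unit. These are not the post’s own commands: interface names, IP addresses, the failover link name FOLINK and the shared key are all assumptions chosen for illustration. The failover key matters from a security standpoint because the failover link carries the replicated configuration, including credentials and keys, and the key is what encrypts that traffic.

```cisco
! Added example: Active/Standby stateful failover on an ASA pair.
! Assumptions: Gi0/0 = outside, Gi0/1 = inside, Gi0/7 = dedicated failover link,
! addresses from documentation ranges, key is a placeholder.

! ---------------- Primary unit ----------------
! Every data interface gets a standby address that the other unit uses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Unit role, failover interface, and the failover link addresses.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared key: encrypts hellos and config/state replication on the link.
failover key <shared-secret-placeholder>
! Stateful failover: reusing the LAN failover interface as the state link.
failover link FOLINK
! Turn failover on.
failover

! ---------------- Secondary unit ----------------
! Only the failover settings are needed here; the data-interface config,
! ACLs and the rest are replicated from the primary once failover is up.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover link FOLINK
failover
```

Use the same key string on both units and keep the failover link on its own physical interface or isolated VLAN; once both sides have `failover` enabled, `show failover` on either unit should report the primary as Active and the secondary as Standby Ready, with "Stateful Failover Logical Update Statistics" counters increasing as connections are replicated.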

If everything is configured properly, you should see console output regarding configuration replication.

Now verify the status of failover with a show failover:

Creating a Subject Line Disclaimer in Exchange 2010

With ever-increasing amounts of spam and spear phishing attacks, many companies today are going out of their way to warn users when an email is received from an external, and potentially unsafe, source. Thankfully, the Exchange Management Console makes it fairly straightforward to create transport rules to add disclaimers, rewrite subject lines, and even insert HTML into emails for all sorts of situations.

Recently I was asked to add an [EXTERNAL] tag to the subject line of all incoming emails from outside the organization. Below are the steps to create a Hub Transport rule to accomplish such a task.

  • Open the Exchange Management Console
  • Navigate to Organization Configuration -> Hub Transport

  • On the right side of the console click “New Transport Rule…”

  • The New Transport Rule wizard will open. Simply follow the onscreen instructions, entering a name and comment for the rule. Click Next when finished.

  • Under Conditions, select “from users that are inside or outside the organization” and “sent to users that are inside or outside the organization, or partners.” Click the blue links under Step 2 to change the from users field to “Outside” and the sent to users field to “Inside.” Click Next when completed.

  • Under actions, check “prepend message subject with string.” Click the blue link next to “string” to edit the subject prefix. Enter the tag that you’d like to appear in the subject line. Click OK and Next.

  • Under Exceptions, check “except when the Subject field matches text patterns.” Click the blue link next to “string” and add the same prefix you added in the previous step. This will prevent multiple subject stamping from occurring when people email back and forth. Click Next.

  • Click New to create your new transport rule.

  • Emails from an external source should now have a new tag in the subject line.