Skip to main content



Cisco Defense Orchestrator

Upgrade ASA and ASDM Images in an Active/Standby Pair

Before you Upgrade

Before you upgrade your pair of ASAs in active/standby failover mode, review the prerequisites below. If you need more information about how ASAs are configured and work in failover mode, see Failover for High Availability in the ASA documentation. 

youtube.png Want to see a demo? Watch a screencast of this procedure.


  • Review ASA and ASDM Upgrade Prerequisites for requirements and important information about upgrading ASA and ASDM images.
  • The primary (active) and secondary (standby) ASAs are configured in active/standby failover mode.
  • The primary ASA is the active device in the active/standby pair. If the primary ASA is inactive, CDO will not perform the upgrade.
  • The primary and secondary ASA software versions are the same. 


This is the process by which CDO upgrades the active/standby pair of ASAs:

  1. CDO downloads the ASA and ASDM images to both ASAs.

Note: Users have the choice of downloading ASA and ASDM images but not upgrading immediately. If the ASA and ASDM images were downloaded previously, CDO will not download them again; CDO continues the upgrade workflow with the next step.

  1. CDO upgrades the secondary ASA first.
  2. Once the upgrade is complete and the secondary ASA returns to the "Standby-Ready" state, CDO initiates a failover so that the secondary ASA becomes the active ASA.
  3. CDO upgrades the primary ASA, which is now the current standby ASA. 
  4. Once the primary ASA returns to the "Standby-Ready" state, CDO initiates a failover so that the primary ASA becomes the active ASA.

Warning: Upgrading devices that have self-signed certificates may experience issues; see New Certificate Detected for more information.

Upgrade ASA and ASDM Images in an Active/Standby Pair

  1. Log in to CDO.
  2. Click Devices & Services.
  3. Select the device you want to upgrade. 
  4. In the Device Actions pane, click Upgrade.

Notice that the failover mode of the device is Active/Standby:


  1. On the Device Upgrade page, follow the instructions presented to you by the wizard. 

Note: When upgrading your ASAs and ASDMs to images stored in your own repository, select Specify Image URL and enter the URL of the ASA or ASDM image in the Software Image URL field. You can retrieve the images from your repository using any of these protocols: FTP, TFTP, HTTP, HTTPS, SCP, and SMB. See Custom URL Upgrade for URL syntax information.

  • Was this article helpful?