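Cisco Secure Firewall 1200 Firewall Version Upgrade
Background
Upgrade steps for Cisco CSF1200 series firewalls. This case uses a USB drive to upload the version image. The devices to be upgraded are an HA pair; all operations are performed on the HA active unit, and no operations are needed on the standby unit.
Procedure
1. Prepare the target software image. Download the target software image in advance from the Cisco website: https://software.cisco.com/download/home
2. Upload the target image to the device from the USB drive.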
CSF1200/pri/act# copy disk1:/cisco-asa-csf1200.9.24.1.SPA disk0:
Source filename [cisco-asa-csf1200.9.24.1.SPA]?
Destination filename [cisco-asa-csf1200.9.24.1.SPA]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
3. Wait for the image upload to complete.
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Verifying file disk0:/cisco-asa-csf1200.9.24.1.SPA...
Writing file disk0:/cisco-asa-csf1200.9.24.1.SPA...
488507760 bytes copied in 28.530 secs (17446705 bytes/sec)
4. Check that the image was uploaded successfully.
CSF1200/pri/act# dir disk0:
Directory of disk0:/
212 drwx 4096 08:40:01 Apr 28 2026 log
539982114 -rw- 131961648 16:49:36 Mar 03 2025 asdm.bin
2 drwx 4096 09:12:22 Nov 27 2025 cores
1610612929 drwx 6 09:11:31 Nov 27 2025 packet-capture
1610612969 -rw- 415084 09:26:35 Apr 28 2026 asa-cmd-server.log
1610612974 -rw- 39 08:00:29 Mar 10 2026 snortpacketinfo.conf
1610612962 drwx 6 02:57:12 Mar 04 2026 packet-tracer
1075721790 drwx 22 02:57:12 Mar 04 2026 smart-log
1610612964 -rw- 4 08:00:34 Mar 10 2026 og_knob_v77
1610612970 drw- 26 02:57:42 Mar 04 2026 coredumpinfo
198 drwx 6 02:56:16 Mar 04 2026 fxos
1074447723 -rw- 1827 02:56:16 Mar 04 2026 cspCfg.xml
1610612972 -rwx 488507760 09:24:24 Apr 28 2026 cisco-asa-csf1200.9.24.1.SPA <<--- the image has been uploaded successfully
6 file(s) total size: 620886362 bytes
16106127360 bytes total (15279570944 bytes free/94% free)
5. Check whether a boot file is already configured. If so, remove the current boot file configuration.
CSF1200/pri/act# show bootvar
BOOT variable = <<--- check whether a boot file is set
Current BOOT variable = <<--- check whether a boot file is set
CONFIG_FILE variable =
Current CONFIG_FILE variable =
CSF1200/pri/act(config)# no boot system xxx
6. Set the target version image as the boot file.
CSF1200/pri/act(config)# boot system disk0:/cisco-asa-csf1200.9.24.1.SPA
After the above configuration is applied, the active and standby units process the boot file in sync. The process is as follows:
The system is currently installed with security software package 9.23.1, which has:
- The platform version: 2.17.0.518
- The CSP (asa) version: 9.23.1
Preparing new image for install...
!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Installation of version 9.24.1 will do the following:
- upgrade to the new platform version 2.18.0.520
- upgrade to the CSP ASA version 9.24.1
After installation is complete, ensure to do write memory and reload to save this config and apply the new image.
Finalizing image install process...
Install_status: ready.............................
Install_status: validating-images.....
Install_status: upgrading-system
Install_status: update-software-pack-completed
7. Save the configuration.
CSF1200/pri/act# write
Building configuration...
Cryptochecksum: 731373a6 8d267ed8 b5109479 9fd548f0
31997 bytes copied in 0.210 secs
[OK]
8. Reload the standby unit; run the command on the active unit.
CSF1200/pri/act# failover reload-standby
After the reload command is issued, the standby unit begins rebooting:
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** requested by active unit
Process shutdown finished
Rebooting... (status 0x9)
..
<13>Apr 28 11:09:21 root: FXOS shutdown log started: pid = 1535 cmdline = /bin/sh/sbin/fxos_log_shutdown ####
Apr 28 2026 11:09:22 INIT: Running /etc/rc6.d/K00all_ports_down.sh stop...
Tue Apr 28 11:09:22 UTC 2026 : Checking for running portmgr process...
Tue Apr 28 11:09:22 UTC 2026 : Sending IPC message to portmgr to bring down all ports...
2026 Apr 28 11:09:23.699 PMLOG:PM IPC UTILITY: Shutting down all ports
Apr 28 2026 11:09:23 INIT: Completed /etc/rc6.d/K00all_ports_down.sh stop...
Apr 28 2026 11:09:23 INIT: Running /etc/rc6.d/K09sshd stop...
Stopping OpenBSD Secure Shell server: sshd
done.
Apr 28 2026 11:09:24 INIT: Completed /etc/rc6.d/K09sshd stop...
Apr 28 2026 11:09:24 INIT: Running /etc/rc6.d/K20acpid stop...
Apr 28 2026 11:09:24 INIT: Completed /etc/rc6.d/K20acpid stop...
Apr 28 2026 11:09:24 INIT: Running /etc/rc6.d/K20apache2 stop...
Stopping web server: apache2failed
Once the unit has rebooted and stabilized, the upgrade is complete:
The system is currently installed with security software package 9.24.1, which has:
- The platform version: 2.18.0.520
- The CSP (asa) version: 9.24.1
Preparing new image for install...
!!!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Boot system image matches currently installed image.
WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation event.
INFO: Apr 28 11:18:37.495 : Platform does not support monitoring service module
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
WARNING: Trustpoint _SmartCallHome_ServerCA2 is already authenticated.
End configuration replication from mate.
CSF1200/sec/stby>
9. Check the device version.
CSF1200/pri/stby# show version
Cisco Adaptive Security Appliance Software Version 9.24(1) <<--- confirm the version is now the target version
SSP Operating System Version 2.18(0.520)
Device Manager Version 7.24(1)
Compiled on Mon 01-Dec-25 22:05 GMT by fpbesprd
System image file is "disk0:/installables/switch/fxos-k8-csf1200-lfbff.2.18.0.520.SPA"
Config file at boot was "startup-config"
10. Check the HA state; the active/standby state is normal and as expected.
CSF1200/pri/stby# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              16:04:40 CST Mar 10 2026
Other host -   Secondary
               Standby Ready  Comm Failure             18:08:43 CST Apr 28 2026
====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
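11. The standby unit has been upgraded to the target version while the primary unit is still on the old version, so the device reports that the active/standby versions do not match. This can be ignored.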
************WARNING****WARNING****WARNING********************************
Mate version 9.24(1) is not identical with ours 9.23(1)
************WARNING****WARNING****WARNING********************************
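12. Perform the HA active/standby switchover on the primary unit; the check shows that the active and standby units have switched correctly.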
CSF1200/pri/act# no failover active
Switching to Standby
CSF1200/pri/stby# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  Ifc Failure              16:04:40 CST Mar 10 2026
Other host -   Secondary
               Active         Comm Failure             18:08:43 CST Apr 28 2026
====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
13. Upgrade the CSF1200/sec/act unit, following steps 8-12. After the upgrade completes, the active/standby state is normal.
CSF1200/pri/act# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              16:04:40 CST Mar 10 2026
Other host -   Secondary
               Standby Ready  Comm Failure             18:08:43 CST Apr 28 2026
====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
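The state checks in steps 10 and 12 can be scripted as a gate before `failover reload-standby` or `no failover active`. This is an added example, not part of the original post; the function names and the sample text are constructed here, and the parser assumes the device's column-aligned output.

```python
import re

# Constructed sample in the column-aligned layout the device prints for
# `show failover state` (same values as step 12 on this page).
SAMPLE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  Ifc Failure              16:04:40 CST Mar 10 2026
Other host -   Secondary
               Active         Comm Failure             18:08:43 CST Apr 28 2026

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set
"""

def parse_failover_state(text):
    """Return {'this': (role, state), 'other': (role, state), 'config': [...]}."""
    result, section = {"config": []}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        host = re.match(r"\s*(This|Other) host\s*-\s*(\S+)", line)
        if host and i + 1 < len(lines):
            # State is the first column of the next line; columns are
            # separated by two or more spaces ("Standby Ready" has one).
            state = re.split(r"\s{2,}", lines[i + 1].strip())[0]
            result[host.group(1).lower()] = (host.group(2), state)
        elif line.startswith("===="):
            section = line.strip("= ")
        elif section == "Configuration State" and line.strip():
            result["config"].append(line.strip())
    return result

def safe_to_proceed(text):
    """Hypothetical gate: (ok, reasons) for reloading the standby or switching roles."""
    parsed, reasons = parse_failover_state(text), []
    states = sorted(parsed.get(k, ("?", "missing"))[1] for k in ("this", "other"))
    if states != ["Active", "Standby Ready"]:
        reasons.append(f"unexpected unit states: {states}")
    if "Sync Done" not in parsed["config"]:
        reasons.append("configuration state is not 'Sync Done'")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(safe_to_proceed(SAMPLE))
```

Any state other than one `Active` and one `Standby Ready` unit, or a missing `Sync Done`, makes the gate fail closed, so a unit that is still booting or has failed blocks the next step.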
This article is from cnblogs (博客园), author: 小小流浪人. When reposting, please cite the original link: https://www.cnblogs.com/little-wanderer/p/19951379