70-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter70 Using Image Manager
Getting Started with Image Manager
Failover configuration—Two identical ASA devices configured to failover for high availability.
They can be configured to be in Active/Active or Active/Standby failover. Refer to
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_overview.html.
Image update on an Active/Active failover pair is not supported in Image Manager. In order to use
Image Manager to update the images on an Active/Active failover pair, the Active/Active failover
pair has to temporarily be converted to Active/Standby by making all the failover groups active on
one unit, and the corresponding failover groups standby on the other unit. After upgrade, you can
convert the failover pair back to Active/Active.
Cluster configuration—Multiple ASAs (up to 8 ASAs) can be grouped together as a single logical
unit called a cluster for achieving increased throughput and redundancy. The purpose of clustering
devices is to simplify manageability and to increase processing speed. By using clusters you are able
to scale to a multitude of simultaneous connections that work together to load balance the
connections. Clustering feature has been introduced starting from ASA version 9.0(1). For more
information see
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_cluster.html.
Note Clustering is only supported on ASA 5580 and ASA 5585.
Starting from CSM 4.4, Security Manager supports Clustering. In Configuration manager and Image
Manager, all the devices/members in a cluster or a failover pair are managed as a single device. That is,
when you change the configuration on a cluster’s master device, the change is automatically made to all
the devices in the cluster. Similarly, Image Manager updates image on each of the physical unit that is
part of failover or cluster in a single operation.
Image Manager Supported Image Types
Image Manager supports the following types of images:
ASA System software
ASDM image
VPN images [includes Cisco Secure Desktop (CSD), AnyConnect, and Hostscan]
SSLVPN Plug-in images (For example: RDP, SSH, ICA, and others)
Image Manager completely manages the ASA system software and the ASDM images on the ASA
devices, i.e., it performs loading of the image, activating the image by modifying configuration, and even
reloading the device if required to complete the image upgrade process.
Image Manager does not support the ASA–CX images. This includes both the system images, for
example asacx-sys-9.1.1-1.pkg, and also the boot images, for example asacx-5500x-boot-9.1.1-1.img.
Using Image Manager, you cannot add any CX images to the Image Manager repository and cannot push
any CX images to the device .
Handling of SSL VPN Images
Image Manager only reliably copies SSL VPN images to the ASA device. No configuration or activation
commands are added for SSL VPN images by Image Manager. The configuration of the images must still
be done using Configuration Manager.
The following files are not managed in Image Manager and have to be configured and deployed from
Configuration Manager as in earlier versions of Security Manager:
CSD Configuration XML