PIX upgrade from 6.3(5) to 7.2(2)

Unanswered Question
Feb 1st, 2007

I have a pair of 515e devices configured in failover. The system has been working fine, however I tried to upgrade from 6.3(5) to 7.2(2) using Monitor mode, as I have PDM installed.

The problem is that whenever I enter monitor mode and apply an IP address to the inside interface, I have problems keeping a reliable connection to the TFTP server.

From Montior mode I enter the folowing commands:

Interface 1



At this point, I try to ping the TFTP server at and my results are varied. Return success rate is typically 20-60%. On a rare attempt I can get 100%.

Since this is a failover configuration, I don't want to enter the IP address for this interface that it would normally use while in service, as this IP is now running on the standby PIX. Normally, I would think that there were some network issues happening, however the same network cable, switch port and switch port settings are in use during the upgrade attempt as are in use during production. Is there something different going on with the network connection in monitor mode vs normal mode? During the upgrade attempt, I noticed that the switch port this interface connects to starts getting Receive Drop errors that don't occur while the device is in production.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
zulqurnain Sun, 02/04/2007 - 11:00

hello bthibode,

i have sort of a similar case, except a bit differnet that one of my junior network administrator upgraded our 515E to version 7.0(2) from 6.3(5) not knowning that it was with 32MB and 7 version above requires 64MB. now when ever i try to downgrade it to 6.3(5) version from ROMMON, right after the final stage of downloading the image from TFTP server it fails and keeps rebooting with message something like

"insuffient memory"

now is there any other way of fixing the problem and restoring it back old image.

bthibode Sun, 02/04/2007 - 11:38

I've got this same issue in my lab right now. The standard answer is RMA the PIX. I've tried quite a few different things and still cannot recover my PIX. Maybe someone else will be able to help you with this specific question. Please rate if my last post helped.


zulqurnain Sun, 02/04/2007 - 21:27

hello Bryan,

so i guess the only solution i am left with is to put addtional 32MB and boot it and use the downgrade command :(

i which there could be some other less expensive solution and straight forward

Wizzle Sun, 02/11/2007 - 17:45

Hey zulqurnain,

I did the same thing also. All you need to do is get a spare 32MB to upgrade the memory to 64MB for the Pix 7.0(2) to boot. From there you can just run the downgrade. You can then remove the 32MB and your pix would boot fine.

kmkrause2 Tue, 02/06/2007 - 06:33

Thanks, I had never noticed the distinction between the 515 and 515e in the documentation before. What you posted in the link was the doc that I had used when planning the upgrade. I'll give this a try tomorrow morning and see what happens. Thanks to all for the response.


kmkrause2 Wed, 02/07/2007 - 06:17

Thanks! Upgrading in normal mode with a failover configuration was much less confusing and the tftp issue was gone as well.

FYI, for all those who may be having a problem with VPN and NAT translation (packets in being decrypted but then dropped instead of being passed through to the internal host), upgrading from 6.35 to 7.22 resolved the issue.

zaballa805 Wed, 02/07/2007 - 16:37


we're also planning to upgrade a pix v6.3.

Did you have to upgrade from 6.3 to 7.0 first?

then from 7.0 to 7.1? and then 7.1 to 7.2?

I'm reading the Release notes for 7.2 and it seems there's no direct upgrade path from 7.0 to 7.2

I'm using this link as a guide.

1. Guide for Cisco PIX 6.2 and 6.3 Users pgrading to Cisco PIX Software Version 7.0.


2. Relase notes for 7.2 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_72/rel_note/pixrn72.pdf

bthibode Wed, 02/07/2007 - 16:41

You have to upgrade from 6.3 to 7.0. After that you can hop around in 7.x til your heart's content :-)

kmkrause2 Thu, 02/08/2007 - 06:36

That is not correct. I upgradded from 6.3(5) directly to 7.2(2). Previously on another PIX, I upgrade from a 6.2(2) straight to 7.2(2) all with no version issues.


bthibode Thu, 02/08/2007 - 07:23


I;m glad you've done this once. I do this at least 3 times a week on the TAC. Best practice is to upgrade to 7.0 from 6.3. If you had success using an unsupported method of upgrading, I'm happy for you. Please be aware that this is unsupported so if you would have run into any issues, you might have been on your own. Please don't contradict best practice documents. They are there for a reason.



zaballa805 Thu, 03/08/2007 - 10:35

Got the upgrade done. Migration of the commands was seamless. i had to remove some commands before upgrade ( e.g. pptp , vpdn, etc). No problem reboooting. Even the VPN Xauth was automatically disabled ( this was said to have been enabled by default)

Upgrade was almost seamless until we ran into a problem with the mail system. we were able to send but were unable to receive. i thought it was due to the esmtp. but could not get it running. we got the TAC involved and the tech told us it was due to the new MSS ( Max Segment Size) feature.

he set up the service policy to allow packets that exceed the MSS.


frecarlen Sun, 02/18/2007 - 11:44


I am about to upgrade a 515E with PDM from 6.3 to 7 and can't see any other info that I have to do it via monitor-mode and not basic. Am I missing something here? The link you provided says nothing about 515E and basic, as far as I have a redaing-problem...

Can you explain?


bthibode Mon, 02/19/2007 - 06:02


You don't have a reading problem. You do, however need to know how cisco documentation is laid out. Take this sentence for example:

"If you are upgrading from a PIX 515 or a PIX 535 with PDM already installed, you must upgrade from monitor mode."

This sentence says nothing about the PIX 515E. The 515 and 515E are two different devices, thus are always mentioned seperatly. Take this sentence for example:

"The PIX Security appliance Version 7.0 runs on PIX 515/515E, PIX 525, and PIX 535, but is not supported on the PIX 501 or PIX 506/506E platforms at this time."

Notice that the 515 and 515E are both mentioned. In the previous quote, only the 515 is mentioned. This is how cisco writes their documents.

Bottom line: you can upgrade a 515E from either basic or monitor mode. I recommend basic because its, well, basic :o)

You will find the upgrade instructions here:


Please rate if this helps!



This Discussion