Failover pix upgrade

Feb 22nd, 2008

I am upgrading a production pair (failover pair) of PIX 525s to 6.3(5125) in the next few days. (I am also rationalising the existing rulebase.) Any caveats on doing this upgrade with a failover pair? Thanks

pjhenriqs Fri, 02/22/2008 - 03:11

Just a tip on this... you've probably thought about it yourself already.

Be careful with the copying of the images if you are doing the upgrade on a live solution. As soon as you copy the image to one of the firewalls the failover no longer exists (because it needs the same image on both of them). I would advise you to plan this very carefully if you are doing it remotely.

abinjola (Cisco Employee) Fri, 02/22/2008 - 05:53

Hey Peter,

Follow this procedure and you are safe:

1) Power off Primary (this causes Secondary to become active)

2) Disconnect all cables from Primary (including failover cable)

3) Power on Primary and attach a PC with a tftp server on it

4) Use "copy tftp flash" to upgrade the Primary

5) Reload Primary and verify the new version, config... etc...

6) Power off Primary

Reconnect all cables back to the Primary

7) Quickly power off Secondary, and then immediately Power on Primary

- Note: This is where your downtime will occur while the Primary is booting

Once the Primary is up it will be Active, and passing traffic

8) Repeat steps 2 - 7, but for the Secondary PIX

Power on the Secondary, it will come up as Standby

9) Both PIXes are now running the upgraded version and back to normal operation.

This completes the upgrade process.

marksenteza Wed, 02/27/2008 - 06:24

Hello Peter,

I recently (weekend before last) upgraded our 535 firewall failover pair to 7.2 and used the steps as specified by Abinjola. And it went on without too much of a problem.

It goes without saying: remember to back up your current config just in case.

In my case, the only issue I had was space on the device, so I had to delete the existing ASDM image from flash first, reloaded the firewall, then ran the copy tftp flash. Once I verified that that was working fine, I then got rid of the old firmware image from flash too.

You will also need to copy a new ASDM image to work with the new firmware you are upgrading to.

