Failover pix upgrade

peter-net
Level 1

I am upgrading a production pair (failover pair) of PIX 525s to 6.3(5125) in the next few days. (I am also rationalising the existing rulebase.) Any caveats on doing this upgrade with a failover pair? Thanks

4 Replies

rlacap
Level 1

Peter-net

I think the only issue is memory to 128MB for Unrestricted. Here is a helpful site:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

rlacap

pjhenriqs
Level 1

Just a tip on this... you've probably thought about it yourself already.

Be careful with the copying of the images if you are doing the upgrade on a live solution. As soon as you copy the image to one of the firewalls the failover no longer exists (because it needs the same image on both of them). I would advise you to plan this very carefully if you are doing it remotely.

abinjola
Cisco Employee

Hey Peter,

Follow this procedure and you are safe:

1) Power off Primary (this causes Secondary to become active)

2) Disconnect all cables from Primary (including failover cable)

3) Power on Primary and attach a PC with a tftp server on it

4) Use "copy tftp flash" to upgrade the Primary

5) Reload Primary and verify the new version, config, etc.

6) Power off Primary

Reconnect all cables back to the Primary

7) Quickly power off Secondary, and then immediately power on Primary

- Note: This is where your downtime will occur while the Primary is booting

Once the Primary is up it will be Active, and passing traffic

8) Repeat steps 2 - 7, but for the Secondary PIX

Power on the Secondary, it will come up as Standby

9) Both PIXes are now running the upgraded version and back to normal operation.

This completes the upgrade process.

zeu7
Level 1

Hello Peter,

I recently (weekend before last) upgraded our 535 firewall failover pair to 7.2 and used the steps as specified by Abinjola. And it went on without too much of a problem.

It goes without saying: remember to back up your current config just in case.

In my case, the only issue I had was space on the device, so I had to delete the existing ASDM image from flash first, reloaded the firewall, then ran the copy tftp flash. Once I verified that that was working fine, I then got rid of the old firmware image from flash too.

You will also need to copy a new ASDM image to work with the new firmware you are upgrading to.
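
An added example, not part of the thread and not Cisco code: a small Python check that compares saved `show version` text from both units for two conditions the replies raise, the same image on both firewalls and the 128 MB memory figure. The sample outputs are constructed, and the function names and the `min_ram_mb` parameter are hypothetical.

```python
import re

# Constructed "show version" excerpts for illustration (not captured from real units).
PRIMARY = """\
Cisco PIX Firewall Version 6.3(5)
Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
"""
SECONDARY = """\
Cisco PIX Firewall Version 6.3(4)
Hardware:   PIX-525, 64 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
"""

# The first "Cisco PIX ... Version X" line carries the running software image.
VERSION_RE = re.compile(r"^Cisco PIX [\w ]*Version (\S+)", re.M)
HW_RE = re.compile(r"^Hardware:\s+([^,\s]+),\s+(\d+) MB RAM", re.M)


def parse_show_version(text):
    """Extract software version, model and RAM from 'show version' text."""
    ver = VERSION_RE.search(text)
    hw = HW_RE.search(text)
    if not ver or not hw:
        raise ValueError("unrecognised 'show version' output")
    return {"version": ver.group(1), "model": hw.group(1), "ram_mb": int(hw.group(2))}


def failover_precheck(primary_text, secondary_text, min_ram_mb=128):
    """Return a list of problems; an empty list means the pair matches.

    min_ram_mb defaults to the 128 MB figure mentioned in the thread
    (an assumption here; confirm it against the release notes for your image).
    """
    a = parse_show_version(primary_text)
    b = parse_show_version(secondary_text)
    problems = []
    if a["version"] != b["version"]:
        problems.append(f"image mismatch: {a['version']} vs {b['version']}")
    if a["model"] != b["model"]:
        problems.append(f"model mismatch: {a['model']} vs {b['model']}")
    for name, unit in (("primary", a), ("secondary", b)):
        if unit["ram_mb"] < min_ram_mb:
            problems.append(f"{name} has {unit['ram_mb']} MB RAM, below {min_ram_mb} MB")
    return problems


if __name__ == "__main__":
    for line in failover_precheck(PRIMARY, SECONDARY) or ["pair matches"]:
        print(line)
```

Run it on the output saved from each unit before reconnecting the failover cable; any line it returns is a reason to stop before putting the pair back together.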
