PIX 525 Failover Upgrade from 7.1 to 8.0(3)

Answered Question

I will be upgrading an active standby failover pair of PIX 525s later this week. They are running LAN based and stateful failover. I am planning to use the following procedure:


Step 1 Download the new software to both units, and specify the new image to load with the boot system command.


Step 2 Reload the standby unit to boot the new image by entering the following command on the active unit:


active# failover reload-standby


Step 3 When the standby unit has finished reloading, and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the following command on the active unit.



-------------------------------------------------------------------------------


active# no failover active

Step 4 Reload the former active unit (now the new standby unit) by entering the following command:


newstandby# reload

Step 5 When the new standby unit has finished reloading, and is in the Standby Ready state, return the original active unit to active status by entering the following command:


newstandby# failover active


I couldn't find much information about upgrading a failover pair from 7 to 8. I just want to confirm that this is the proper procedure. Any advice will be much appreciated. Thanks.

Correct Answer by abinjola about 9 years 1 month ago

Well you may do a zero downtime upgrade after codes 7.x



http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mswli

cfg.html#wp1053398

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
abinjola Tue, 03/11/2008 - 09:01
User Badges:
  • Cisco Employee,

After 7.0.x there was zero downtime available for failover upgrade

abinjola Tue, 03/11/2008 - 09:17
User Badges:
  • Cisco Employee,

its good..just that you can't jump directly from from 7.1 to 8.0.3, you need to first go to interim 7.2



rpel Wed, 03/12/2008 - 09:35
User Badges:

Abinjola,

This next week, I would like to upgrade my pix 525 from 6.3(5) to 7.2(3)and asdm-523.

Do i have to upgrade to 7.0(1) first then 7.2(3) ?

Could you please verify and my step by step procedure...

1) power down pix2

2) upgrade pix1 (primary pix)

a) on enable mode

copy tftp flash:image

pix723.bin

reboot

b) on enable mode

copy tftp flahs:asdm

asdm-523.bin

reboot

3) veify the traffic passses

4) power down pix1

5) power on pix2 (secondary)

a) on enable mode

copy tftp flash:image

pix723.bin

reboot

b) on enable mode

copy tftp flahs:asdm

asdm-523.bin

reboot

Do you have tips or tricks, please feel free to add..

thanks

Racy

abinjola Wed, 03/12/2008 - 09:56
User Badges:
  • Cisco Employee,

Gentlemen rate the posts always on a scale of 5 so that we know how helpful was our research/ posts/replies


Racy ..to answer your Query"Do i have to upgrade to 7.0(1) first then 7.2(3) ?

-->yes


follow this seq in steps :-


Power off Primary (this causes Secondary to become active)


Disconnect all cables from Primary (including failover cable)


Power on Primary and attach a PC with a tftp server on it


Use "copy tftp flash" to upgrade the Primary

Reload Primary and verify the new version, config... etc...


Power off Primary


Reconnect all cables back to the Primary

Quickly power off Secondary, and then immediately Power on


- Note: This is where your downtime will occur while the Primary is booting


Once the Primary is up it will be Active, and passing traffic (though after 7.x you have zero downtime available)


Repeat steps 2 - 7, but for the Secondary PIX

Power on the Secondary, it will come up as Standby


Both PIXes are now running the upgraded version and back to normal operation.

This completes the upgrade process.




rpel Wed, 03/12/2008 - 10:56
User Badges:

Thanks Abinjola,


My bad … I forgot to rate the post. You already knew the scale is always 5! It is very helpful.


I would not mind to have some downtime.

So Could I upgrade two steps 7.0(1) and 7.2(3) right way.

Let's say… I upgrade from 6.3(5) to 7.0(1) then reboot pix-primary verify the new version 7.0(1) then upgrade pix-primary again with new code 7.2(3).


I would do the same on secondary pix.

Is it possible? Do you see any harms? If I would like to do two versions upgrade one after another in short period of time.

Once again thank you.

Racy



abinjola Wed, 03/12/2008 - 11:12
User Badges:
  • Cisco Employee,

yes, in a series you may upgrade first to 7.0.1 and then to 7.2.3, no harms



sansari Fri, 05/02/2008 - 11:04
User Badges:

Hi Abinjola,

I am puting in plan to go from 6.4 to 7.2(4). I went through the upgrade procedure for 7.0 and release notes for both 7.2 and 7.0. Just double checking to make sure I do this in one shot. I did not see anything against this.


Also wondering if you have an prefrence to use the boot mode vs. through ios. The upgrade doco for 7.0 does not talk about this.


Also where can I get a copy of the software that reformats the flash please?



jong_r0602 Tue, 05/06/2008 - 06:32
User Badges:

Hi Racy,


Tip!


When upgrading your 6.3 to 7.0 to 7.2, dont forget to path your boot system before reloading your 7.0 to 7.2 version.


Ex:

pix(config)#boot system flash:/pix722.bin


Hope it will help you,


Regards,

Jong


Actions

This Discussion