Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
0
Helpful
3
Replies

Issue when upgrading failover pair

mjsully
Level 1
Level 1

‎07-21-2009 05:04 AM - edited ‎03-11-2019 08:57 AM

Last week I had to upgrade a pair of PIX 515E's running active/standby failover and it did not go as expected. I was going from 7.24(18) to 7.24(30). I uploaded the image to the flash on each, and set the boot parameter. I then rebooted the secondary/standby and it came back up fine. At that point I made the secondary the active and then rebooted the primary/standby, however it did not come back up correctly. A "show failover" from the secondary/active indicated it was in a failed state. Both firewalls were at a remote location so getting console access was not an option at the time. Users started reporting issues with traffic getting dropped with the connections that flowed through this pair, and it became evident that both firewalls thought they were active. I ended up rebooting the secondary/active, and it cleared the problem.

I've read some vague documentation that says you can upgrade with no downtime if you are moving from a certain code or release to another, but I can't find anything specific. I've got others telling me that I should have rebooted both at the same time, but I've never had to do that in the past, and it seems a little dangerous to me, particularly with most of the firewalls we support are at remote locations.

Any thoughts, experiences with upgrading pix's, or pix's vs asa's? I've gone from 7.24(18) to 7.24(30) on other firewall pairs just fine, maybe this one was just a fluke. But I'd like to get an idea of how other people approach these upgrades.

thanks

Labels:
0 Helpful
3 Replies 3

rob.stoop
Level 1
Level 1

‎07-21-2009 10:00 AM

you did the right thing. Never done this on a pix but on a ASA you should do it your way

0 Helpful

slug420
Level 1
Level 1

‎07-21-2009 10:59 AM

i think your mis-step was upgrading from 6.3(5) to 7.x

7.x is crap.

Unexpected behavior should now be expected.

0 Helpful

dhalevi
Level 1
Level 1

‎09-18-2009 01:48 AM

Performing Zero Downtime Upgrades for Failover Pairs

The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading both units to the same version as soon as possible.

Table 42-1 shows the supported scenarios for performing zero-downtime upgrades on a failover pair.

Table 42-1 Zero-Downtime Upgrade Support

Type of Upgrade

Support

Maintenance Release

You can upgrade from any maintenance release to any other maintenance release within a minor release.

For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.

Minor Release

You can upgrade from a minor release to the next minor release. You cannot skip a minor release.

For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1.

Major Release

You can upgrade from the last minor release of the previous version to the next major release.

For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card