07-21-2009 05:04 AM - edited 03-11-2019 08:57 AM
Last week I had to upgrade a pair of PIX 515Es running active/standby failover, and it did not go as expected. I was going from 7.24(18) to 7.24(30). I uploaded the image to the flash on each and set the boot parameter. I then rebooted the secondary/standby, and it came back up fine. At that point I made the secondary the active unit and then rebooted the primary/standby; however, it did not come back up correctly. A "show failover" from the secondary/active indicated it was in a failed state. Both firewalls were at a remote location, so getting console access was not an option at the time. Users started reporting issues with traffic getting dropped on the connections that flowed through this pair, and it became evident that both firewalls thought they were active. I ended up rebooting the secondary/active, and that cleared the problem.
I've read some vague documentation that says you can upgrade with no downtime if you are moving from a certain code or release to another, but I can't find anything specific. I've got others telling me that I should have rebooted both at the same time, but I've never had to do that in the past, and it seems a little dangerous to me, particularly since most of the firewalls we support are at remote locations.
Any thoughts or experiences with upgrading PIXs, or PIXs vs. ASAs? I've gone from 7.24(18) to 7.24(30) on other firewall pairs just fine, so maybe this one was just a fluke. But I'd like to get an idea of how other people approach these upgrades.
thanks
07-21-2009 10:00 AM
You did the right thing. I've never done this on a PIX, but on an ASA you should do it your way.
07-21-2009 10:59 AM
I think your misstep was upgrading from 6.3(5) to 7.x.
7.x is crap.
Unexpected behavior should now be expected.
09-18-2009 01:48 AM
Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading both units to the same version as soon as possible.
Table 42-1 shows the supported scenarios for performing zero-downtime upgrades on a failover pair.
Table 42-1 Zero-Downtime Upgrade Support

Type of Upgrade: Maintenance Release
Support: You can upgrade from any maintenance release to any other maintenance release within a minor release. For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.

Type of Upgrade: Minor Release
Support: You can upgrade from a minor release to the next minor release. You cannot skip a minor release. For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1.

Type of Upgrade: Major Release
Support: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398
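The rules in Table 42-1 are easy to misapply when planning a multi-hop upgrade of a remote failover pair, so here is a small planner that encodes them. This is an added example written for this thread, not code from Cisco or from the documentation quoted above. It assumes version strings in the PIX/ASA form "major.minor(maintenance)" and, because the major-release rule depends on knowing which minor was the last in a train, it takes that knowledge as a caller-supplied dictionary (the sample value {7: 2} below is constructed for illustration, as are the sample version numbers). It also generalises the table slightly: it returns the full chain of minor releases a zero-downtime path must pass through, rather than only answering yes or no for one hop.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches PIX/ASA style version strings such as "7.0(4)" or "8.0(2)".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor(maintenance)' into an (major, minor, maintenance) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PIX/ASA version string: {text!r}")
    major, minor, maint = (int(x) for x in m.groups())
    return (major, minor, maint)


def zero_downtime_hops(src: str, dst: str,
                       last_minor: Dict[int, int]) -> Optional[List[str]]:
    """Plan a zero-downtime upgrade path from src to dst under Table 42-1.

    Returns the ordered list of minor releases ("M.m") the pair must be
    stepped through, ending at the destination minor. An empty list means
    the move is a maintenance-release upgrade inside one minor and can be
    done directly. None means no zero-downtime path can be planned: either
    the move is a downgrade (not covered by the table) or the last minor of
    an intermediate major train is unknown, so the major-release rule
    cannot be applied.

    last_minor maps a major number to its final minor release, e.g. {7: 2}.
    That mapping is an assumption the caller supplies; the table itself
    only says the hop must start from the last minor of the previous major.
    """
    s = parse_version(src)
    d = parse_version(dst)
    if d < s:
        return None  # downgrade: Table 42-1 makes no zero-downtime claim

    hops: List[str] = []
    major, minor = s[0], s[1]
    while (major, minor) != (d[0], d[1]):
        if major < d[0]:
            # Must first reach the last minor of this train, then jump to
            # the next major's .0 release (the "Major Release" row).
            last = last_minor.get(major)
            if last is None:
                return None
            if minor < last:
                minor += 1
            else:
                major, minor = major + 1, 0
        else:
            # Same major as the target: one minor at a time, no skipping
            # (the "Minor Release" row).
            minor += 1
        hops.append(f"{major}.{minor}")
    return hops


def direct_zero_downtime_supported(src: str, dst: str,
                                   last_minor: Dict[int, int]) -> bool:
    """True when src -> dst is a single supported zero-downtime step."""
    hops = zero_downtime_hops(src, dst, last_minor)
    return hops is not None and len(hops) <= 1


if __name__ == "__main__":
    # Constructed sample: assume 7.2 was the last 7.x minor release.
    assumed_last_minor = {7: 2}
    for a, b in [("7.0(1)", "7.0(4)"), ("7.0(1)", "7.2(4)"), ("7.2(4)", "8.0(2)")]:
        print(a, "->", b, "hops:", zero_downtime_hops(a, b, assumed_last_minor),
              "direct:", direct_zero_downtime_supported(a, b, assumed_last_minor))
```

A two-element (or longer) result means the pair has to be upgraded in stages, each stage being a full standby-first/failover/upgrade-the-other-unit cycle, before the units are back on a single version.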