
New Member

Failover pix upgrade

Am upgrading a production pair (failover pair) of Pix 525 to 6.3(5125) in the next few days. (Also am rationalising the existing rulebase.) Any caveats on doing this upgrade with a failover pair? Thanks

4 REPLIES
New Member

Re: Failover pix upgrade

Peter-net

I think the only issue is memory to 128MB for Unrestricted. Here is a helpful site:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

rlacap

New Member

Re: Failover pix upgrade

Just a tip on this... you've probably thought about it yourself already.

Be careful with the copying of the images if you are doing the upgrade on a live solution. As soon as you copy the image to one of the firewalls the failover no longer exists (because it needs the same image on both of them). I would advise you to plan this very carefully if you are doing it remotely.

Cisco Employee

Re: Failover pix upgrade

hey Peter,

Follow this procedure and you are safe:

1) Power off Primary (this causes Secondary to become active)

2) Disconnect all cables from Primary (including failover cable)

3) Power on Primary and attach a PC with a tftp server on it

4) Use "copy tftp flash" to upgrade the Primary

5) Reload Primary and verify the new version, config... etc...

6) Power off Primary

Reconnect all cables back to the Primary

7) Quickly power off Secondary, and then immediately power on Primary

- Note: This is where your downtime will occur while the Primary is booting

Once the Primary is up it will be Active, and passing traffic

8) Repeat steps 2 - 7, but for the Secondary PIX

Power on the Secondary, it will come up as Standby

9) Both PIXes are now running the upgraded version and back to normal operation.

This completes the upgrade process.

New Member

Re: Failover pix upgrade

Hello Peter,

I recently (weekend before last) upgraded our 535 firewall failover pair to 7.2 and used the steps as specified by Abinjola. And it went on without too much of a problem.

Goes without saying, to remember to backup your current config just in case.

In my case, the only issue I had was space on the device, so I had to delete the existing ASDM image from flash first, reloaded the firewall, then ran the copy tftp flash. Once I verified that that was working fine, I then got rid of the old firmware image from flash too.

You will also need to copy a new ASDM image to work with the new firmware you are upgrading to.
