Last week I had to upgrade a pair of PIX 515Es running active/standby failover and it did not go as expected. I was going from 7.24(18) to 7.24(30). I uploaded the image to the flash on each, and set the boot parameter. I then rebooted the secondary/standby and it came back up fine. At that point I made the secondary the active and then rebooted the primary/standby; however, it did not come back up correctly. A "show failover" from the secondary/active indicated it was in a failed state. Both firewalls were at a remote location, so getting console access was not an option at the time. Users started reporting issues with traffic getting dropped on the connections that flowed through this pair, and it became evident that both firewalls thought they were active. I ended up rebooting the secondary/active, and it cleared the problem.
I've read some vague documentation that says you can upgrade with no downtime if you are moving from a certain code or release to another, but I can't find anything specific. I've got others telling me that I should have rebooted both at the same time, but I've never had to do that in the past, and it seems a little dangerous to me, particularly since most of the firewalls we support are at remote locations.
Any thoughts or experiences with upgrading PIXes, or PIXes vs. ASAs? I've gone from 7.24(18) to 7.24(30) on other firewall pairs just fine, so maybe this one was just a fluke. But I'd like to get an idea of how other people approach these upgrades.
Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading both units to the same version as soon as possible.
Table 42-1 shows the supported scenarios for performing zero-downtime upgrades on a failover pair.
Table 42-1 Zero-Downtime Upgrade Support

Type of Upgrade: Maintenance release
Support: You can upgrade from any maintenance release to any other maintenance release within a minor release. For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.

Type of Upgrade: Minor release
Support: You can upgrade from a minor release to the next minor release. You cannot skip a minor release. For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1.

Type of Upgrade: Major release
Support: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.
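The rules in Table 42-1, as an added example (my own code, not Cisco's): a small checker that parses PIX/ASA-style version strings such as 7.0(4) or 7.2(4)18 and reports whether a given path qualifies as a zero-downtime upgrade. Which minor release is the last one in a major release is not something the version string tells you, so the caller supplies it; the constructed default below uses only the table's own example (7.9 as the last 7.x minor).

```python
import re
from typing import Dict, Tuple

# PIX/ASA versions look like "7.0", "7.0(4)" or "7.2(4)18":
# major.minor(maintenance)[interim]. The interim build is parsed but ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\))?(\d+)?$")

# Constructed assumption: which minor is the last of each major release.
# Taken only from the table's example ("assuming that 7.9 is the last 7.x").
LAST_MINOR: Dict[int, int] = {7: 9}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, maintenance); a missing maintenance number is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, maint, _interim = m.groups()
    return int(major), int(minor), int(maint or 0)


def zero_downtime_supported(src: str, dst: str,
                            last_minor: Dict[int, int] = LAST_MINOR) -> Tuple[bool, str]:
    """Apply the three rules of Table 42-1 and explain the verdict."""
    s = parse_version(src)
    d = parse_version(dst)
    s_major, s_minor, _ = s
    d_major, d_minor, _ = d
    if d < s:
        return False, "that is a downgrade, not an upgrade"
    if (s_major, s_minor) == (d_major, d_minor):
        # Rule 1: any maintenance release to any other within the same minor.
        return True, "maintenance release within the same minor release"
    if s_major == d_major:
        # Rule 2: the next minor release only; skipping one is not supported.
        if d_minor == s_minor + 1:
            return True, "next minor release"
        return False, f"skips a minor release; upgrade to {s_major}.{s_minor + 1} first"
    if d_major == s_major + 1 and d_minor == 0:
        # Rule 3: last minor of the previous major to the next major's first release.
        if s_major not in last_minor:
            return False, f"cannot confirm that {src} is the last minor release of {s_major}.x"
        if last_minor[s_major] == s_minor:
            return True, "last minor release of the previous version to the next major release"
        return False, f"upgrade to {s_major}.{last_minor[s_major]} before moving to {d_major}.0"
    return False, "not a supported zero-downtime upgrade path"
```

By these rules the poster's 7.24(18) to 7.24(30) step is a maintenance-release upgrade and falls under the supported case, so the table alone does not explain the dual-active state they saw.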
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :