PIX 535 PDM UR Upgrade procedure from 6.3(1) to 7.2(3) ?

ppoiron · ‎11-29-2007

I planned to upgrade to PIX 535 PDM in failover LAN from 6.3(1) to 7.2(3).

I saw in some Cisco documents that :

1) monitor mode is required for PIX 535 with PDM installed

2) migration should be done step by step (ie: 6.3(1) -> 6.3(5) -> 7.0(1) -> 7.1(2) -> 7.2(3)

3) activation-key is saved during migration

4) PDM is not supported in 7.0. So, installation of ASDM is needed from 6.3 to 7.0

5) PIX image and ASDM image must be compatible

I'm searching somebody who has already done this kind of migration to know if this scenario is correct or if there is another one quicker to realize.

Thanks,

Patrice

srue · ‎11-29-2007

This really depends on your knowledge of 7.x OS. Personally, I found it much easier to wipe the config, upgrade the device, and start from scratch. Well, it's not really starting from scratch. Most commands from 6.3 can copy/paste into 7.x. Vpn configs are a little different and conduits are no longer supported.

How much downtown can you afford, and do you happen to have a 'spare' 535? I guess since it's a failover set, you could upgrade one of them from scratch. set that as your new 7.x primary, then upgrade the other one. But you would probably need to do it all in the same day.

ppoiron · ‎11-29-2007

I'm not very comfortable with 7.x commands and as many of them have changed or disappeared, it would be better for me to use the upgrade steps and not starting from scratch.

If I try to upgrade directly from 6.3(1) to 7.2(3), what kind of problems may I encountered (activation-key, PDM, CA, ...) ?

Also, the downtown must be minimalize even if I have a failover configuration.

Cisco docs are not so cleared about migration for 535 with PDM in failover:

- is monitor mode step mandatory ?

- on which PIX to begin (Active or Standby)?

- what about PDM migration to ASDM ?

- what about downgrade procedure in 6.3 (in monitor mode or not) ?

...