New Member

FWSM upgrade from 1.1(3) to 2.3(3)

We recently had one of our (failover pair) FWSM RMAed. The new FWSM has 2.3(3) and the existing production FWSM has 1.1(3).

I want to upgrade the current production FWSM to be the same software level as the new module in order to enable failover.

What are the steps to achieve this?



Re: FWSM upgrade from 1.1(3) to 2.3(3)


You need to re-configure the switch where the new RMA-ed blade resides with all necessary configuration, i.e. the firewall VLAN group, which VLANs need to sit behind the FWSM, and so on. This is more or less similar to the current switch-FWSM config.

In the new blade, you need to change/use different VLAN interface names (under nameif, reserve the same VLAN ID but use different names). Configure other parameters, including the failover LAN interface & VLAN, similar to the current/production module. Set the blade as the secondary failover unit.

You need to have 2 sessions to both FWSM before activating the new blade as active FWSM.

When the new FWSM module is ready and the switch has been configured accordingly, go to the production FWSM and disable its role as primary FWSM (use "no failover active"). At the same time, go to the session on the new FWSM and immediately set this blade as the new/active firewall (use "failover active"). This process helps to minimize downtime during the upgrade and allows you to put the new blade in production.


- Define a separate VLAN as a firewall VLAN (remove the old firewall VLAN definitions) on the switch with the replacement FWSM.

- Plug a PC into the Catalyst 6000 and assign the switch port to the same VLAN that you just defined.

- Session to the FWSM and enable an interface.

- Use the PC as a TFTP server to download the software. Ensure that you use the same version of code as the current Active device.

- Configure basic failover settings on the FWSM and restore the old firewall VLANs and the failover interface (remove the interface configured for TFTP). At this time, configuration replication occurs and the FWSM becomes the backup.

For more details, check the:



New Member

Re: FWSM upgrade from 1.1(3) to 2.3(3)

Hi AK,

Thanks for the quick guide. I think I have that nailed down. My other concern is, how complicated is it to upgrade the current production FWSM which is 1.1(3) to 2.3(3)?

- Can I just session into the 1.1(3) module and issue "copy tftp flash" with the new 2.3(3) software?

- Is there any other condition that needs to be met before I can upgrade the 1.1(3) module? Any pitfalls or gotchas?


Re: FWSM upgrade from 1.1(3) to 2.3(3)

Yes, basically you can do that after the new blade is running fine and has taken over the firewall operation.

Session into the old blade from the switch CLI/console. Make sure the TFTP PC/server is connected to a switchport that belongs to a VLAN defined as inside/dmz in the FWSM. Basically do the same thing as when you defined which VLANs will sit behind the FWSM.

The VLAN can be a temp VLAN that is used purposely for the image upgrade only.