Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
518
Views
5
Helpful
6
Replies

Opinions on upgrading 515E/PIX 6.3 in failover configuration

jamescork
Level 1
Level 1

‎12-20-2005 07:10 AM - edited ‎03-09-2019 01:25 PM

All,

Is anyone aware of a suggested or recommended method for upgrading a pair of 515Es in a failover configuration?

In the light of http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml it seems unlikely I'm the first person to want to do this but I can't see any reference to a procedure on the Cisco site.

Do I have to unplug the failover lead and do them one at a time? Can I just upgrade the primary, causing a failover to secondary, then upgrade the secondary causing a failover back to primary?

Any thoughts/links/experiences appreciated.

Labels:
0 Helpful
6 Replies 6

mpalardy
Level 3
Level 3

‎12-20-2005 08:51 AM

Take a look to this url:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml#failover

Before performing the upgrade, just save the old config from the pix in case of a roll back to the old version.

At the end of the upgrade procedure I also make a reload from both pix at the same time.

There is also a special procedure if you want to upgrade from 6.2 to 7.0

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.htm

jamescork
Level 1
Level 1
In response to mpalardy

‎12-21-2005 04:04 AM

Many thanks for your help.

Option 1 looks similar to my planned route and shall be the route we take.

Thanks again.

0 Helpful

allgeyer
Level 1
Level 1
In response to mpalardy

‎02-20-2006 08:56 AM

Sorry for warming up this thread.

If I understand right, there is no way of upgrading PIX OS 6.x to PIX OS 6.x+1 w/o having any downtime, right?

--

PIT

0 Helpful

fzamora
Cisco Employee
Cisco Employee
In response to allgeyer

‎02-21-2006 08:52 PM

You are right, there's no way to upgrade without experiencing downtime (at least with 6.x)

Check information about 7.x

Performing Zero Downtime Upgrades for Failover Pairs

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008054dbea.html#wp1053398

Franco Zamora

0 Helpful

rajnagpal
Level 1
Level 1

‎02-21-2006 09:34 PM

Hi James,

A complete detailed description on how to upgrade PIXes operating in a failover environment can be found here :

http://www.ciscotaccc.com/security/showcase?case=K73545150

This contains information for upgrading PIX firewalls operating on 6.x code to a 6.x version or upgrading PIX firewalls operating on code 6.x to 7.x version providing information on how to minimize the downtime for upgradation.

The article also provides information on ZERO DOWNTIME upgrade procedure for uprading the PIXes to 7.x code.

Hope it helps.

Regards,

Raj

0 Helpful

haris.cisco
Level 1
Level 1

‎02-22-2006 03:32 AM

hi,

just take a look at the Quick learning module at

http://www.cisco.com/E-Learning/bulk/public/celc/Cisco_QLM4_ASA_beta/course_skin.html

which provides a detail method for upgradation

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents