Re: Pix Failover Upgrade without downtime

armin.kraus · ‎08-05-2003

I am looking for any advice or hints on the process of upgrading a PIX515 failover Bundle from version 6.2 to 6.3 .

I have a document from CCO that lays out the step by step process. ( http://www.cisco.com/warp/public/110/upgrade.shtml#usingcommdupgrade )

The document describes two options, but there is always a minimal downtime during the upgrade process (at least the time for the Pix reboot).

I think, there should be a possibilty to upgrade both Pix 515 without downtime.

Thanks for any solutions !

gfullage · ‎08-06-2003

There isn't, although it is being worked on. The issue is that failover doesn't work with different versions of SW on the two PIX's, so if you're upgrading them then there has to be a point where they're swapped over from one to the other, unfortunately this requires a small outage.

8dstaicu · ‎08-07-2003

There is a third option.

But it's triky somehow. And you need to have console connection to both boxes.

The problem resides from the fact pix can't check if image was uploaded without any error.

Thats why Cisco recomands to have one box up&running.

And this means a short downtime.

I found another method: upload the image on both boxes; reload secondary; as soon as you see the secondary up reload the primary. If you don't do this very quick (1-2secs) you will get a lot of messages saying "mate run different software version" (something like that) and the failover will be disabled. But if you act quick you will not get any error and failover will remain enable.

The downtime is about 2-3 seconds - as soon as secondary box detect it is without primary and start building xlates and pass traffic.

When primary is up you can do a failover active to make primary box to be primary ;-) - but this is optional.

I did this few times and didn't had any problem.

You need to remember that despite this works perfect, Cisco doesn't offer support for.