upgrading failover set- need help fast

mjsully
Level 1

We are going to be upgrading 3 sets of PIX 515 firewalls, with each set currently utilizing failover. We are moving from 6.3(1) to 6.3(3). My question is this: Is it possible to upgrade and reboot these in sequence so that no functionality to the network is lost? I realize that the point of failover is to allow me to reload one without affecting anything, but what about after dropping a new image on it? Let's say I upgrade the primary on one set. As soon as I reload it, the secondary should still kick in because at that point the secondary still thinks it's running the same OS as the primary (I don't think it takes effect until a reload?). Now when the primary is back up, I assume it will say something to the effect that it won't run in failover because it sees the secondary with a lower version. If true, no big deal as long as the primary is passing traffic. Now I should just be able to reload the secondary, which will come back up, and failover should work? I have read the documentation on upgrading, but it doesn't mention the specifics of what to do if you want to avoid disruption in network services. If any of that is confusing, to summarize: I want to upgrade these units with complete transparency to any users. Thanks

2 Replies

richardmcmahon
Level 1

Here is an excerpt from the upgrade procedure. It appears that the recommended method will cause downtime that lasts as long as it takes to boot the primary PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml#failover

Cheers,

Richard

Upgrading PIX Devices in a Failover Set with Minimal Downtime

To use this procedure, the PIX devices must be running PIX Software versions 5.1.x or later. These instructions are valid for all PIX devices that are capable of running in a failover set. For more information about failover, see How Failover Works on the Cisco Secure PIX Firewall.

Two different options are listed below for upgrading your PIX with minimal downtime. The first option is the safest way to upgrade your failover set. If anything goes wrong with the upgrade process, you would always have one operational PIX to pass your network traffic. The second option is simpler but riskier. The risk resides in the possibility that the new image loaded on the PIX devices is corrupt in some way. Both options are presented so that you can choose the best method for your specific network.

Option 1

This is a quick way to upgrade your failover set.

1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

2. Power off the Primary (this causes the Secondary to become active).

3. Disconnect all cables from the Primary (including the failover cable).

4. Power on the Primary and attach a PC with a TFTP server on it.

5. Use copy tftp flash to upgrade the Primary.

6. Reload the Primary and verify the new version and configuration.

7. Power off the Primary.

8. Reconnect all cables back to the Primary.

9. Quickly power off the Secondary, and then immediately power on the Primary.

   Note: Your downtime will occur while the Primary is booting up.

10. Once the Primary is up, it will be active and passing traffic.

11. Repeat steps 2 - 7, but for the Secondary PIX.

12. Power on the Secondary; it comes up as Standby.

13. Both PIX devices are now running the upgraded version and are back to normal operation.

Option 2

Here's another option for upgrading your failover set.

1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

2. Use the copy tftp flash command to copy the new PIX image to the Primary PIX.

3. Use the copy tftp flash command to copy the new PIX image to the Secondary PIX.

4. Power off both PIX devices.

5. Power on the Primary PIX.

6. Wait 10 seconds (to ensure that the Primary PIX becomes the Active PIX).

7. Power on the Secondary PIX. It will come up as Standby.

8. Both PIX devices are now running the upgraded version and are back to normal operation.
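The Cisco procedure above flags one risk for Option 2: a corrupt image loaded onto both units at once leaves no working firewall to fall back to. The following is an added example, not part of Richard's post or of the Cisco document, showing a small POSIX shell helper that is run on the TFTP host before step 1 of either option: it checks the MD5 of the downloaded pixnnn.bin against the checksum published on the Cisco download page and copies the file into the TFTP root only when the two match, so a truncated or tampered image is never offered to either PIX via copy tftp flash. The function names, the TFTP root path and the sample file contents are constructed for this example; the expected checksum must come from the download page for the image actually in use.

```shell
#!/bin/sh
# Added example for staging a PIX image safely (not from the Cisco document).
# verify_image FILE EXPECTED_MD5  -> exit status 0 if the file exists, is non-empty
#                                    and its MD5 matches EXPECTED_MD5; 1 otherwise.
# stage_image  FILE EXPECTED_MD5 TFTP_ROOT -> verify, then copy FILE into TFTP_ROOT.

# Print the hex MD5 of a file, using whichever tool the host provides
# (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

verify_image() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case
    if [ ! -s "$file" ]; then
        echo "ERROR: missing or empty image: $file" >&2
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file md5=$actual"
        return 0
    fi
    echo "MISMATCH: $file expected=$expected got=$actual (do not load this image)" >&2
    return 1
}

stage_image() {
    file="$1"; expected="$2"; root="$3"
    verify_image "$file" "$expected" || return 1
    [ -d "$root" ] || { echo "ERROR: TFTP root $root does not exist" >&2; return 1; }
    cp "$file" "$root/" || return 1
    # Re-check the copy itself, so a short write on the TFTP host is caught too.
    verify_image "$root/$(basename "$file")" "$expected" >/dev/null || return 1
    echo "staged $(basename "$file") in $root"
}

# Usage (constructed placeholders; substitute the real image and the checksum
# published on the Cisco download page):
#   stage_image ./pixnnn.bin 0123456789abcdef0123456789abcdef /tftpboot
```

The copy into the TFTP root is re-hashed after the write; a partially copied file is exactly the failure mode the procedure warns about, and the PIX will fetch whatever sits in that directory. If either check fails, the script exits non-zero and nothing is staged, so the upgrade stops before any unit in the failover set is touched.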

Richard -

If you follow Option 1 and disconnect the primary and connect a PC with a TFTP server, how do you connect the PC? Via COM1 and the console port? Or do you have to configure the PC NIC with an IP on one of the PIX interfaces?

If the answer is the console port, then in the copy tftp flash command what would the host name be, since it is not an IP connection?
