I have a Pix 525 running 5.2(5) code in production. We purchased another 525 with a failover license only, to create a failover set. The problem is that this Pix is running 6.1(2) code. I don't believe I can configure them in failover mode unless they have the same IOS code. The goals are to upgrade both Pix to 6.1(4) code and configure them in stateful failover mode. I've read the upgrading Pix white paper. It seems that my logical procedure would be either to downgrade the new Pix to 5.2(5) code and set up failover first, then upgrade them to 6.1(4); or to upgrade the production Pix to 6.1(2) and connect the failover Pix, ensure failover is operational, then upgrade both to 6.1(4). Can someone please let me know what the correct procedure is?
2. Upgrade primary pix to 6.2(2). If necessary for your comfort level, let it run for a little while to assure yourself of its stability (I'd definitely recommend it over 6.1(x)).
3. With the secondary off of the network, upgrade it to 6.2(2).
4. Then configure the primary for stateful failover IAW the previously mentioned doc.
5. When the opportunity permits, test failover so you're convinced of how well it will work when you need it (better to schedule a short outage period than to have an unplanned one because you didn't have it configured the way you meant).
Not sure of Jeff's reasoning for suggesting 6.2(2), but I agree with him. My reasoning is that later code in the PIX is always (alright, generally) more reliable than older code, specifically as we fix bugs. 6.2(1) did have some bugs, but 6.2(2) is pretty stable now. Later code in routers is not always the best thing to go with, but with the PIX I always suggest the latest code.
As for the upgrade path, I think Jeff outlined it pretty well. Upgrade the primary straight to 6.2(2) and let it run for a while. Upgrade the failover off-line at any time. At some point in the future, connect them together.
You should be able to go from 5.2 to 6.2 directly, but if you're really concerned you could go 5.2 -> 6.1 -> 6.2.