Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
232
Views
0
Helpful
2
Replies

Upgrading PIX 535s

admin_2
Level 3
Level 3

‎03-31-2004 12:57 PM - edited ‎02-20-2020 11:19 PM

I am upgrading a failover set, two 535s from 6.1(4) to 6.3.3. My Secondary is licensed to run in failover secondary mode only. I concerned that if I take both devices down and disconnect the failover links the Secondary will become a toaster when it boots. TAC has told me that I have 24 hours before my Secondary will hose without talking to the Primary. If anyone has some insight please pass it along. I would hate to be hit with cold reality at 4 AM.

0 Helpful
2 Replies 2

mike-greene
Level 4
Level 4

‎03-31-2004 01:28 PM

Hi,

Cisco probably does not recommend this but you asked for some insight so here it goes. Depending on the location on the firewalls, in the past I have uploaded the IOS to the primary PIX. After that is done, Upload the IOS to the failover PIX. At this point, both firewalls have the correct IOS there just waiting to be rebooted. Reeboot the primary, the failover takes over and starts passing traffic. Wait about 15 or 20 seconds and reboot the failover. Just about that time the primary will come back up and be running the new IOS. A few seconds later the failover comes back and has the new IOS. If you time it correctly (or if you have a console to the primary PIX) your downtime should be very little and both your firewalls will be upgraded. Like I said before, this probably is not recommended by Cisco but you wanted some insight.

Hope that helps.

0 Helpful

scoclayton
Level 7
Level 7
In response to mike-greene

‎03-31-2004 05:40 PM

Great advice and definetly recommended. More or less a modified version of option #2 in the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml#failover

Scott

PS - We are working on some methods to upgrade a failover pair of PIX's with no downtime. Stay tuned.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card