Upgrading Pix Failover from 6.3(4) to 6.3(5)

Hi All,

I would like to upgrade our PIXes from 6.3(4) to 6.3(5). (I know 7.0 is out there, but for different reasons I prefer to wait a little while longer before I go down that path.) Up to now we have been using a single PIX with no failover, so the upgrade was straightforward. I have not done a PIX IOS upgrade on a PIX failover setup yet, so I am a little nervous doing it without getting some advice.

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

munich up 118 days 22 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0050.54ff.185f, irq 11
1: ethernet1: address is 0050.54ff.1860, irq 10
2: ethernet2: address is 000d.88ef.7e64, irq 9
3: ethernet3: address is 000d.88ef.7e65, irq 9
4: ethernet4: address is 000d.88ef.7e66, irq 9
5: ethernet5: address is 000d.88ef.7e67, irq 9
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

I had planned the procedure as follows:

pix(config)# copy tftp flash:image (active pix)
Give in image name
Yes to write
and then a reboot. Done

My question is what is the best way to do it when there is failover.
My plan of action was to take the secondary PIX offline. Upgrade the primary PIX, reboot it. Upgrade the secondary PIX while it is still offline (not connected to anything except a laptop), connect the failover cable again and then reboot, and hopefully it would synchronize without any problems.

I am sure Cisco experts shiver in their boots when they hear that suggestion :-), which is why I am here looking forward to your solution on what the best procedure is when it comes to a failover upgrade, as I am sure there is an easier way of doing this.

Thanks in advance

Here's Cisco's official procedure:
If you don't have a CCO account, you may not be able to see that doc, so here's the pertinent part:

Option 1
This is a quick way to upgrade your failover set.

1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

2. Power off the Primary (this causes the Secondary to become active).

3. Disconnect all cables from the Primary (including failover cable).

4. Power on the Primary and attach a PC with a TFTP server on it.

5. Use the copy tftp flash command in order to upgrade the Primary.

6. Reload the Primary and verify the new version and configuration.

7. Power off the Primary.

8. Reconnect all cables back to the Primary.

9. Quickly power off the Secondary, and then immediately power on the Primary.

   Note: Your downtime occurs while the Primary boots up.

10. Once the Primary is up, it is active and passes traffic.

11. Repeat steps 2 through 7 for the Secondary PIX.

12. Power on the Secondary. It comes up as Standby.

Both PIX devices now run the upgraded version and are back to normal operation.

Option 2
This is another option for your failover set upgrade.

1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

2. Use the copy tftp flash command in order to copy the new PIX image to the Primary PIX.

3. Use the copy tftp flash command in order to copy the new PIX image to the Secondary PIX.

4. Power off both PIX devices.

5. Power on the Primary PIX.

6. Wait ten seconds. This ensures that the Primary PIX becomes the Active PIX.

7. Power on the Secondary PIX. It comes up as Standby.

Both PIX devices now run the upgraded version and are back to normal operation.


huwa (Author) commented:
Nope, I have no CCO account, and appreciate the steps you have laid out.

Great, will need to organise this when there is little happening on our network. I am pretty sure it will work as you have described it.

Much appreciated