We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

Upgrading Pix Failover from 6.3(4) to 6.3(5)

huwa
huwa asked
on
Medium Priority
901 Views
Last Modified: 2013-11-16
Hi All,

I would like to upgrade our Pixes from 6.3(4) to 6.3(5)  (I know 7.0 is out there but for different reasons, I prefer to wait a little while longer before I go down that Path) Up to now we have been using a Single pix with no failover, so the upgrade was straight forward. I have not done a PIX IOS upgrade on a PIX failover setup yet, so am a little nervous doing it without getting some advice.

Hardware:
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

munich up 118 days 22 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0050.54ff.185f, irq 11
1: ethernet1: address is 0050.54ff.1860, irq 10
2: ethernet2: address is 000d.88ef.7e64, irq 9
3: ethernet3: address is 000d.88ef.7e65, irq 9
4: ethernet4: address is 000d.88ef.7e66, irq 9
5: ethernet5: address is 000d.88ef.7e67, irq 9
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

--------------------------------------------------------------------------------------------
I had planned procedure as follows

pix(config)# copy tftp flash:image (active pix)
Give in image name
Yes to write
and then a reboot. Done

My question is what is the best way to do it when there is failover.
My plan of action was too take Secondary pix offline. Upgrade the primary Pix, reboot it. Upgrade the secondary pix while it is still offline (not connected to anything except laptop), connect failover cable again and then reboot,and hopefully it would synchronize without any problems.

I am sure cisco experts shiver in there boots when they here that suggestion :-), reason Why I am here looking forward to your solution on what the best procedure is, when it comes to a failover upgrade, as I am sure there is a easier way of doing this.

Thanks In advance
Hugh
Comment
Watch Question

Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:
Here's Cisco's official procedure:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml#failover
If you don't have CCO account, you  may not be able to see that doc, so here's the pertinent part:

Option 1
This is a quick way to upgrade your failover set.

Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

Power off the Primary (this causes the Secondary to become active).

Disconnect all cables from the Primary (including failover cable).

Power on the Primary and attach a PC with a TFTP server on it.

Use the copy tftp flash command in order to upgrade the Primary.

Reload the Primary and verify the new version and configuration.

Power off the Primary.

Reconnect all cables back to the Primary.

Quickly power off the Secondary, and then immediately power on the Primary.

Note: Your downtime occurs while the Primary boots up.

Once the Primary is up, it is active and passes traffic.

Repeat steps 2 through 7 for the Secondary PIX.

Power on the Secondary. It comes up as Standby.

Both PIX devices now run the upgraded version and are back to normal operation.

Option 2
This is another option for your failover set upgrade.

Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

Use the copy tftp flash command in order to copy the new PIX image to the Primary PIX.

Use the copy tftp flash command in order to copy the new PIX image to the Secondary PIX.

Power off both PIX devices.

Power on the Primary PIX.

Wait ten seconds. This ensures that the Primary PIX becomes the Active PIX.

Power on the Secondary PIX. It comes up at Standby.

Both PIX devices now run the upgraded version and are back to normal operation.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Nope  I have no CCo account, and appreciate the steps you have laid out.

Great, will need to organise this when there is little happening on our network, I am pretty sure t wil work as yo has desribed it.

Much appreciated
Hugh
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.