Upgrading Pix Failover from 6.3(4) to 6.3(5)

Posted on 2006-03-28
Last Modified: 2013-11-16
Hi All,

I would like to upgrade our PIXes from 6.3(4) to 6.3(5). (I know 7.0 is out there, but for different reasons I prefer to wait a little while longer before I go down that path.) Up to now we have been using a single PIX with no failover, so the upgrade was straightforward. I have not done a PIX IOS upgrade on a PIX failover setup yet, so I am a little nervous about doing it without getting some advice.

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

munich up 118 days 22 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0050.54ff.185f, irq 11
1: ethernet1: address is 0050.54ff.1860, irq 10
2: ethernet2: address is 000d.88ef.7e64, irq 9
3: ethernet3: address is 000d.88ef.7e65, irq 9
4: ethernet4: address is 000d.88ef.7e66, irq 9
5: ethernet5: address is 000d.88ef.7e67, irq 9
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

I had planned the procedure as follows:

pix(config)# copy tftp flash:image   (active PIX)
Enter the image name
Yes to write
and then a reboot. Done.

My question is: what is the best way to do it when there is failover?
My plan of action was to take the secondary PIX offline. Upgrade the primary PIX, reboot it. Upgrade the secondary PIX while it is still offline (not connected to anything except the laptop), connect the failover cable again and then reboot, and hopefully it would synchronize without any problems.

I am sure Cisco experts shiver in their boots when they hear that suggestion :-), which is why I am here looking forward to your solution on what the best procedure is when it comes to a failover upgrade, as I am sure there is an easier way of doing this.

Thanks In advance
Question by:huwa

    Accepted Solution

    Here's Cisco's official procedure:
    If you don't have a CCO account, you may not be able to see that doc, so here's the pertinent part:

    Option 1
    This is a quick way to upgrade your failover set.

    1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.
    2. Power off the Primary (this causes the Secondary to become active).
    3. Disconnect all cables from the Primary (including the failover cable).
    4. Power on the Primary and attach a PC with a TFTP server on it.
    5. Use the copy tftp flash command in order to upgrade the Primary.
    6. Reload the Primary and verify the new version and configuration.
    7. Power off the Primary.
    8. Reconnect all cables back to the Primary.
    9. Quickly power off the Secondary, and then immediately power on the Primary.
       Note: Your downtime occurs while the Primary boots up.
    10. Once the Primary is up, it is active and passes traffic.
    11. Repeat steps 2 through 7 for the Secondary PIX.
    12. Power on the Secondary. It comes up as Standby.
    13. Both PIX devices now run the upgraded version and are back to normal operation.

    Option 2
    This is another option for your failover set upgrade.

    1. Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.
    2. Use the copy tftp flash command in order to copy the new PIX image to the Primary PIX.
    3. Use the copy tftp flash command in order to copy the new PIX image to the Secondary PIX.
    4. Power off both PIX devices.
    5. Power on the Primary PIX.
    6. Wait ten seconds. This ensures that the Primary PIX becomes the Active PIX.
    7. Power on the Secondary PIX. It comes up as Standby.
    8. Both PIX devices now run the upgraded version and are back to normal operation.

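    The procedure above relies on two things being true before the failover cable goes back on: both units must report the same (new) software version on matching hardware, and the image that was copied to flash must be the one you meant to copy. The following script is an added example, not code from the original post, from the expert, or from Cisco. It parses the output of show version and show failover so the check can be done mechanically rather than by eye. The primary's show version header is taken from the post; the secondary's output, the show failover excerpt and the expected MD5 value are constructed samples. The exact show failover layout and the assumption that Cisco publishes an MD5 alongside the image download are assumptions and are marked as such in the comments.

```python
import hashlib
import re

# Sample "show version" header for the primary, taken from the original post
# (still on 6.3(4)).
PRIMARY_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

munich up 118 days 22 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
"""

# Constructed sample (not captured from a real unit): what the secondary would
# print once it is running 6.3(5). Only the version and hardware lines matter.
SECONDARY_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Mon 01-Jan-01 00:00 by example

munich2 up 0 days 0 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
"""

# Constructed "show failover" excerpt. The exact layout is an assumption based
# on the 6.3 CLI; the parser only relies on the "This host" / "Other host" lines.
FAILOVER_SAMPLE = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Active
                Active time: 120 (sec)
        Other host: Secondary - Standby
                Active time: 0 (sec)
"""

VERSION_RE = re.compile(r"^Cisco PIX Firewall Version (\S+)", re.MULTILINE)
HARDWARE_RE = re.compile(r"^Hardware:\s+(.+)$", re.MULTILINE)
THIS_HOST_RE = re.compile(r"This host:\s+\w+\s+-\s+(\w+)")
OTHER_HOST_RE = re.compile(r"Other host:\s+\w+\s+-\s+(\w+)")


def parse_show_version(text):
    """Return (software_version, hardware_description) from 'show version' output."""
    version = VERSION_RE.search(text)
    hardware = HARDWARE_RE.search(text)
    if version is None or hardware is None:
        raise ValueError("not recognisable PIX 'show version' output")
    return version.group(1), hardware.group(1).strip()


def failover_pair_consistent(primary_text, secondary_text, target_version):
    """List the reasons the pair is not ready to be cabled back together.

    An empty list means both units report the target version on matching
    hardware, which failover requires before the cable goes back on.
    """
    problems = []
    p_ver, p_hw = parse_show_version(primary_text)
    s_ver, s_hw = parse_show_version(secondary_text)
    if p_ver != target_version:
        problems.append(f"primary runs {p_ver}, expected {target_version}")
    if s_ver != target_version:
        problems.append(f"secondary runs {s_ver}, expected {target_version}")
    if p_hw != s_hw:
        problems.append(f"hardware mismatch: primary '{p_hw}' vs secondary '{s_hw}'")
    return problems


def image_matches_hash(image_bytes, expected_md5_hex):
    """True if the image bytes hash to the expected MD5 (case-insensitive).

    Assumption: the expected value is the checksum published with the download.
    """
    return hashlib.md5(image_bytes).hexdigest() == expected_md5_hex.strip().lower()


def parse_failover_roles(text):
    """Return (this_host_state, other_host_state) from 'show failover' output."""
    this_host = THIS_HOST_RE.search(text)
    other_host = OTHER_HOST_RE.search(text)
    if this_host is None or other_host is None:
        raise ValueError("not recognisable PIX 'show failover' output")
    return this_host.group(1), other_host.group(1)


if __name__ == "__main__":
    # The check a practitioner would run after "Reload the Primary and verify"
    # and before reconnecting the cables: stop if either unit is on the old image.
    for problem in failover_pair_consistent(PRIMARY_SHOW_VERSION,
                                            SECONDARY_SHOW_VERSION, "6.3(5)"):
        print("NOT READY:", problem)
    print("roles after reconnect:", parse_failover_roles(FAILOVER_SAMPLE))
```

    Paste each unit's console output into the two strings (or read it from the captured session) and run the script; with the samples as given it reports that the primary is still on 6.3(4), which is exactly the situation in which reconnecting the failover cable would not give you a working pair. Once both units report 6.3(5) the list is empty, and the show failover parse confirms the expected Primary-Active / Secondary-Standby split.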

    Author Comment

    Nope, I have no CCO account, and I appreciate the steps you have laid out.

    Great, I will need to organise this when there is little happening on our network. I am pretty sure it will work as you have described it.

    Much appreciated
