Which Cisco SmartNet product do we need?

Posted on 2006-05-03
Last Modified: 2008-03-05
We've just obtained two Cisco PIX 515E's from our supplier, one with an UR license, and one with a FO license.

After spending some time trying to get them to work in a failover configuration, I suddenly realised that one of them (the UR one) is running 7.0(4), and the other is running 6.3(5). Our supplier is saying that we never made it obvious that we wanted to run them in failover mode, so we need to buy a SmartNet contract so we can upgrade the software on one of them.

Our supplier is saying that we need to buy CON-SAS-PKG4-VS (Cisco Packaged SMARTNet 24x7x4 - virtual solution - Category 4), but having got very confused in the past about Cisco support, I thought I'd seek a second opinion from the fine folks on here.
Is this really what we need, or would something else be more suitable (and cheaper)? I'm not fussed about the 24x7x4 part of things.
Also, would we get something 'tangible' for our money, as they're asking for £10.95 shipping for this, but does the 'virtual solution' part mean we'll just get something emailed to us, or would they actually need a courier to get something physical to us?

Just seeking some helpful advice and guidance through the confusing jungle of Cisco...

Oh, and before someone suggests it, I have tried downloading the software from, but my account doesn't allow me to download the PIX images.
Question by:KemalRouge
    LVL 28

    Expert Comment

    Not sure what that contract would cover, but I would think that CON-SNT-PIX515E would be sufficient. It will allow you to do software upgrades and next business day hardware replacement.
    LVL 5

    Expert Comment

    If the cisco products are brand new you should get free 90 day support including software upgrades.  You just need to create a cisco login and register the products.  

    I still think the smartnets are a good investment with the next business day warranty and phone support from Cisco.

    If the equipment is used you definately need to put these under smartnet to cover your but in case of failure.  

    LVL 12

    Assisted Solution

    Three axes here: service, response time, category.

    Service reflects whether you have software coverage (included with most SmartNet packages, but I never say never or always), hardware coverage, and/or on-site assistance with hardware coverage, in varying combinations.

    Response time indicates how quickly they'll bring you replacement hardware, if the problem is deemed to be hardware-related.  8x5xNBD means they'll have hardware there by Next Business Day for troubles during the business day.  24x7x4 means they'll have equipment to you within four hours for troubles found at any time (24x7).  There are other options.

    Category (PKG4) is a way of grouping similar-valued equipment together (in this case, category 4) and creating product codes for the category, rather than individual products.  CON-SNT-PIX515E is an example of a per-product code, which might get translated to CON-SNT-PKG4 by the time you actually see a packing slip or invoice.

    You have a standby unit, so hardware response may be of marginal value - your call.  And as others have said, you should be entitled to software support during the first 90 days.  You could potentially use that as your excuse to simply copy the PIXos over to the other unit, but I've never truly played with PIXen so I don't know if that's possible.
    LVL 79

    Accepted Solution

    pjtemplin has a good idea.
    Assuming that you want both to run 7.0(4):
    Setup a TFTP server on your network that allows send all/receive all files - no security.
    On the PIX with the 7.0(4) code, plug it into the network, same IP subnet
     pix#copy flash:image.bin tftp://<ipaddress>/pix704.bin

    Now you have another copy of the 704 code and on the PIX unit with 6.3:
     pix#copy tftp://<ipaddress>/pix704.bin flash:

    If you want them both to run 6.3x, just do the reverse.

    Expert Comment


    I've tried exporting the image to tftp using write net command, but had no luck. I thought that unlike the routers, PIX firewalls does not support exportin the images.

    I think that delivery charges makes sence. Last time I bought upgrade codes for out 501s, two sheets of A4 paper arrived in 60X50X30cm box, £10 is not too bad for the size. This was from PC World Business, UK. Another point that it took nearly 3 months to arrive.
    LVL 13

    Expert Comment

    You're correct about not being able to copy the OS file from PIX to TFTP with "write net". This is one thing that has always annoyed me about the PIX.The good thing is that Cisco changed it in 7.0 release. You need to use the "copy" command as lrmoore suggested. This will only work for the 7.0 PIX, not the 6.3 one (ie. 6.3 doesn't have the copy command and so there is no way to get a copy of this OS off the PIX).

    So, if you want to use 7.0.4 on both, simply copy from PIX to TFTP to other PIX. If you want to use 6.3.5 on both, then you have to get a copy of the 6.3.5 code from somewhere so that you can apply it to the second PIX.

    Someone suggested that as you have a failover unit that hardware support might not be needed. I would point out that if the second PIX only has a failover license, when the primary fails it will reboot every 24 hours until the primary is replaced. This is done so that you can't run a PIX with only a failover license as a production unit by itself. Depends on your environment whether this will be inconvenient or not.

    Author Comment

    Thanks so much for the help; the copying of the image from the 7.0(4) box to the 6.3(5) box worked a treat.

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Join & Write a Comment

    New Server  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
    It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now