
Upgrading a PIX failover pair


John Caruso

Dec 19, 2005, 5:43:26 PM
There used to be lengthy instructions in the PIX documentation about the
Cisco-blessed way to upgrade a PIX failover pair, but I can't seem to locate
that information now in the standard PIX documentation areas (for 6.3, 6.2,
6.1, or 6.0). Maybe I'm just missing something obvious?

Also, the Cisco method I'm talking about was overly complex, IMO, so: does
anyone have a methodology that they feel is better? My usual approach has
just been to do them one after the other with the other unit powered off,
during a downtime window.

This is for an upgrade from 6.3(3) to 6.3(5)...nothing major.

- John

Matty M

Dec 19, 2005, 8:08:04 PM

"John Caruso" <johnSPAMc...@myprivacy.ca> wrote in message
news:slrndqedse.tg.jo...@news.sbcglobal.net...

Hi,

Yeah, I did remember reading that document. I think I just upgraded the
primary, then the secondary, then just rebooted the primary and the secondary
a few seconds after.

Cheers

Matt


Vincent C Jones

Dec 20, 2005, 10:48:52 PM
Matty M <m...@home.com> wrote:
>
>"John Caruso" <johnSPAMc...@myprivacy.ca> wrote in message
>news:slrndqedse.tg.jo...@news.sbcglobal.net...
>> There used to be lengthy instructions in the PIX documentation about the
>> Cisco-blessed way to upgrade a PIX failover pair, but I can't seem to
>
>Yeah, I did remember reading that document. I think I just upgraded the
>primary, then the secondary, then just rebooted the primary and the secondary
>a few seconds after.

Matt, you have more faith than I do in the quality and backwards
compatibility of firmware upgrades. Either that or you have
incredibly long maintenance windows if you need to back out the
changes.

If the application is as downtime sensitive as the use of a failover
PIX implies, I prefer to avoid touching the backup PIX until after
the upgrade has been fully verified and passed all short term
tests. It is usually much quicker to plug in the half a dozen or
so network connections than it is to wait for it to boot up. So
I upgrade the flash in the secondary, shut it down and disconnect
it from the network, then bring it up with the new OS. The key is
to verify that the configuration still looks right (line by line
with a saved copy of what it was... you would be amazed at how much
changes sometimes), make any fixes which are obvious, then disconnect
the primary PIX and put the backup back on the network. Only after
testing all critical applications is it time to upgrade the second
PIX and put it back on line. Don't forget to make sure that all the
tweaks made to the secondary are also made to the primary, and last
but not least, test failover to make sure that that didn't get broken
(the reason you upgrade the secondary first, otherwise you have to
test failover, then failover again when you put the primary back on
line). If you do it right, you can keep the service disruptions down
to the equivalent of single failover and return to normalcy (two
brief service disruptions for normal users, down and back for VPNs).

Yes, it is a little more work. But it is a lot less panic when the
upgrade turns out not to be 100% smooth. For a 6.3(3) to 6.3(4)
type of upgrade it may be overkill.

Good luck and have fun!
--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ Phone: 201 568-7810
http://www.networkingunlimited.com
Expert advice and a helping hand for those who want to manage and control their networking destiny
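The line-by-line check of the post-upgrade configuration against the saved copy that Vincent describes, as an added example that is not part of the thread: a small Python script that drops the lines expected to differ between any two saves (version banner, save marker, checksum; the pattern list is an assumption) and reports every other line that was removed or added. The two sample configs are constructed for the example, not real device output.

```python
import difflib
import re

# Lines that differ between any two saves of the same PIX config (version
# banner, save marker, checksum). Assumed pattern list, not from the thread.
NOISE = re.compile(r"^(PIX Version|: Saved|: Written by|Cryptochecksum:)")


def normalize(config):
    """Keep only the lines that carry policy, stripped of surrounding whitespace."""
    lines = [ln.strip() for ln in config.splitlines()]
    return [ln for ln in lines if ln and not NOISE.match(ln)]


def config_diff(before, after):
    """Compare the saved pre-upgrade config with the post-upgrade one.
    Order is kept on purpose: a moved access-list entry changes policy, so it
    shows up as a removal plus an insertion. Returns (removed, added)."""
    old, new = normalize(before), normalize(after)
    removed, added = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new[j1:j2])
    return removed, added


# Constructed sample configs (not real device output). After the upgrade one
# fixup line is gone and an extra access-list entry has appeared.
SAVED_BEFORE = """: Saved
PIX Version 6.3(3)
nameif ethernet0 outside security0
fixup protocol ftp 21
fixup protocol http 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in deny ip any any
failover
Cryptochecksum:0123456789abcdef0123456789abcdef
"""
RUNNING_AFTER = """: Saved
PIX Version 6.3(5)
nameif ethernet0 outside security0
fixup protocol ftp 21
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in deny ip any any
failover
Cryptochecksum:fedcba9876543210fedcba9876543210
"""
```

Run `config_diff(SAVED_BEFORE, RUNNING_AFTER)` to get the two review lists; a version-only change with the same policy lines yields two empty lists.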
