
FWSM cluster Upgrades

Hi All,

I have never worked on Cisco FWSM and need to complete upgrades (3.2.18 to 4.1.x) in cluster mode. The FWSM is running on a Catalyst 6500 switch with THREE contexts including admin. The switch is running s72033-ipservicesk9_wan-mz.122-33.SXJ10.bin with a WS-SUP720-3B supervisor.

The admin context does not have any IP configured, so how do I access the FWSM through ASDM?

What is the best method to upgrade this cluster? I am a bit scared as it is very legacy and Cisco has stopped support. It is in production and I cannot find any test environment.

I would really appreciate it if someone who has worked on FWSM could guide me.

Thanks,

 

6 Replies

Marvin Rhoads
Hall of Fame

You can run the upgrade from a session that you've initiated from the Catalyst switch.

session slot <number> processor 1

Make sure you are in the system execution space and follow the instructions here:

http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm41/configuration/guide/fwsm_cfg/swcnfg_f.html#wp1064044

It's actually pretty straightforward. It will require some downtime.

Many Thanks Marvin,

Is there any other way to upload the software image onto cf:4 or cf:5 without assigning an IP to the admin context? Can I upgrade the standby unit first, fail over to the standby FW and then upgrade the former active FW after a few days, or is it recommended to upgrade both at the same time?

How can I roll back if the upgrade fails or something goes wrong?

Sorry to ask so many basic questions. I am very new here and have never worked on Cisco FWSM, so I am a bit worried about rolling out in production.

Again, many thanks for the help.

It's been a couple of years since I've touched one.

I believe you either need to assign an address to your Admin context (so you can copy files in system execution space) or go into the maintenance partition and assign an address (must be in VLAN 1 - may not be possible if you don't have a VLAN 1 SVI on the parent switch).

Is there a reason why they have you wrestling with these very old and no longer supported FWSMs just to upgrade them one last time?

Well, the customer is planning to migrate its current infrastructure, but it will take a bit longer than expected. Meanwhile, the security compliance team found that the current FWSM software 3.1.18 has a few vulnerabilities and the FWSM has to be upgraded to get the tick in the box.

I am worried about the rollback in case the upgrade does not go as expected. Can I keep more than one boot up image in the system partition and change the boot up sequence in case of rollback?

Thanks,

Narendra

I'd suggest opening a TAC case. They can assist in a more comprehensive manner in a high visibility production support case like this.

Thanks Marvin,

I requested the customer to purchase Cisco support and it is in process.

Based on Cisco documents, I need to copy the 4.1.x FWSM software image onto the flash of both FWSMs, reload the primary and then the secondary (before the primary comes online).

The FWSM is running in multi-context mode, so how can I copy the current FWSM configuration with all contexts onto a TFTP server?

How can I copy the FWSM 4.1.x software image onto the c:5 flash partition (which is not the default) for test purposes?

If I need to roll back, then after copying the original FWSM 3.2.18 image into flash, do I still need to copy the original configuration from TFTP to flash?

Many thanks
