Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
323
Views
0
Helpful
2
Replies

upgrade image for 2 pix fw in failover

ctivig
Level 1
Level 1

‎04-22-2004 07:00 AM - edited ‎02-20-2020 11:21 PM

Hello all,

I have 2 pix firewalls configured in failover.

I want to perform an image upgrade on them.

What would be the best scenario for that. I am thinking of taking offline the standby, upgrade it, taking offline the primary , upgrade it, turning the primary online and then the secondary.

I am concerned of any issues that might arise from the sync that is supposed to happen.

Thanks,

C

0 Helpful
2 Replies 2

ctivig
Level 1
Level 1

‎04-22-2004 07:07 AM

Oh, I found the scenarion on cisco's site :-)

here it is:

Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the TFTP server.

Power off the Primary (this causes the Secondary to become active).

Disconnect all cables from the Primary (including failover cable).

Power on the Primary and attach a PC with a TFTP server on it.

Use copy tftp flash to upgrade the Primary.

Reload the Primary and verify the new version and configuration.

Power off the Primary.

Reconnect all cables back to the Primary.

Quickly power off the Secondary, and then immediately power on the Primary.

Note: Your downtime will occur while the Primary is booting up.

Once the Primary is up, it will be active and passing traffic.

Repeat steps 2 - 7, but for the Secondary PIX.

Power on the Secondary; it comes up as Standby.

Both PIX devices are now running the upgraded version and are back to normal operation.

0 Helpful

ehirsel
Level 6
Level 6

‎04-22-2004 07:20 AM

If you want to upgrade both at the same time, make sure you do a write mem on the active unit, and after that insure that the primary is active and fully online and operational before you start to upgrade the secondary.

I would also make sure that the interfaces of both units are labeled well, and disconnected, but keep the serial cable connected, after the power-down but before the upgrade.

In the past I have seen the secondary unit fail to stay unless the serial cable was connected to it - this was due to the fact that the secondary had the pix failover license, so that is why I recommend that the serial cable still being connected.

Normally the serial cable is marked and is still connected to both during the code update process so that each end knows whether it is primary or not. If you do not use the serial and instead use lan failover instead, then it is even more important to make sure that the primary is fully up before the secondary is powered up, and that you disconnect the interfaces so that there is no chance of having a sync issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card