
upgrading code on FWSM w/failover

tbulliard
Level 1

What is the proper procedure for upgrading code on primary and secondary FWSMs?

3 Replies

didyap
Level 6

You can upgrade FWSMs in failover setup. Here are the steps:

Power off Primary (this causes Secondary to become active).

Disconnect all cables from Primary (including failover cable).

Power on Primary and attach a PC with a tftp server on it. Upgrade FWSM primary.

Reload Primary and verify the new version, config... etc...

Power off Primary.

Reconnect all cables back to the Primary.

Quickly power off Secondary, and then immediately power on Primary.

Once the Primary is up it will be Active, and passing traffic.

Repeat the same previous steps on the Secondary FWSM.

Power on the Secondary, it will come up as Standby.

This completes the upgrade process.

The FWSM doesn't have any cables. It's a blade that goes in a Catalyst 6500. It doesn't have interfaces either. It uses SVIs and it communicates using the backplane.

Hi,

One of the options to use is as follows:

Note:

- FWSM operation will continue running even after upgrading the code. The new version will take effect after reboot.

- You can optionally disable failover services between FWSM blades.

Option 1 - FWSMs co-exist in the same switch

-------------------------------------------

1. Determine which blade is active, i.e. FWSM-01 (active), FWSM-02 (standby).

2. Connect your pc/laptop to a switch port (same box) and assign it to the same FWSM INSIDE VLAN.

3. Console into the switch and access FWSM-01's console from the switch.

Telnet to the default IP, e.g. 127.0.0.121 if FWSM-01 is in slot 12; or telnet to the actual IP assigned to the Inside interface;

or use the "session" command (recommended).

4. Make sure you can ping & have your TFTP server software + FWSM code ready.

5. Issue the "copy tftp flash" command. Follow the remaining instructions.

6. To upgrade PDM, use "copy tftp flash:pdm". You normally upgrade your PDM as well.

7. Do not reload the active FWSM-01 yet. The firewalling services remain OK and will not be interrupted unless you reboot.

At this time, it still runs on the old code.

8. Session into the Standby FWSM-02 and issue "standby active" to manually force the standby FWSM-02 to become active.

9. Repeat the same steps 3 through 6 on the newly elected FWSM-02.

10. Go back to the FWSM-01. Reboot this blade to enable it to run on the new code.

11. Return to the FWSM-01 (currently active FWSM). Reboot this blade to enable it to run on the new code.

**** The decision to reboot the last blade @ active FWSM is up to you - causing minimum downtime ********

Option 2 - 2 separate switches

------------------------------

1. Determine which blade is active, i.e. FWSM-01 (active), FWSM-02 (standby).

2. Disable the failover services (no failover) between FWSM blades. Traffic will continue to pass through the active Switch+FWSM.

3. Follow Steps 2 through 7 as stated in Option 1 (above).

4. Do not reboot the FWSM-01 yet. Firewalling services will remain intact.

5. On the 2nd switch + FWSM-02, connect your pc/laptop to a switch port (same box) and assign it to the same FWSM INSIDE VLAN.

6. Disable failover service (no failover).

6. Follow Steps 3 through 6 as stated in Option 1 (above).

7. Reboot FWSM-02. It will now run on the new FWSM code.

8. Session back to the switch where FWSM-01 is installed. Activate the failover services again (failover).

You'll see an error message on failover services as both blades run on different code.

9. You cannot skip the minimum downtime (reboot FWSM-01) if you want both blades to run on the new code immediately.

Otherwise, wait for an appropriate time to do it.

Rgds,

AK