PIX Upgrade Procedure

ccoutts
Level 1

Hi, could someone assist me with the correct upgrade procedure for a pair of PIX 535s in a failover scenario, without powering them down? The upgrade would be from 6.2 to 6.3.

Many thanks in anticipation.

Charles

4 Replies 4

jackko
Level 7

To upgrade a failover pair of PIXes with the least amount of downtime, follow the steps below.

1. Force a failover to the secondary PIX by issuing the no failover active command on the primary PIX.

2. Shut down the primary PIX and disconnect all network cables from the primary PIX.

3. Connect the inside interface of the primary PIX to the TFTP server with a crossover cable.

4. Follow the upgrade procedures for the primary PIX as given in Upgrading Software for the Cisco Secure PIX Firewall.

5. After the primary PIX is successfully upgraded, shut it down and reconnect all cables.

6. Shut down the secondary PIX, and immediately power up the primary PIX.

7. Verify that the primary PIX is now passing traffic running the new version of code.

8. Disconnect all network cables from the secondary PIX.

9. Follow the same upgrade procedures for the secondary PIX.

10. Once the secondary PIX has been successfully upgraded, power it off.

11. Reconnect the network cables to the secondary PIX and power it up.

12. Wait two minutes and verify that the secondary PIX is in standby mode and that all interfaces have a status of Normal. The upgrade is complete.

Note: Downtime occurs when both PIXes are powered off and as the primary PIX boots up. This downtime is necessary because the PIXes cannot communicate to one another on different versions of code.

The above info comes from a TAC case:

http://www.ciscotaccc.com/security/showcase?case=K73545150
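
A check for step 12 of the procedure above, as an added example that is not part of the original post or of Cisco's tooling: it parses `show failover` output and reports anything other than primary active, secondary standby and every interface Normal. The sample output is constructed and its layout is an assumption modelled on PIX 6.x, so adjust the patterns to what your units actually print.

```python
import re

# Constructed sample; layout assumed from PIX 6.x "show failover" output,
# addresses are documentation/private ranges chosen for illustration.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Normal
        This host: Primary - Active
                Interface outside (192.0.2.1): Normal
                Interface inside (10.0.0.1): Normal
        Other host: Secondary - Standby
                Interface outside (192.0.2.2): Normal
                Interface inside (10.0.0.2): Normal
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")

def parse_show_failover(text):
    """Return {'failover_on': bool, 'units': {unit: {'state', 'interfaces'}}}."""
    result = {"failover_on": False, "units": {}}
    current = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["failover_on"] = True
        elif m := HOST_RE.match(line):
            current = result["units"].setdefault(
                m.group(2), {"state": m.group(3), "interfaces": {}})
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["interfaces"][m.group(1)] = m.group(3)
    return result

def check_step_12(text):
    """List of problems against step 12; an empty list means the pair looks healthy."""
    parsed, problems = parse_show_failover(text), []
    if not parsed["failover_on"]:
        problems.append("failover is not on")
    for unit, want in (("Primary", "Active"), ("Secondary", "Standby")):
        info = parsed["units"].get(unit)
        if info is None:
            problems.append(f"{unit} unit missing from output")
            continue
        if info["state"] != want:
            problems.append(f"{unit} is {info['state']}, expected {want}")
        for name, status in info["interfaces"].items():
            if status != "Normal":
                problems.append(f"{unit} interface {name} is {status}")
    return problems
```
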

Hi,

Any update?

What if you can't physically get to the boxes to power them down and disconnect cables, though? Would your suggestion be (once the image has been tftp'd to both boxes) to fail over to the secondary, then reload the primary, then after 10 seconds the secondary? Am I right in thinking that in doing it this way the Primary would come up as active?

Look forward to your reply.

Charles

Generally no one would recommend upgrading the OS remotely, in case the device freezes halfway through. Maybe discuss the issue further with the TAC.