Upgrading a PIX failover pair

Discussion in 'Cisco' started by John Caruso, Dec 19, 2005.

  1. John Caruso

    John Caruso Guest

    There used to be lengthy instructions in the PIX documentation about the
    Cisco-blessed way to upgrade a PIX failover pair, but I can't seem to locate
    that information now in the standard PIX documentation areas (for 6.3, 6.2,
    6.1, or 6.0). Maybe I'm just missing something obvious?

    Also, the Cisco method I'm talking about was overly complex, IMO, so: does
    anyone have a methodology that they feel is better? My usual approach has
    just been to do them one after the other with the other unit powered off,
    during a downtime window.

    This is for an upgrade from 6.3(3) to 6.3(5)...nothing major.

    - John
     
    John Caruso, Dec 19, 2005
    #1

  2. John Caruso

    Matty M Guest

    "John Caruso" <> wrote in message
    news:...
    > There used to be lengthy instructions in the PIX documentation about the
    > Cisco-blessed way to upgrade a PIX failover pair, but I can't seem to
    > locate that information now in the standard PIX documentation areas (for
    > 6.3, 6.2, 6.1, or 6.0). Maybe I'm just missing something obvious?
    >
    > Also, the Cisco method I'm talking about was overly complex, IMO, so: does
    > anyone have a methodology that they feel is better? My usual approach has
    > just been to do them one after the other with the other unit powered off,
    > during a downtime window.
    >
    > This is for an upgrade from 6.3(3) to 6.3(5)...nothing major.
    >
    > - John


    Hi,

    Yeah I did remember reading that document. I think I just upgraded the
    primary, then the secondary then just reboot the primary and the secondary
    about a few seconds after.

    Cheers

    Matt
     
    Matty M, Dec 20, 2005
    #2

  3. Matty M <> wrote:
    >
    >"John Caruso" <> wrote in message
    >news:...
    >> There used to be lengthy instructions in the PIX documentation about the
    >> Cisco-blessed way to upgrade a PIX failover pair, but I can't seem to

    >
    >Yeah I did remember reading that document. I think I just upgraded the
    >primary, then the secondary then just reboot the primary and the secondary
    >about a few seconds after.


    Matt, you have more faith than I do in the quality and backwards
    compatibility of firmware upgrades. Either that or you have
    incredibly long maintenance windows if you need to back out the
    changes.

    If the application is as downtime sensitive as the use of a failover
    PIX implies, I prefer to avoid touching the backup PIX until after
    the upgrade has been fully verified and passed all short term
    tests. It is usually much quicker to plug in the half a dozen or
    so network connections than it is to wait for it to boot up. So
    I upgrade the flash in the secondary, shut it down and disconnect
    it from the network, then bring it up with the new OS. The key is
    to verify that the configuration still looks right (line by line
    with a saved copy of what it was... you would be amazed at how much
    changes sometimes), make any fixes which are obvious, then disconnect
    the primary PIX and put the backup back on the network. Only after
    testing all critical applications is it time to upgrade the second
    PIX and put it back on line. Don't forget to make sure that all the
    tweaks made to the secondary are also made to the primary, and last
    but not least, test failover to make sure that that didn't get broken
    (the reason you upgrade the secondary first, otherwise you have to
    test failover, then failover again when you put the primary back on
    line). If you do it right, you can keep the service disruptions down
    to the equivalent of single failover and return to normalcy (two
    brief service disruptions for normal users, down and back for VPNs).

    Yes, it is a little more work. But it is a lot less panic when the
    upgrade turns out not to be 100% smooth. For a 6.3(3) to 6.3(4)
    type of upgrade it may be overkill.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Dec 21, 2005
    #3
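
The line-by-line comparison against a saved copy that the post above calls the key step can be scripted. This is an added example, not part of the original post or any Cisco tool; the sample captures are constructed, and treating the version banner, checksum and `:` comment lines as ignorable is an assumption.

```python
import difflib

# Constructed sample captures (not from a real device); the differences are
# invented to exercise the check and do not describe real 6.3(5) behaviour.
SAVED_BEFORE = """\
: Saved
PIX Version 6.3(3)
nameif ethernet0 outside security0
hostname pixfw
access-list outside_in permit tcp any host 192.0.2.10 eq www
failover
failover poll 15
Cryptochecksum:00000000000000000000000000000000
: end
"""
RUNNING_AFTER = """\
: Saved
PIX Version 6.3(5)
nameif ethernet0 outside security0
hostname pixfw
failover
failover poll 10
Cryptochecksum:11111111111111111111111111111111
: end
"""

# Assumption: banner, checksum and ':' comment lines carry no policy and are
# expected to differ after any upgrade, so they are left out of the comparison.
IGNORED_PREFIXES = ("PIX Version", "Cryptochecksum:", ":")

def normalize(config_text):
    """Return config lines with blanks and expected-to-change lines dropped."""
    lines = (raw.rstrip() for raw in config_text.splitlines())
    return [l for l in lines if l and not l.startswith(IGNORED_PREFIXES)]

def config_drift(before_text, after_text):
    """Return (removed, added): lines lost from, or new in, the upgraded unit."""
    removed, added = [], []
    for entry in difflib.ndiff(normalize(before_text), normalize(after_text)):
        if entry.startswith("- "):
            removed.append(entry[2:])
        elif entry.startswith("+ "):
            added.append(entry[2:])
    return removed, added

if __name__ == "__main__":
    removed, added = config_drift(SAVED_BEFORE, RUNNING_AFTER)
    print("MISSING after upgrade:", removed)
    print("NEW after upgrade:", added)
```

A silently dropped access-list or failover line is the kind of change that is easy to miss by eye; anything reported here is reviewed before the upgraded unit goes back on the network.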
  4. John Caruso

    niltinho

    Vincent,
    Do you think it is a big advantage to upgrade from 6.3(3) to 6.3(5)? I seem to have quite a few issues with VPN tunnels and other strange behaviours. I was advised in the past that 6.3(5) is much more solid and smooth running than previous versions! Do you agree?

    Your comments are very much appreciated.

    Thank you,

    Niltinho
     
    niltinho, Sep 4, 2006
    #4
