RE: PIX 525 failover

From: Fabrice Bobes (study@6colabs.com)
Date: Sun May 09 2004 - 17:18:48 GMT-3

• Next message: Howard C. Berkowitz: "Re: VPN and IDS boxes in Security Lab."
• Previous message: MMoniz: "RE: Bgp summary"
• Maybe in reply to: Richard Dumoulin: "RE: PIX 525 failover"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

It may be a good idea to use the bug toolkit before upgrading.
For example, if you run OSPF and multiple NTP servers, the upgrade will
break the failover! (CSCeb78876) Actually, you don't need multiple NTP
servers but one NTP server to break the failover.

Option 2 is what I use as well and a maintenance window is highly
recommended :-)

Thanks,

Fabrice (Security, R&S)
6colabs.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
MMoniz
Sent: Sunday, May 09, 2004 9:11 AM
To: Richard Dumoulin; ccie done; ccielab@groupstudy.com;
security@groupstudy.clm
Subject: RE: PIX 525 failover

I have done this a few times with very minimal service interuption. Bsically
just the time it takes the PIX
primary to reboot. As Richard says though, depending on your Company policy
I would ask for a brief outage. At least you are covered should things not
work out.

I have used this option and have always been successful.

Option 2
Here's another option for upgrading your failover set.

Copy the PIX Firewall binary image (pixnnn.bin) to the root directory of the
TFTP server.

Use the copy tftp flash command to copy the new PIX image to the Primary
PIX.

Use the copy tftp flash command to copy the new PIX image to the Secondary
PIX.

Power off both PIX devices.

Power on the Primary PIX.

Wait 10 Seconds (to ensure that the Primary PIX becomes the Active PIX).

Power on the Secondary PIX. It will come up at Standby.

Both PIX devices are now running the upgraded version and are back to normal
operation.

Here is the link

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00
80094a5d.shtml#failover

mike

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Richard Dumoulin
Sent: Sunday, May 09, 2004 11:53 AM
To: ccie done; ccielab@groupstudy.com; security@groupstudy.clm
Subject: RE: PIX 525 failover

Even if it is possible I would always ask for a maintenance window --Richard

-----Original Message-----
From: ccie done [mailto:ccie1@lycos.com]
Sent: domingo, 09 de mayo de 2004 17:35
To: ccielab@groupstudy.com; security@groupstudy.clm
Subject: OT: PIX 525 failover

Hi Folks ;

I would like to know if possible that two Cisco PIX 525 in failover
configuration can be upgraded without service interruption, they are in
production network and it really helps if possible to do

They are currently running 6.3.1 and the target release is 6.3.3.

anyone come accross something like that ?

• Next message: Howard C. Berkowitz: "Re: VPN and IDS boxes in Security Lab."
• Previous message: MMoniz: "RE: Bgp summary"
• Maybe in reply to: Richard Dumoulin: "RE: PIX 525 failover"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Wed Jun 02 2004 - 11:12:08 GMT-3