Firewall Wizards mailing list archives

Re: PIX 515E F/O memory upgrade


From: Victor Williams <vbwilliams () neb rr com>
Date: Mon, 05 Dec 2005 13:45:24 -0600

Firstly, we are aware that VPN connections will disconnect on
failover, we've experienced this in the past. Are there any other
sessions that will be dropped during a forced failover?

You need to disconnect the pair of firewalls and do the firmware upgrade separately. What you are implying will not work. You can't do a major upgrade of those firewalls with them connected via active/failover setup.

Secondly, there is conflicting information in the docs. The 6.3
Command Reference states that the two devices must be identical wrt
version, flash size, ram size etc. The Upgrade to 7.0 guide and the
Hardware Installation Guide both state that there must be at least
the same amount of memory. Since we will be upgrading the standby
unit to 128Mb first and then failing over from the primary unit, the
second statement will be fulfilled. Can anyone comment on this as to
who is correct, or whether we will need momentary downtime with complete
loss of connectivity?

You will need complete loss of connectivity where each firewall is concerned. Like I said above, you need to disconnect each to do a major version upgrade...and then it has to be rebooted. Doing the failover unit first will allow everyone to stay connected as long as possible. Doing the active unit last will allow you to disconnect users for as long as it takes to reboot. Once rebooted, you can then power on the failover unit and it should get the config from the primary unit.

Note: not all the command equivalents will transfer over. I'm 99.9999% sure you will have to re-set up all of your VPN stuff. PIX 7 doesn't even support PPTP either. So, you're going to be SOL there.

In my honest opinion, there is no reason to go to PIX OS 7. It is still VERY buggy, and the current DoS bug for both PIX OS 7 and 6.3 affects OS 7 a lot more than 6.3. There is a good workaround...but they don't advise putting it into high-traffic production environments. I would wait at least another revision to version 7 before even thinking about going to it.


Victor Williams
Network Architect
SSCP, RHCE
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards