Re: Pix fail-over questions
- From: "www.BradReese.Com" <Reese@xxxxxxxxxxxxx>
- Date: 17 Jun 2006 08:13:01 -0700
Excellent that Dr. Vincent C. Jones, PE
http://www.bradreese.com/vincent-c-jones.htm
is contributing to this thread, as Vince Jones is the author of the
revered Addison Wesley book:
High Availability Networking with Cisco
http://www.awprofessional.com/bookstore/product.asp?isbn=0201704552&aid=dcb9cea5-50c2-44d3-af02-9ab5cc199d74&rl=1
and the Addison Wesley article:
Configuration for Transparently Redundant Firewalls
http://www.awprofessional.com/articles/article.asp?p=23407&aid=dcb9cea5-50c2-44d3-af02-9ab5cc199d74
which was adapted from Vince's book, High Availability Networking with
Cisco.
--------------------------------------------------------
How to upgrade the PIX Firewall software in a failover scenario.
The PIXes must be running version 5.1(x) or later to use this procedure
because it uses the copy tftp flash command.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1026589
It was introduced in PIX 5.1(x).
--------------------------------------------------------
To upgrade PIXes in a failover set by establishing a console connection
to the PIXes, perform these steps:
Step 1: Force a failover to the secondary PIX by issuing the
no failover active
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1029143
command on the primary PIX, or power off the primary PIX.
This causes the secondary PIX to become active.
Step 2: Disconnect all network cables from the primary PIX (including
the failover cable).
Step 3: Power on the primary PIX and attach a PC with a TFTP server on
it. Connect the inside interface of the primary PIX to the TFTP server
with a crossover cable.
Step 4: Issue the
copy tftp flash
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1026589
command to upgrade the primary.
Perform the upgrade procedures for the primary PIX as given in:
Upgrading Software for the Cisco Secure PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
Step 5: Reload the primary PIX and verify the new version, license keys
and features, configuration and so on.
Step 6: Power off the primary PIX.
Step 7: Re-connect all cables to the primary PIX.
Step 8: Quickly power off the secondary PIX, then immediately power on
the primary PIX.
Verify that the primary PIX is now passing traffic running the new
version of code.
Note: Your downtime occurs while the primary is booting.
Step 9: Once the primary PIX is up, it becomes active and passes
traffic.
Step 10: Repeat steps two through seven for the secondary PIX.
Step 11: Power on the secondary PIX. It becomes the standby unit.
Wait two minutes and verify that the secondary PIX is in standby mode
and that all interfaces have a status of Normal.
Both PIXes are now running the upgraded version and back to normal
operation.
--------------------------------------------------------
To upgrade PIXes in a failover set through a Telnet and/or Secure Shell
(SSH) session, perform these steps.
Step 1: Open separate remote Telnet sessions to both the primary and
secondary PIXes.
Step 2: Perform a show failover to ensure that the primary PIX is the
active PIX.
Note: If it is not, issue the failover active command from the
primary PIX to make it so.
Step 3: Enter config t mode on both PIXes.
Step 4: For recovery purposes, in case something goes wrong, copy the
running config command from the primary PIX to a text file, or issue
the
write net
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#wp1027782
command from the primary PIX to save the config to the TFTP server.
Step 5: Issue the write standby command, followed by the write memory
command, on the primary PIX to ensure that the secondary PIX is
up-to-date in case something happens to the primary PIX.
Step 6: Issue the copy tftp flash command on the primary PIX and wait
until it downloads the new PIX image from the TFTP server successfully.
Step 7: If the step 6 download is successful on the primary PIX, repeat
step six on the secondary PIX.
Note: At this point, a new PIX image has been downloaded to both the
primary and secondary PIX.
Step 8: On the primary PIX, press the Reset button on the front of the
PIX.
An alternative is to turn off the power and turn it back on.
Step 9: Wait five seconds, then press the Reset button on the front of
the secondary PIX, or turn off the power and turn it back on.
Step 10: Wait about one minute for both PIXes to complete their resets,
then perform a separate Telnet to both the primary and secondary PIXes.
Step 11: Verify through the
show version
http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fd881.html#wp1536220
command output on both PIXes that the new PIX image has been installed
successfully.
Step 12: Verify through the show failover command output on the primary
PIX that it is active, and verify that the secondary is in standby
mode.
Both PIXes are now running the upgraded version and back to normal
operation.
--------------------------------------------------------
To upgrade PIXes in a failover set remotely, initiate two Telnet (or
SSH) sessions to the PIXes.
Initiate one session to the primary and one session to the secondary.
Replace steps eight and nine (see above) with these steps:
Step 1: On the secondary ( standby ) PIX, type reload to reboot the
PIX.
Step 2: On the primary ( active ) PIX, type reload to reboot the PIX.
Note: The primary must be reloaded before the secondary comes back on
line.
This gives you only a few seconds to perform these steps.
Step 3: Wait about one minute for both PIXes to complete their resets,
then initiate another Telnet (or SSH) session to both PIXes.
Step 4: Verify through the show version command output that both PIXes
are running the new image.
Step 5: Verify through the show failover command output that the
secondary is active.
Step 6: On the primary PIX, issue the failover active command to force
it to become the active PIX.
Step 7: Both PIXes are now running the upgraded image and back to
normal operation.
When upgrading remotely, the secondary comes up first, so it is active
when this process is complete.
You issue the failover active command from the primary to force it to
be active.
Note: Downtime occurs when both PIXes are powered off and as the
primary PIX boots up.
This downtime is necessary because the PIXes cannot communicate to one
another on different versions of code.
--------------------------------------------------------
PIX version 7.0 introduced the ability to perform software upgrades of
failover pairs without impacting network uptime or connections flowing
through the units.
Version 7.0 introduced the ability to do inter-version state sharing
between security appliance failover pairs, allowing you to perform
software upgrades to maintenance releases (for example, Version 7.0(1)
upgrading to 7.0(2)) without impacting traffic flowing through the
pair.
In active or standby failover environments or active/active
environments where the pair is not oversubscribed, more than 50 percent
load on each pair member.
--------------------------------------------------------
To perform the upgrade without impacting connections, back up current
configurations and perform these steps:
Step 1: Copy the image files to the device, and select the image to
boot by issuing the
boot system
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d030.html#wp1030929
command.
Step 2: Reload the standby unit, which causes it to boot the new image.
Step 3: When the standby unit is in standby_ready state, force a
failover so it becomes active.
Reload the new standby unit. Now both units are running the new image.
For more information refer to:
Configuring Failover
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247e.html
For the process to work smoothly, it is better to reload the standby
unit in the procedure instead of the active unit.
In a situation where the units are Active/Active, and you do not want
to impact connections on the secondary active unit, you must change the
failover groups on the unit to achieve the same active/standby state
before performing the steps.
If it is necessary to upgrade to a later version of software, you must
upgrade to the next version for the upgrade to avoid impacting network
uptime.
For example, if you need to upgrade from version 7.0(1) to version
7.0(3), you must upgrade from version 7.0(1) to version 7.0(2), then to
version 7.0(3).
For detailed information visit:
Performing Zero Downtime Upgrades for Failover Pairs
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b92.html#wp1053398
Hope this helps.
Brad Reese
Cisco Repair
http://www.bradreese.com/cisco-big-iron-repair.htm
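As an added example (not part of Brad's post or of Cisco's documentation), here is a Python script that automates the checks in steps 11 and 12 of the Telnet procedure above and computes the release-by-release hop list that the 7.0 zero-downtime rule requires (7.0(1) to 7.0(3) must pass through 7.0(2)). The show version and show failover text is constructed to resemble PIX 6.x output rather than captured from a device, and the function names are my own.

```python
import re

# Constructed sample output, modelled on the layout of PIX 6.x "show version" and
# "show failover" (not captured from a real device; addresses are documentation ranges).
SHOW_VERSION = "Cisco PIX Firewall Version 6.3(5)\nCisco PIX Device Manager Version 3.0(4)\n"
SHOW_FAILOVER = """Failover On
Cable status: Normal
        This host: Primary - Active
                Active time: 225 (sec)
                Interface outside (192.0.2.1): Normal
                Interface inside (10.0.0.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (192.0.2.2): Normal
                Interface inside (10.0.0.2): Normal
"""

def pix_version(show_version):
    """Extract the 'x.y(z)' release string from show version output (None if absent)."""
    m = re.search(r"PIX Firewall Version (\d+\.\d+\(\d+\))", show_version)
    return m.group(1) if m else None

def failover_state(show_failover):
    """Return ({'This': (unit, state), 'Other': ...}, [interfaces whose status is not Normal])."""
    roles = {who: (unit, state)
             for who, unit, state in re.findall(r"(This|Other) host: (\w+) - (\w+)", show_failover)}
    bad = [name for name, status in re.findall(r"Interface (\S+) \([^)]*\): (\w+)", show_failover)
           if status != "Normal"]
    return roles, bad

def upgrade_verified(show_version, show_failover, expected_version):
    """Steps 11-12 of the Telnet procedure, as seen from the primary: new image installed,
    this host Primary/Active, other host Secondary/Standby, every interface Normal."""
    roles, bad = failover_state(show_failover)
    return (pix_version(show_version) == expected_version
            and roles.get("This") == ("Primary", "Active")
            and roles.get("Other") == ("Secondary", "Standby")
            and not bad)

def upgrade_path(current, target):
    """Zero-downtime rule for 7.0 pairs: hop through every maintenance release in turn,
    e.g. 7.0(1) -> 7.0(2) -> 7.0(3). Only forward moves within one train are modelled."""
    cur = re.fullmatch(r"(\d+\.\d+)\((\d+)\)", current)
    tgt = re.fullmatch(r"(\d+\.\d+)\((\d+)\)", target)
    if not cur or not tgt or cur.group(1) != tgt.group(1) or int(tgt.group(2)) < int(cur.group(2)):
        raise ValueError("only a forward upgrade within one maintenance train is supported")
    base, lo, hi = cur.group(1), int(cur.group(2)), int(tgt.group(2))
    return [f"{base}({n})" for n in range(lo, hi + 1)]
```

Feed the real command output captured from each Telnet session into upgrade_verified, and run upgrade_path before starting a 7.0 upgrade so that no maintenance release is skipped.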