Posted by RS on November 21, 2005, 10:40 am
Tested conversion on 515 with a copy of our live config - noticed a few commands did not "port" over properly. Not a big problem - but a problem none the less.

Given that, here is my take on how to migrate:
 -Since we have a FO config - turn off SECONDARY and upgrade the PRIMARY.
 -Fix any issues, and run the PRIMARY for a few days. (Note: NO config changes are to be made during that period.)
 -If there are problems, turn off the PRIMARY and run the SECONDARY with the 6.3(4) code on it. Figure out what went wrong - downgrade the PRIMARY if necessary.
 -If all is well, turn off the PRIMARY and upgrade the SECONDARY.

Appreciate any and all feedback.

Thanks,
Rico

Posted by Vincent C Jones on November 21, 2005, 11:14 am
You left out the scheduling of downtime with critical users and the scheduling of testing of critical applications immediately before and immediately after the cutover. The before part can be critical as it serves two purposes: testing the tests to ensure they actually work, and verifying that all critical applications actually are functional before you start so the cutover does not get blamed for breaking something which was already broken.

Another trick, you can fail over to the secondary, take the primary off line, and then do your upgrade. When the primary looks ready to go, take the secondary off line (unplug the network interfaces) and attach the primary back into the networks. You did remember to label all patch cables so you don't destroy your security by plugging the wrong network into any ports...

This way, you don't have to wait for rebooting and can "painlessly" revert at any time to the previous configuration (very handy when you need to prove the problem is not attributable to the new configuration ;-)

Good luck and have fun!
--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ Phone: 201 568-7810
http://www.networkingunlimited.com
Expert advice and a helping hand for those who want to manage and control their networking destiny

Posted by RS on November 21, 2005, 11:32 am
Good points. I failed to mention downtime scheduling for brevity.

Testing critical apps that go through the PIX is an interesting concept. This would take a monumental coordination effort around here - so many folks to contact who would then have to "schedule" (or even figure out what the heck we want). LOL, it would never happen then! Almost a bit of CYA there too eh?? ;)

(Doesn't matter - all problems to end users is the fault of the omnipotent "Network" anyway...)

Thanks for the thoughts.

R

Posted by Walter Roberson on November 21, 2005, 12:16 pm
>(Doesn't matter - all problems
>to end users is the fault of the omnipotent "Network" anyway...)

NA: {12 pages on why the network has a serious crisis that must be fixed ASAP, with several proposals about how to fix the problem, and an examination of the ramifications and costs of each proposal, complete with parts list and negotiated pricing 40% below retail.}

Everyone: "You are too much of a perfectionist. You know we don't have time to read anything technical like that!"

NA: "Computer talkie-talkie have heap big problem. Thag must fix right now!"

Everyone: "Oh, you're just saying that so you can build up your little empire. And you never -explain- anything."

Later:

NA: "Network broke like Thag said, said, said."

Everyone: "It's -your- fault, Thag!"
--
If you lie to the compiler, it will get its revenge. -- Henry Spencer

Posted by DigitalVinyl on November 21, 2005, 1:47 pm
>Currently running 6.3(4) on 525 FO configuration.
>
>Tested conversion on 515 with a copy of our live config - noticed a
>few commands did not "port" over properly. Not a big problem - but a
>problem none the less.
>
>Given that, here is my take on how to migrate:
> -Since we have a FO config - turn off SECONDARY and upgrade the
>PRIMARY.
> -Fix any issues, and run the PRIMARY for a few days. (Note: NO config
>changes are to be made during that period.)
> -If the are problems, turn off the PRIMARY and run the SECONDARY with
>the 6.3(4) code on it. Figure out what went wrong - downgrade the
>PRIMARY if necessary.
> -If all is well, turn off the PRIMARY and upgrade the SECONDARY.
>
>Appreciate any and all feedback.
>
>Thanks,
>Rico

We did this upgrade back in August. We're running 7.02. Unfortunately this account does all their management through the PDM. And this has resulted in a lot of misconfiguration of the PIX. I can't believe Cisco still claims they even have a gui. Using the latest and greatest still feels like a beta product.

The upgrade required a line by line comparison of the NAT, STATIC and ACLS. A lot of rules were invalidated. Two ACCESS-GROUP commands detached ACLs. Literally re-entered at least a hundred commands. Our PIX config is 4800 lines long, so it was only about 2%. Going into production without doing the compare would have been disastrous.

DiGiTAL_ViNYL (no email)

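The comparison described in the post above can be scripted. The following is an added example, not code from any poster or from Cisco: it diffs the `nat`, `static`, `access-list` and `access-group` lines of two saved configs and flags ACLs that are still defined but no longer bound by an `access-group`. The sample configs are constructed, and lines are matched as plain text after whitespace normalisation (an assumption), so a command the upgrade merely rewrote appears under both "missing" and "added" for manual review.

```python
# Commands the thread singles out for line-by-line review after the upgrade.
WATCHED = ("nat", "static", "access-list", "access-group")

def watched_lines(config):
    """Return the set of watched commands, with whitespace normalised."""
    lines = set()
    for raw in config.splitlines():
        words = raw.split()
        if words and words[0] in WATCHED:
            lines.add(" ".join(words))
    return lines

def acl_names(lines, command):
    """ACL names that appear as the first argument of `command`."""
    return {l.split()[1] for l in lines
            if l.split()[0] == command and len(l.split()) > 1}

def compare(before, after):
    b, a = watched_lines(before), watched_lines(after)
    # Bound to an interface before, still defined after, but no longer bound:
    # the ACL exists in the new config and filters nothing.
    detached = (acl_names(b, "access-group") - acl_names(a, "access-group")) \
        & acl_names(a, "access-list")
    return {"missing": sorted(b - a),
            "added": sorted(a - b),
            "detached_acls": sorted(detached)}

# Constructed sample configs (documentation addresses, hypothetical ACL names).
BEFORE = """\
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list dmz_in permit tcp any host 10.2.2.5 eq smtp
access-group outside_in in interface outside
access-group dmz_in in interface dmz
"""
AFTER = """\
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list dmz_in permit tcp any host 10.2.2.5 eq smtp
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for key, items in compare(BEFORE, AFTER).items():
        print(key + ":")
        for item in items:
            print("   " + item)
```
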
thoughts on upgrading to PIX v7.xx