1. Home
  2. Cisco Systems
  3. thoughts on upgrading to PIX v7.xx

thoughts on upgrading to PIX v7.xx

Currently running 6.3(4) on 525 FO configuration.

Tested conversion on 515 with a copy of our live config - noticed a few commands did not "port" over properly. Not a big problem - but a problem none the less.

Given that, here is my take on how to migrate: -Since we have a FO config - turn off SECONDARY and upgrade the PRIMARY. -Fix any issues, and run the PRIMARY for a few days. (Note: NO config changes are to be made during that period.) -If the are problems, turn off the PRIMARY and run the SECONDARY with the 6.3(4) code on it. Figure out what went wrong - downgrade the PRIMARY if necessary. -If all is well, turn off the PRIMARY and upgrade the SECONDARY.

Appreciate any and all feedback.

Thanks, Rico

Reply to
RS
Loading thread data ...

You left out the scheduling of downtime with critical users and the scheduling of testing of critical applications immediately before and immediately after the cutover. The before part can be critical as it serves two purposes: testing the tests to ensure they actually work, and verifying that all critical applications actually are functional before you start so the cutover does not get blamed for breaking something which was already broken.

Another trick, you can fail over to the secondary, take the primary off line, and then do your upgrade. When the primary looks ready to go, take the secondary off line (unplug the network interfaces) and attach the primary back into the networks. You did remember to label all patch cables so you don't destroy your security by plugging the wrong network into any ports... This way, you don't have to wait for rebooting and can "painlessly" revert at any time to the previous configuration (very handy when you need to prove the problem is not attributable to the new configuration ;-)

Good luck and have fun!

Reply to
Vincent C Jones

Good points. I failed to mention downtime scheduling for brevity. Testing critical apps that go through the PIX is an interesting concept. This would take a monumental coordination effort around here

- so many folks to contact who would then have to "schedule" (or even figure out what the heck we want). LOL, it would never happen then! Almost a bit of CYA there too eh?? ;) (Doesn't matter - all problems to end users is the fault of the omnipotent "Network" anyway...) Thanks for the thoughts. R

Reply to
RS

NA: {12 pages on why the network has a serious crisis that must be fixed ASAP, with several proposals about how to fix the problem, and an examination of the ramifications and costs of each proposal, complete with parts list and negotiated pricing 40% below retail.}

Everyone: "You are too much of a perfectionist. You know we don't have time to read anything technical like that!"

NA: "Computer talkie-talkie have heap big problem. Thag must fix right now!"

Everyone: "Oh, you're just saying that so you can build up your little empire. And you never -explain- anything."

Later:

NA: "Network broke like Thag said, said, said."

Everyone: "It's -your- fault, Thag!"

Reply to
Walter Roberson

We did this upgrade back in August. We're running 7.02. Unfortunately this account does all their management through the PDM. And this has resulted in a lot of misconfiguration of the PIX. I can't believe Cisco still claims they even have a gui. Using the latest and greatest still feels like a beta product.

The upgrade required a line by line comparison of the NAT, STATIC and ACLS. A lot of rules were invalidated. Two ACCESS-GROUP commands detached ACLs. Lierally re-entered at least a hundred commands. Our PIX config is 4800 lines long, so it was only about 2%.

Going into production without doing the compare would have been disastrous.

DiGiTAL_ViNYL (no email)

Reply to
DigitalVinyl

To DiG ViN- That is why were are going to upgrade a single PIX in the failover set. (Leave the "un-upgraded" off) If there are a boat load of problems like that - we can revert to the 6.3x ver with minimal downtime. Work on the ver 7 config offline.

I've seen the commands changed a bit. Seems like nothing too major. Any commands/major changes that I should be aware of tho??

Thanks. RS

Reply to
RS

The site i'm working with has been using the PDM without any understanding of the CLI. Due to the looseness of the PDM there were a lot of misconfiguration and bad PDM definitons. The conversion:

- deleted some access-group commands,

- made duplicates of PDM groups practically elimianting the purpose of PDM groups; FOr instance if the group SMTPServers appeared under three different rules, the conversion created "SMTPServers_ref" & "SMTPServers_ref_1" because some logic made it impossible to re-use the same group

- many named objects were simply deleted (i believe we may have exceeded the expected number of objects for the conversion program).

- many rules were made null because of missing defintions

- some translations which worked before were broken after the upgraded

DiGiTAL_ViNYL (no email)

Reply to
DigitalVinyl

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.