Re: Recommendations on PIX upgrade [7:10380]

2001-06-29 Thread Allen May

I think you're overdoing the solution when you have an almost zero downtime
solution in front of you.  Just fail the first unit and let the 2nd take over.
Then with the first one offline, upgrade it and let the
failover..well...failover ;)  When done just make sure the config is correct
on the first one and do whatever it takes to get the first one back online.
I've never tried just shutting the failover box off to see if it would
trigger back to the first box with a different OS but even if that fails
just reboot the first one and it should come back up happy.  Now your
network is back the way it was with only 2 very small windows of downtime.
Upgrade 2nd PIX and hook up failover.

If you're concerned about the primary taking over again when you're trying
to upgrade, don't.  Just boot it up hitting ESC so it doesn't load the
config so you can manually give it an IP, subnet, gateway, and tftp server
address.  Without the config loaded it won't be part of the failover.

Allen

- Original Message -
From: Mark Smith 
To: 
Sent: Friday, June 29, 2001 1:53 AM
Subject: Recommendations on PIX upgrade [7:10380]


 This may be a stupid question but that's never stopped me from asking
 before.

 At one site I have 2 UR 515's running in failover config. They are at
 5.2(1) software. I'd like to upgrade them but can only afford an absolute
 minimum of down time (measured in seconds, maybe). From what I've read
 about the PIX units, for failover to work, I believe each unit must be
 configured identically - same hardware, OS version, configuration - or
 failover doesn't work.
 What my plan currently is to start by taking the standby PIX (PIX2) down
 and do a 6.0.1 upgrade. I guess the question that I have is, and here
 comes the stupid part, if I reconnect the two with PIX2 at 6.0.1 and PIX1
 still at 5.2(1) will anything bad happen (my hair fall out, I contract an
 incurable STD, smoke come from either/both of the boxes)? Assuming that
 nothing horrible happens, when I take the PIX1 box down to upgrade it will
 PIX2 (now on a different OS version) detect that the hot PIX has dropped
 offline and come up as in failover? If it won't on its own can I do a
 failover active or a similar command to force PIX2 to become active? Will
 the children play well together again after I do a 6.0.1 upgrade on PIX1?
 Or will I have to bring PIX2 down, upgrade it (while PIX1 is still up) and
 then bring PIX1 down (leaving PIX2 down), upgrade it and then bring both
 back up together once they are on the same OS version level? I realize
 that with a laptop that has TFTP server software connected to PIX1 and has
 the pix601.bin image on it the upgrade process doesn't take long. But if I
 choose the last method of taking both boxes down that, by the time that
 cables are switched around as required, box(es) are rebooted, bring the
 2nd box up in monitor mode, copy the image, reboot, reconnect failover
 cabling (as needed), the process would probably be measured in minutes of
 total down time before both would be back online. That might as well be
 days as far as my bosses are concerned.
 Just looking for alternatives.
 Thanks for any advice/experience/thoughts. Sorry if this doesn't belong in
 studygroup.com. I just know that there's a lot of experience and common
 sense here.

 (END stupid questions)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10399t=10380
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Recommendations on PIX upgrade [7:10380]

2001-06-29 Thread Mark Smith

Thanks for the ideas, Allen. I'll probably just give that a try. I just am
still not sure if, once I bring PIX1 back online after doing an upgrade on
it and connect it to PIX2, and now they're at different versions, if the
xlate table will sync back up on PIX1. If not and I make PIX1 hot and take
PIX2 down for an upgrade to it, then it will just take a little while for
that table to rebuild on PIX1 and folks will get timeouts during that
rebuilding time. I'll give it a try though.
Thanks. 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10417t=10380



Re: Recommendations on PIX upgrade [7:10380]

2001-06-29 Thread Allen May

Shouldn't take long.  Clear XLATE can be done any time but it just knocks
off streaming connections so that they have to reconnect.  It will probably
do the same thing if it has to rebuild where all they need to do is
reconnect.  No biggie if they're expecting it ;)






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10423t=10380