How to Upgrade a Cisco Pix 515 With Serial Failover From 6.3 -> 8.0

By Thomas Vachon

Well, it sounds simple, doesn't it? Cisco says you reload the OS, make a couple of changes and voila, you have a working Pix 515 running the latest and greatest code (which, by the way, is the same code that runs on the ASAs, which cost quite a bit more). Well, not so fast.

First of all, make sure you meet the requirements for running anything over 6.3. This means a 515 or higher Pix (I recommend the 515e rather than the 515 as the minimum, as the code is much heavier and the Pentium II in the 515 is slower). Also, you need to have enough room on your flash. If you don't use the godforsaken Pix Device Manager (which by all accounts no one ever should), you are fine. Finally, you need RAM. Luckily, as long as you are not covered by SmartNet, feel free to crack open your Pix to reveal its true nature. It runs an Intel motherboard and PC-100 RAM. It supports a maximum of 256 MB (2x128 MB) and RAM is cheap, so go for it and upgrade it to the max. One caveat is that you MUST run an unrestricted license to support 256 MB of RAM. I was able to upgrade a restricted version (as 128 MB is the minimum), but I soon found its flash chip was fried and bought a replacement 515e off the used market.

OK, so you pass the pre-reqs. Now what? Well, you need 2 separate OS images: 7.2 and an 8.0 or greater. They are available on Cisco's website for registered users. Also, if you are running stateful failover, make sure you have a free Ethernet interface or sub-interface for replication (which I haven't done yet).

Now on to the procedure. Cisco's website is a little fuzzy on how to do this on a failover pair of 515s, so this is where this write-up will be of the best use to you. This is certainly a maintenance window activity, as doing it incorrectly will cause ARP poisoning and other awfulness.

First, BACK UP YOUR CONFIG! (Not that this has to be said.) Then disconnect the serial cable between the two Pixes. Start the upgrade on the Primary Pix (the one with the Primary side of the serial cable). Upgrade from 6.3 to 7.2 via: copy tftp: flash: The Pix will start complaining about re-writing rules; this is OK right now. Once you are at the prompt, write your config and reboot again. From here you can now go to 8.0 via: copy tftp: flash:image.bin

Reboot the Pix again and you will be in 8.0. You may get some warnings about stateful failover (how to solve that hopefully coming later). Any other warnings should be looked at and either confirmed as OK or fixed. Errors must be fixed at this point as well. Now comes the tricky part. For every interface which has a standby IP associated, re-enter the ip address line without the standby IP. Also make sure ALL failover lines are gone. Save your config, and now it's time to move to the second Pix.

This time the upgrade starts off a bit differently. Make sure the serial cable is disconnected (as it already should be) and write erase. You want a blank config for this. Reload and do the same 6.3 -> 7.2 upgrade (don't bother saving the config this time) and then 7.2 -> 8.0. At this point, write erase again to be sure it's a clean Pix. Power off the Secondary Pix and connect the serial cable on both ends.

Now, on the Primary Pix, put the standby additions back on your ip address lines (yes, you have to type it all out) and wr your config. Now do a show fail. It should report that the partner is powered off. This is as it should be. Finally, in configure mode, type "failover" on the Primary Pix. Boot up your Secondary Pix, go into configure mode and type "failover". Magically, you should see "show fail" pair up and start replicating the config over the serial link to the blank standby unit.
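
Added example (not part of the original post): a small Python helper that reads a saved 8.0-format config and produces the two sets of ip address lines used in the steps above, the ones without standby addresses to enter before the secondary is rebuilt and the full lines to re-enter afterwards, and lists the failover lines that must be gone. The sample config, the addresses and the function name plan_failover_rebuild are constructed for illustration.

```python
import re

# Constructed sample of a PIX 8.0 config fragment (not from the original post).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet2
 shutdown
 no nameif
 no ip address
!
failover
failover polltime unit 15 holdtime 45
"""

# Matches only interface ip address lines that carry a standby address.
IP_LINE = re.compile(r"^\s+ip address (\S+) (\S+) standby (\S+)\s*$")

def plan_failover_rebuild(config_text):
    """Return (strip_cmds, restore_cmds, failover_lines) from a saved config."""
    strip_cmds, restore_cmds, failover_lines = [], [], []
    current_if = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current_if = line.strip()
        elif line.startswith("failover"):
            failover_lines.append(line.strip())
        else:
            m = IP_LINE.match(line)
            if m and current_if:
                ip, mask, standby = m.groups()
                strip_cmds += [current_if, f" ip address {ip} {mask}"]
                restore_cmds += [current_if, f" ip address {ip} {mask} standby {standby}"]
    return strip_cmds, restore_cmds, failover_lines

if __name__ == "__main__":
    strip, restore, fo = plan_failover_rebuild(SAMPLE_CONFIG)
    print("! Before rebuilding the secondary (no standby):\n" + "\n".join(strip))
    print("! Failover lines that must be gone:\n" + "\n".join(fo))
    print("! After the secondary is wiped (standby restored):\n" + "\n".join(restore))
```

Run it against the config you backed up at the start, so the standby addresses are recorded before they are removed from the Primary.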

Once everything is up and good, you have upgraded from 6.3 -> 8.0 and now have almost all the features of an ASA. This is a very worthwhile activity, as it gives you a huge bump in features and ease of use. Once I get stateful failover working on a subinterface/trunk, I will post how to finish off the job. However, do heed Cisco's warnings: doing stateful failover using a data-bearing interface is NOT supported. It will not NAT, and it will blow away your ACLs and every reference to that interface. Just don't try it.

I hope this helps your upgrade go smoother than ours did (it's only a mild concussion, the doctor says, from hitting our heads against the wall so much).